This happened in Las Vegas, but the weaknesses in U.S. voting equipment uncovered during a summer hackathon are too important to stay there, experts say: They’re a matter of national security.
A new report breaks down the lessons learned at DEFCON 25, which amounted to a concentrated attack—orchestrated in the name of public safety—on the programming and machinery used in U.S. elections.
“The results were sobering,” according to a copy of the report provided by The Atlantic Council, an international affairs think tank.
“By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems.”
Douglas Lute, former U.S. ambassador to NATO, said the report comes down to this: “Our voting systems are not secure.”
Russia’s demonstration of an ability to “use cyber tools against the U.S. election process” should create a powerful sense of urgency, Lute wrote in the foreword to the report.
“If Russia can attack our election, so can others: Iran, North Korea, ISIS, or even criminal or extremist groups,” he said. “This is a national security issue because other democracies—our key allies and partners—are also vulnerable.”
How Russia or its agents and allies sought to influence the 2016 elections—on many fronts—remains the subject of multiple federal inquiries, including one led by Special Counsel Robert Mueller.
The health of American’s election system is also under scrutiny by a group called the Presidential Advisory Commission on Election Integrity. President Donald Trump created the commission, which he has also referred to as the “very distinguished voter fraud panel,” after months of evidence-free claims that millions of people cast illegal ballots in 2016, costing him the popular vote.
The bipartisan panel is officially chaired by Vice President Mike Pence, but it is mainly run by Kansas Secretary of State (and Republican gubernatorial hopeful) Kris Kobach, a well-known proponent of more stringent voting laws. The panel is under challenge from voting and civil rights advocates, who call it a front to disenfranchise vulnerable voters without proof of widespread fraud of the kind described by Trump.
On the physical side of questions about voting systems, which the presidential commission discussed at its second meeting in September, DEFCON hackers found some of the machines had cringeworthy weaknesses, the new report said.
For example, one had “an unchangeable, universal default password—found with a simple Google search—of “admin” and “abcde.”
Researchers found the susceptibilities exposed by the hackers controverted manufacturers’ longstanding claims that their products were designed to thwart tampering: “If a voting machine can be hacked by a relative novice in a matter of minutes at DEFCON, imagine what a savvy and well-resourced adversary could do with months or years,” the researchers wrote.
Voter databases in individual states, which keep records and run elections in the non-centralized U.S. system with various kinds of both software and hardware, have also reportedly been targeted.
“Given the federal government’s recent designation of election systems as critical infrastructure—and in light of what is known about the Russian attempts to infiltrate election networks in at least 21 states in the 2016 Presidential Election—it is overwhelmingly evident that election security is now an extension of national security,” the report said.
“The bottom line is: No matter the level of nation-state hacking or interference in 2016, if our enemy’s goal is to shake public confidence about the security of the vote, they may already be winning.”
Matthew Masterson, chairman of the independent federal Election Assistance Commission, told Newsweek his agency is working with state and local officials “to carry out accurate, accessible and secure elections” and seeking ways to improve security.
“Any effort that helps us do that job better is welcome,” said Masterson, whose agency runs “the nation's only federal election system testing and certification program," as a spokeswoman described it.
Around the time hackers were trying to lay waste to voting machines at the hackathon, EAC officials were huddling with Homeland Security at a summit on defending U.S. elections systems, which are now considered “critical infrastructure” by the federal government—along with nuclear power plants and dams.
The late-July DEFCON attracted 25,000 participants—the most, per the report, since the event’s 1993 inception.
Held over several days in a “Voting Village” in Las Vegas, the event as described in the report “represented the first occasion where mainstream hackers were granted unrestricted access to explore and share any discovered vulnerabilities” in a variety of voting machines and electronic poll books, most of which are still in use in elections today.
The first machine “was hacked and taken control of remotely in a matter of minutes,” according to the study.
In another case, sensitive voter data that should have been wiped from a device remained accessible, and hackers were able to pull up personal information from 2008 on more than 654,000 Tennessee voters. Home addresses extracted from the files included the residences of “judges, law enforcement officers, and domestic violence victims.”
The machines could be manipulated by U.S. enemies long before they even reach polling sites: Hostile actors could exploit “supply chain security flaws to plant malware into the parts of every machine, and indeed could breach vast segments of U.S. election infrastructure remotely.”
One of the authors of the report, Joseph Hall of the Center for Democracy & Technology, tweeted a warning against overinterpreting the scope of the threat, if not its urgency.
Responding to one published claim that the Russians could remotely take over the entire U.S. election system, technologist Hall decried the “breathless hysteria” of the coverage and remarked, “I wrote a lot of the dang thing and it doesn't make a claim like that.”
In an email exchange with Newsweek, Hall called the idea of a systemwide Russian takeover of a U.S. election “crazy.”
Logan Churchwell of the Public Interest Legal Foundation, which has integrity commission member Christian Adams as its general counsel, insisted Tuesday that keeping unqualified people off the rolls remains important even amid a discussion of physical flaws in voting technology.
“Jurisdictions where voter roll maintenance is lacking offers a soft target for those that would manipulate data before a vote is cast,” Churchwell said. “How do you sort between outside sabotage and pre-existing negligence after an attack?”