Mark Ovaska / The New York Times
A voting machine with prints of records from past voting activity is shown, as part of an exercise where hackers tested them at Def Con in Las Vegas, July 28, 2017. Part of this weekend’s conference will address election security.
Tuesday, Aug. 6, 2019 | 2 a.m.
Ahead of the annual hacker and cybersecurity conference Def Con in Las Vegas this weekend, organizers anticipate that the part of the event devoted to election security will entice more local, state and federal election officials than ever before.
Drawing tens of thousands of hackers, researchers, lawyers and others interested in cybersecurity every year to Las Vegas, Def Con has included a so-called “Voting Village” in its weekend-long programming for the past three years to address election security and how to protect elections from hacking.
This is the first time that Def Con explicitly invited local and state election officials to attend, and many seem to be taking advantage of the opportunity, said Harri Hursti, co-founder of the Voting Village and founder of computer and network security company Nordic Innovation Labs.
“We never intended this to be a main or big thing. It became a big thing because of popular demand,” Hursti said.
Among those attending the conference are representatives from the Clark County Election Department and the Nevada Secretary of State’s Office.
Spokespeople for Clark County and the Secretary of State’s Office declined to discuss any voting security issues that piqued their interest in the conference, citing security concerns. But public information officer for the Secretary of State’s Office Jennifer Russell confirmed that Deputy Secretary of State for Elections Wayne Thorley will be speaking on a Voting Village panel Saturday and that the office has sent employees to the conference in the past.
One focus of this year’s Voting Village will be to help election officials obtain election security resources and meet experienced hackers, cybersecurity experts and IT workers who want to volunteer their time to secure elections and preserve democracy. From 10 a.m. to noon Saturday, the Voting Village will host an “open-house style event” for government officials to meet with experts and discuss ways they might collaborate.
The goal of this new program is to address the “cybersecurity workforce gap,” or the lack of cybersecurity experts employed where needed, such as in election offices.
“A lot of the election offices and officials are at the mercy of their vendors. They don’t have the people or the skillset to evaluate and value what they’re paying to the vendors and if what the vendors have sold them is doing the job it’s supposed to do,” Hursti said.
That’s partly because many election jurisdictions lack full-time IT or cybersecurity experts, he said. Poll workers also, on the whole, tend to have limited knowledge about election security.
“In the U.S., elections are starved from all resources, and one resource is money. The second resource from which they are starved of is poll workers,” Hursti said.
For Hursti, who has raised alarms about election security in the United States for years, the election process can be broken down into four parts: voter registration, electronic pollbooks, election management systems (including tabulation) and the reporting of results. All areas are vulnerable to attacks, Hursti said.
Take pollbooks, for example. The use of electronic pollbooks is growing in the United States; nearly 48% of U.S. voters who signed in at polling stations in 2016 used an e-book to do so, U.S. Election Assistance Commission data shows. But, according to Hursti, their use and regulation resembles “a Wild West.”
“There are no security standards, and there are no federal regulations, unless some states have been proactive,” he said.
Nevada is one of 36 states to have used e-poll books in 2018, but it lacked a formal certification process for the vendors at that time, according to the National Conference of State Legislatures.
The state tightened rules around e-poll books in the 2019 legislative session through the passage of Senate Bill 123. The measure requires county and city clerks who administer elections to receive cybersecurity training and to conduct “risk-limiting” audits of elections before results are certified, among other measures.
Ahead of the 2018 midterm elections, the Nevada Secretary of State’s Office also hired an information security officer and installed software to detect and repel attacks, Thorley said in an interview last year with the Las Vegas Sun.
Tweaks to election systems can make a difference, Hursti said, but an overhaul of U.S. election systems is what is truly needed in his eyes. Most election systems are designed in such a way that it is nearly impossible to preserve evidence to show whether they have been hacked, he said, compounding other security problems.
“You can do a lot by improving what’s there and (raising) the bar higher, but the real answer is to start over,” Hursti said.
In light of revelations that Russian intelligence officers interfered in the 2016 United States election, Hursti’s warnings, which might have once sounded fringe, are now capturing the attention of election officials and of the Department of Homeland Security. Hursti encourages officials everywhere to take advantage of resources from the DHS and elsewhere — including at Def Con’s Voting Village, which runs Aug. 8–11 at Planet Hollywood.
“This is a national security issue. This decides who is governing a country and how that’s influenced. This should never be a partisan issue,” Hursti said.
