Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk.
This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show's village and its warnings of wobbly security in some systems that officials use to record, tally, and report votes.
Among the vendors singled out was ES&S, sparking Senators Kamala Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME) and James Lankford (R-OK) to express concern that ES&S wasn’t serious about security.
“We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing,” the senators wrote in their letter [PDF].
“We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks.”
Nothing to see here, move along
Earlier this week, ES&S provided the senate with a response letter [PDF] arguing that, while it is happy to work with outside researchers, it feels the DEF CON competition was doing more harm than good.
“All informed observers and participants in protecting America agree that our nation’s critical infrastructure is under attack by nation-states, cybercriminals, and professional and amateur hackers. That’s why forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” ES&S CEO Tom Burt wrote.
“We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”
Security researchers, however, aren’t buying it. Among those to blast the manufacturer's response was Voting Village cofounder and Princeton University Professor Matt Blaze, who issued a scathing rebuttal.
We bought a bunch of surplus voting machines on eBay and put them in a room. I believe many of our foreign adversaries already have eBay capability, so perhaps it would be prudent to use election equipment that can withstand eBay-based threats. https://t.co/SYsVEH2etX— matt blaze (@mattblaze) August 27, 2018
Rob Joyce, the former head of the NSA's elite Tailored Access Operations hacking squad (and noted Christmas light enthusiast) backed Blaze, and expressed support for the hackers whose loyalty was questioned by ES&S.
Ignorance of insecurity does not get you security. We need to examine voting machines, SCADA systems, IOT and other important items in our lives. The investigation of these devices by the hacker community is a service, not a threat.— Rob Joyce (@RGB_Lights) August 28, 2018
The exchange threatens to overshadow a larger security effort ES&S kicked off last week to improve its hardware and system security as well as its reputation in the infosec space by working better with government cybersecurity agencies and private research operations.
This embarrassing exchange is, to say the least, particularly bad timing for the vendor. ®