Let white-hat hackers stick a probe in those voting machines, say senators
HAVA go at breaking electronic ballot box security
US voting machines would undergo deeper examination for computer security holes under proposed bipartisan legislation.
Senators Mark Warner (D-VA) and Susan Collins (R-ME) this week introduced an amendment to the Help America Vote Act (HAVA) that would require the nation's Election Assistance Commission (EAC) to include penetration testing in its certification process for voting hardware and software. Such kit would have to survive pen testing before the commission would certify it for use in elections.
Today's HAVA regulations – the law was passed in 2002 following the contested 2000 presidential election – require the commission to provide testing and certification, decertification, and recertification of electronic ballot box hardware and software by accredited laboratories. But the rules stop short of explicitly requiring pen testing of these voting machines – something hackers at DEF CON's Voting Village have been doing for years.
The proposed amendment – known as the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act [PDF] – would not only require penetration testing in the certification process, it would also set up a voluntary vulnerability disclosure program for election systems.
Ethical hackers could sign up to take part in the program, find bugs in voting machines or their source code, and confidentially disclose them to participating vendors; those suppliers would then have 180 days to issue a fix before details are made public.
There are other requirements, such as the vetting of participating researchers, and 90-day deadlines for reviewing patches. A summary of the bill is here [PDF].
"If we're going to defeat our adversaries, we have to be able to think like they do," Senator Warner said in a statement. "The SECURE IT Act would allow researchers to step into the shoes of cybercriminals and uncover vulnerabilities and weaknesses that might not be found otherwise."
The proposal comes as the US gears up for a presidential race in 2024, and just weeks after top cybersecurity officials revealed declassified details of attempts by Iranians to compromise election infrastructure in 2020.
Last month, Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), and Army Major General William Hartman, chief of the Cyber National Mission Force (CNMF), told RSA Conference attendees they had thwarted an attempt by Iran's Pioneer Kitten crew to compromise an election reporting website and alter the results it displayed.
"There was no impact to election infrastructure, no impact to voting systems, no impact to the free and fair conduct of the election," Goldstein said.
"This is a case where we had an adversary with the potential intent to take action relating to an election, and we were able to effectively get in front of that activity."
That attempt is separate from the previously disclosed Iranian operation that harassed US voters and spread disinformation during the 2020 presidential election.
And, of course, election officials and cybersecurity analysts expect the usual democracy-meddling attempts from Russian and Chinese state-sponsored miscreants in 2024.
That said, the 2020 race was declared "the most secure in American history" by CISA and state and local election officials, and the FBI and CISA were equally confident about the integrity of the 2022 midterms. And Fox News just settled out of court with a voting machine maker after pushing baseless allegations of electronic ballot box rigging. Go vote. ®