The top seller of voting machine technology in the U.S., in a pivot from its usual stance, is expected to encourage hackers to attempt to breach its security system in order to identify vulnerabilities fewer than three months away from the presidential election in November.
Election Systems & Software LLC Chief Information Security Officer Chris Wlaschin on Wednesday is expected to unveil an outreach program to security researchers during the annual Black Hat USA convention for hackers, which will be hosted remotely this year amid the coronavirus pandemic, the Wall Street Journal first reported.
In an effort to appeal to outside help, Wlaschin will outline a new vulnerability disclosure policy providing “safe harbor” protections to legitimate researchers if they identify and notify ES&S of bugs in its systems.
This marks a change of tone from two years ago when the Omaha, Neb.-based company criticized a group of hackers at Black Hat’s sister conference, Defcon, for testing its election equipment. The company claimed security researchers and hackers were only attempting to gain attention online by publishing unrealistic scenarios when real-world polling has safeguards, such as poll workers and fellow voters that made hacking equipment unlikely, according to the Journal.
At the time, Kevin Skoglund, an independent security researcher, identified a breach in the ES&S systems’ firewall, making it accessible on the Internet. Instead of notifying ES&S about the issue, Skoglund instead sent his finding to an industry information-sharing center, fearing that ES&S would not take him seriously.
“Rather than welcoming the contributions of these researchers with open arms, ES&S and companies like it have repeatedly attempted to demonize cybersecurity researchers and discredit their work,” Sen. Ron Wyden, D-Ore., who has been critical of companies, told the Journal.
ES&S has since changed its approach with security researchers, and, last week, the Department of Homeland Security released guidelines for election administrators recommending increased cooperation between security researchers, election officials, and vendors in identifying security vulnerabilities.
Meanwhile, state and local officials are receiving additional tools from the federal government to help defend the nation’s election systems from cyber threats ahead of the November vote, as intelligence officials continue to warn about foreign efforts to interfere in the U.S. election.
Under a $2.2 million pilot program that began in March, the Department of Homeland Security’s cybersecurity agency in partnership with the Center for Internet Security has been deploying software to election offices. It is then placed on devices, including laptops and servers used for voter registration and reporting vote totals, to detect malicious activity. The program was highlighted during a congressional hearing Tuesday.
“This is the next step, the evolution of helping state and local entities,” said Matt Masterson, a top cybersecurity official within the Department of Homeland Security. “This really advances their ability to protect their networks.”
Thirty state election offices have already integrated the so-called endpoint detection and response tools, which are routinely used in the private sector but less common at the local level. Through the federal program, officials expect to have this deployed in at least nine additional states by November. Fewer than 100 local government agencies have signed up so far.
States were left scrambling after it was revealed Russian agents had targeted election systems leading up to the 2016 presidential election. While no evidence surfaced that any votes were altered or voter data manipulated, the actions by a foreign adversary to scrutinize the nation’s myriad election systems for vulnerabilities prompted changes including enhanced security protocols, more rigorous and regular security reviews, and improved information-sharing across federal, state and local governments.
But cybersecurity experts say the threat has hardly been dulled.
Just a few weeks ago, Bill Evanina, director of the National Counterintelligence and Security Center, released a statement noting foreign adversaries are seeking to compromise election infrastructure along with campaigns, candidates, and other political targets. He said the government continues to “monitor malicious cyber actors trying to gain access to U.S. state and federal networks, including those responsible for managing elections.”
The Associated Press contributed to this report.