A noisy cheer went up from the crowd of hackers clustered around the voting machine tucked into the back corner of a casino conference room—they’d just managed to load Rick Astley’s “Never Gonna Give You Up” onto the WinVote, effectively rickrolling democracy. The hack was easy to execute. Two of the hackers working on the touchscreen voting machine, who identified only by their first names, Nick and Josh, had managed to install Windows Media Player on the machine and use it to play Astley’s classic-turned-trolling-track. … The security industry encourages regular software updates to patch bugs and keep machines as impenetrable as possible. But updating the machines used in voting systems isn’t as easy as installing a patch because the machines are subject to strict certification rules.
Any major software update would require the state to redo its certification process. “It costs over $1 million to get certified,” Joshua Franklin, a security specialist with the National Institute of Standards and Technology’s cybersecurity and privacy application unit, explained to attendees. Franklin said that even though the Election Assistance Commission’s most recent election security standards were released in 2015, most state’s machines are only compliant with standards from 2002 because of the prohibitive costs of updates.
The cost breaks down to about $30-$40 per voter, estimates Tom Stanionis, an IT manager for a county election agency in California who attended the village in his personal capacity. Most states just don’t have the money.
The voting village is the brainchild of a who’s-who list of security experts: DEF CON founder Jeff Moss, cryptographer Matt Blaze, computer programmer Harri Hursti (whose hack of Diebold voting machines in 2005 bears the name “the Hursti Hack”), and others. Researchers have been uncovering problems with voting systems for more than a decade, but the 2016 presidential election catapulted their work into the national spotlight. Now the entire country, and maybe the world, is paying attention. But poll workers and former campaign officials say that their primary security concerns still aren’t with voting machines themselves but with protecting voter registration systems and defending against basic phishing attacks like the ones used to gain entry to the Democratic National Committee’s network.