The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election. “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee. ES&S was responding to bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”
Attacking ethical hackers is likely to be a losing political strategy for ES&S, which is facing intense pressure from Congress and the research community to be more transparent about its machines’ security vulnerabilities. Lawmakers are already batting down the company’s claims and siding with independent cybersecurity experts who want to expose potential weaknesses in the country’s election systems before the November midterms — suggesting both a real concern about the security of the equipment and a growing acceptance of “white hat” hacking.
Senate Intelligence Committee Vice Chairman Mark R. Warner (D-Va.) “is not satisfied with this response,” a Warner spokesman said in an email. “In particular, the company’s suggestion that making machines accessible somehow makes them more vulnerable is silly and contrary to all evidence.”
A spokesman for Sen. Kamala D. Harris (D-Calif.) said it was “unacceptable that ES&S continues to dismiss the very real security concerns that Def Con raised.”
“Independent security research does not jeopardize election integrity — instead it helps us design more secure voting systems,” the spokesman told me in an email.
Warner and Harris, along with Sen. Susan Collins (R-Maine) and Sen. James Lankford (R-Okla.), wrote to ES&S after Def Con, expressing concerns that voting machine vendors “may not be prepared for the growing threats to our elections.” They also asked whether ES&S would provide its equipment to “qualified, good faith cybersecurity researchers” for independent testing.
In its response, first reported by Politico, ES&S said it would do so. But in the same breath, the company argued against hacking its machines in these kinds of forums and suggested there may be something more nefarious at play: “We strongly urge you to, in your capacity as members of the Select Committee, reach out to your contacts in the Intelligence Committee and make your own assessment regarding the presence of foreign adversaries in these anonymous forums.”