For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government’s mad science wing. Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD. “The goal of the program is to develop these tools to provide security against hardware vulnerabilities,” says Linton Salmon, the project’s program manager at Darpa. “Our goal is to protect against remote attacks.” Other voting machines in the Village are complete, deployed products that attendees can take apart and analyze. But the Darpa machines are prototypes, currently running on virtualized versions of the hardware platforms they will eventually use. A basic user interface is currently being provided by the secure voting firm VotingWorks.
National: DARPA’s $10 million voting machine couldn’t be hacked at Defcon (for the wrong reasons) | Alfred Ng/CNET
For the majority of Defcon, hackers couldn’t crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn’t because of the machine’s security features that the team had been working on for four months. The reason: technical difficulties during the machines’ setup. Eager hackers couldn’t find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn’t allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor. “They seemed to have had a myriad of different kinds of problems,” the Voting Village’s co-founder Harri Hursti said. “Unfortunately, when you’re pushing the envelope on technology, these kinds of things happen.” It wasn’t until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.
If election security is an engineering problem, the Defense Advanced Research Projects Agency is heading to the right place to solve it. The Pentagon’s blue skies projects agency is taking its System Security Integrated Through Hardware and Firmware (SSITH) to the 2019 DEF CON hacking conference to demonstrate its capabilities before the dark lords and apprentices of the underground community. SSITH will be on display as part of the conference’s Voting Village, where researchers will explore what can and cannot be done to interfere with voting machines and, by extension, elections. “We expect the voting booth demonstrator to provide tools, concepts and ideas that the election enterprise can use to increase security; however, our true aim is to improve security for all electronic systems. This includes election equipment, but also defense systems, commercial devices and beyond,” said Dr. Linton Salmon, the program manager leading SSITH, in a release from DARPA. DARPA sees securing faith in the literal machinery of elections as a national security issue. To prove that faith in the security systems is warranted, they have prepped the “SSITH voting system demonstrator,” with processors mounted on programmable arrays and installed in a ballot box. To get to the system, hackers can enter via either an Ethernet port or a USB port, loading software to try and get past the system’s hardware gatekeeping and security functions.
Microsoft has announced an ambitious effort to make voting secure, verifiable and subject to reliable audits by registering ballots in encrypted form so they can be accurately and independently tracked long after they are cast. Two of the three top U.S elections vendors have expressed interest in potentially incorporating the open-source software into their voting systems. The software is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon’s advanced research agency, DARPA. Dubbed “ElectionGuard,” it will be available this summer, Microsoft says, with early prototypes ready to pilot for next year’s U.S. general elections. CEO Satya Nadella announced the initiative Monday at a developer’s conference in Seattle, saying the software development kit would help “modernize all of the election infrastructure everywhere in the world.” Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems. Open-source software is inherently more secure because the underlying code is easily scrutinized by outside experts but has been shunned by the dominant vendors whose customers — the nation’s 10,000 election jurisdictions — are mostly strapped for cash. None offered bids when Travis County, Texas, home to Austin, sought to build a system with the “end-to-end” verification attributes that ElectionGuard promises to deliver. Two of the leading vendors, Election Systems & Software of Omaha, Nebraska, and Hart InterCivic of Austin, Texas, both expressed interest in partnering with Microsoft for ElectionGuard. A spokeswoman for a third vendor, Dominion Voting Systems of Denver, said the company looks forward to “learning more” about the initiative.