Congress did not pass the bipartisan Secure Elections Act. This means in the two years since Russian interference disrupted our election systems, we have failed to improve security around the technologies that support our election processes. Legislating a fix to the problem is proving futile. It’s time to ask ourselves – as citizens, elected leaders, technologists and those interested in protecting our democracy – what else we can do to improve election security. A recent report delivered to Capitol Hill found that “election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack,” according The Wall Street Journal. Shouldn’t we view our elections through the lens not just of security, but safety? Think about it this way: we have the NTSB for travel, the FDA for food, OSHA for workplace safety. We would scarcely accept 50 percent of cars on the road to be faulty or 50 percent of food on grocery store shelves to be tainted.
That’s why states should open up voting systems and machines to the white hat hacker community. Much of the technology we enjoy using today, our smartphones and apps and internet-connected vehicles, is safer and more secure because it’s been probed by hackers to expose and report vulnerabilities that are then corrected. The software that powers the digital world, including election systems, can be made more secure via bug bounties that enable the hacking community to get to work.
Hackers can be exceptionally creative, constantly thinking outside the box. Security experts close to a product will have made assumptions that attackers will ignore. Bringing in outside hackers with their own attack tools will uncover new risks. This is one of the clear values of bug bounty programs. Keep in mind, this is not a replacement for sound security engineering as part of the development process, it should be in addition.