There are four months until the midterm elections, and the security of state election systems remains a concern. The clock is ticking to ferret out problems and fix them before Nov. 6. Websites associated with voting continue to have poor cybersecurity hygiene, even after the revelation that hackers probed the systems of 21 states in the lead-up to the 2016 election. And while Congress has increased the funds available to states to improve their election systems, many are still jumping through bureaucratic hoops to actually access the money. One way to supplement much-needed security checks of election systems would be to replicate the security practices of tech-savvy companies. Many private tech companies treat cybersecurity differently than the government does, adapting security practices to deal with inevitable mistakes quickly and through the wisdom of the crowd. They rely partly on outside feedback to suss out vulnerabilities, something that many in the elections community seem allergic to. This could mean that fixable security flaws are left on the table for bad actors to exploit.
Tech companies were among the first to use crowdsourcing as a way to fix mistakes that cropped up in their systems. In a more innocent time for the internet, the tech community developed responsible disclosure programs for vulnerabilities based on good faith. “Norms began to develop,” said Alex Rice, former head of product security at Facebook and a co-founder of HackerOne, a company that works to help hackers and security researchers safely disclose vulnerabilities. “The right thing to do for all users of that technology was to get it into the hands of people who could take action and fix it.”
Later, tech companies started cash reward programs — “bug bounties” — that gave hackers an incentive to report vulnerabilities through the proper channels rather than sell them on the black market.
But more traditional companies and the government have been slower to adapt to the norms of responsible disclosure. (The Department of Defense has been working to adapt more quickly, launching a “Hack the Pentagon” initiative in 2016.) Finding bugs in online systems is technically a violation of the Computer Fraud and Abuse Act, a 1986 law meant to provide a framework by which to prosecute digital crime. The law bans access to computers and networks “without authorization or exceeding authorized access,” a broad framing that prosecutors have used to target such actions as stealing corporate secrets from computer networks and setting up fake accounts on social media.