Voting machine maker claims hacking competitions a ‘green light’ for foreign hackers

Voting machine vendor ES&S says it did not cooperate with the Voting Village hacking competition at DEF CON because it worried the event posed a national security risk.

This according to a letter the company sent to four US senators in response to inquiries about why the company was dismissive of the event and its findings of huge security holes in many of the systems state and local governments use to record and tally votes.

Among the vendors singled out was ES&S, sparking Senators Kamala Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME) and James Lankford (R-OK) to express concern that ES&S wasn’t serious about security.

“We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic nd that your company is not supportive of independent testing,” the letter [PDF] reads.

“We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks.”

Nothing to see here, move along

Earlier this week, ES&S provided the senate with a response letter [PDF] arguing that, while it is happy to work with outside researchers, it feels the DEF CON competition was doing more harm than good.

“All informed observers and participants in protecting America agree that our nation’s critical infrastructure is under attack by nation-states, cybercriminals, and professional and amateur hackers. That’s why forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” ES&S said.

“We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”

Security researchers, however, aren’t buying it. Among those to blast the letter was Voting Village co-founder and Princeton University Professor Matt Blaze, who issued a scathing rebuttal on Twitter.

We bought a bunch of surplus voting machines on eBay and put them in a room. I believe many of our foreign adversaries already have eBay capability, so perhaps it would be prudent to use election equipment that can withstand eBay-based threats. https://t.co/SYsVEH2etX

— matt blaze (@mattblaze) August 27, 2018

Rob Joyce, the former head of the NSA’s elite Tailored Access Operations hacking squad (and noted Christmas light enthusiast) took to his persoanl Twitter feed to back Blaze up and expressed support for the hackers whose loyalty was questioned by ES&S.

Ignorance of insecurity does not get you security. We need to examine voting machines, SCADA systems, IOT and other important items in our lives. The investigation of these devices by the hacker community is a service, not a threat.

— Rob Joyce (@RGB_Lights) August 28, 2018

The exchange threatens to overshadow a larger security effort ES&S kicked off last week to improve both its hardware and system security as well as its reputation in the infosec space by better integrating with both government cybersecurity agencies and private research operations.

This embarrassing exchange is, to say the least, particularly bad timing for the vendor. ®

Sponsored: Following Bottomline’s journey to the Hybrid Cloud

READ MORE HERE