Hackers Get Green Light to Test U.S. Voting Systems - The Wall Street Journal

sekirta.blogspot.com

A person casts a vote on an Election Systems & Software voting machine during a practice demonstration in Pennsylvania last year.

Photo: brian snyder/Reuters

By

Robert McMillan

• Biography

and

Alexa Corse

• Biography
• @alexacorse

Aug. 5, 2020 7:48 am ET

Election Systems & Software LLC, the top U.S. seller of voting-machine technology, is calling a truce in its feud with computer-security researchers over the ways they probe for vulnerabilities of the company’s systems.

With the U.S. presidential election less than three months away, ES&S Chief Information Security Officer Chris Wlaschin on Wednesday will unveil the company’s outreach effort to security researchers at the annual Black Hat hacker convention that is taking place virtually this year, according to ES&S.

Mr. Wlaschin will detail a new vulnerability disclosure policy, which spells out, for example, the “safe harbor” protections that ES&S will provide legitimate researchers if they identify and notify the company of bugs in its systems, ES&S said. Those provisions are standard across many industries, from computer equipment to cars to medical devices, as manufacturers seek outside help to ensure their systems are secure. But the makers of election equipment, ES&S in particular, have been reluctant to allow outside security experts to test their systems, researchers have said.

Supporters cheer and wave as President Trump arrives for a private campaign fundraiser in Texas, July 29.

Photo: carlos barria/Reuters

The company’s move follows the Department of Homeland Security last week urging increased cooperation between security researchers, election officials and vendors as it released guidance for election administrators on coordinating to address security vulnerabilities.

ES&S and some election officials had previously defended their reluctance to work with outside security researchers, at times arguing that some hackers have used unrealistic scenarios and published hyped claims to gain attention, and that real-world polling had safeguards such as poll workers and fellow voters that made hacking equipment unlikely.

U.S. national-security officials have warned about the threat to elections from foreign adversaries. U.S. intelligence officials have said Russia has probed state election systems and interfered through social media during the 2016 presidential election. Russia has denied meddling in U.S. elections. 

For Omaha, Neb.-based ES&S, Wednesday’s expected announcement marks a turnaround from two years ago when the manufacturer and hackers clashed at Black Hat’s sister conference, called Defcon. There, ES&S criticized a group of hackers who sought to test voting equipment. The company, at the time, said unauthorized use of its software violated its licensing agreements and that hackers risked jeopardizing national security by testing voting machines in a public setting with few safeguards.

SHARE YOUR THOUGHTS

How can the U.S. maintain the integrity of the 2020 presidential election? Join the conversation below.

Soon after, Kevin Skoglund, an independent security researcher, and others discovered that some ES&S systems—which weren’t supposed to be accessible on the internet—could be reached, although they were protected by a firewall. Mr. Skoglund said he sent his findings to an industry information sharing center rather than to ES&S because he felt the company wouldn’t take his research seriously. “They did not have a good track record on these issues, so we felt like they would deny and spin,” he said.

Sen. Ron Wyden (D., Ore.), who has been critical of the companies, said: “Rather than welcoming the contributions of these researchers with open arms, ES&S and companies like it have repeatedly attempted to demonize cybersecurity researchers and discredit their work.”

ES&S says it has since changed its approach to handling such findings. It has added a way for researchers to report vulnerabilities and acted on several bug notifications, the company said. It hired its first chief information security officer, Mr. Wlaschin, and last year allowed security experts from the Department of Energy’s Idaho National Laboratory cyber-testing facility to test three of its systems for security flaws. The lab declined to comment.

Synack Inc., a crowdsourced provider of security testing services, will evaluate a system that keeps track of voters checking in at polling stations, ES&S said. Test results from the lab and Synack won’t be made public, ES&S said.

“We hope researchers will agree that our actions in recent years have been positive and industry leading,” a company spokeswoman said.

When security researcher Jack Cable in January discovered that a virtual private network used by ES&S employees was running old software with known bugs that left it vulnerable to attack, he emailed the company’s security team on a Friday night and heard back within hours. A few days later, ES&S had fixed the problem, Mr. Cable and the company said.

As November’s presidential election draws closer, the conversation is switching from who’s leading the national polls to what states the two campaigns need to reach 270 electoral votes. WSJ’s Gerald F. Seib looks at the states up for grabs in the 2020 race. Photo: Charles Mostoller/Reuters

“ES&S, more than any other vendor, has a history of locking horns with election security advocates,” Mr. Skoglund said. “It is encouraging to see signs of a new approach, but they have to do more to get past the skepticism and years of bad blood.”

Other companies also are opening themselves more to third-party scrutiny. Dominion Voting Systems Corp., the country’s second-largest voting-machine vendor, plans to publish a new policy for vulnerability disclosure in the coming weeks to expand on the company’s standard agreement for third-party security testing, said Kay Stimson, a spokeswoman for the Denver-based company.

Hart InterCivic Inc., another voting-machine vendor, said it has also expanded its vulnerability testing and reporting over the past year including by working with DHS. The Austin, Texas-based company said it established a way to report vulnerabilities in 2019, though it previously already worked with security experts.

DHS’s senior adviser on election security, Matt Masterson, said in a statement that “over the past few years, the relationship between the election community and the cybersecurity research community has grown immensely, but there is more to be done.”

More

• Election Officials Are Vulnerable to Email Attacks, Report Shows
• Why a Data-Security Expert Fears U.S. Voting Will Be Hacked
• Agencies Warn States That Internet Voting Poses Widespread Security Risks

Write to Robert McMillan at Robert.Mcmillan@wsj.com and Alexa Corse at alexa.corse@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Let's block ads! (Why?)

"light" - Google News
August 05, 2020 at 06:48PM
https://ift.tt/3i8PIdq

Hackers Get Green Light to Test U.S. Voting Systems - The Wall Street Journal
"light" - Google News
https://ift.tt/2Wm8QLw
https://ift.tt/2Stbv5k

Bagikan Berita Ini