Hack the US Voting System Without Punishment!

“They’re coming after America. They will be back.”

With those words, former FBI Director James Comey has verbalized what many election officials have been thinking and fearing. Their concern has prompted the latest action by Congress to defend against hacks of US voting systems.

That the US elections were hacked is no longer up for debate – it happened. It was no big surprise either, as it was foreshadowed at a summer DEF CON hacking convention in Las Vegas. It only took about 90 minutes for the voting system to be proven vulnerable. Jake Braun, who convinced DEF CON founder Jeff Moss about the validity of the test earlier this year, commented,

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how.”

The US spent billions on upgrading its voting technology after the 2000 Bush-Gore ballot brouhaha. Even so, its system was found to be still hackable. Now it is making a new attempt to safeguard voting – a key component of any democracy. At Congress’s urging, the Department of Homeland Security will sponsor a program to encourage more mainstream hackers to breach the voting systems. Rather than punishing the successful hackers, it may reward them for exploiting the system and alerting authorities to the defects they find.

Current legislation is being proposed to incentivize hackers to deliberately attack the voting systems. If it becomes law, it may provide election officials with the information necessary to combat future hacks. As the losers of the elections, the Democrats have been howling most about the results. They contend the election was stolen from them. Thus it comes as no surprise that a Democrat is at the forefront of this latest initiative. Sen. Martin Heinrich (D-N.M.) states,

“Until we set up a stronger set of protections for our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable.”

A Pre-emptive Strike

This pre-emptive strike on potential future election hacking aims to mirror a program last year called “Hack the Pentagon.” That had a similar goal of incentivizing the hacking community to exploit and thus expose chinks in the Pentagon’s digital “armor.” The newly proposed hacking bounty program, as outlined by the latest legislation, would be called the “Cooperative Hack the Election Program.” The proposed law suggests it would be “an annual competition for hacking in state voting and voter registration systems during periods when such systems are not in use for elections.”

The rewards for successfully hacking the system and identifying the flaws to authorities are unspecified at this time. However, one would imagine that there would be enough incentive just from the pride angle to get hackers enthused. Personally, I have some reservations though…

While hackers may not “exploit” discovered vulnerabilities or publicly expose them, according to the legislation, in this sieve-like leaking society, isn’t there a strong possibility that bad actors, foreign or domestic, may piggy-back on the vulnerabilities discovered by amateur hackers? If so, couldn’t they merely adjust their attacks or take a new tack? It’s not far-fetched because the bad-guy hackers are pros. I’d like to see this eventuality taken into account in the “contest.”

Another thing to consider, given lawmakers’ penchant for myopia and tunnel vision, is that opening the floodgates for users to submit bugs only works when there are processes in place to analyze submissions, sift out duplicates and bad leads, and prioritize and repair the bugs. That infrastructure takes time, money and practice. These aren’t always lawmakers’ strong suits. And what about the next steps after vulnerabilities/bugs have been identified? Will they be addressed en masse or as each one crops up? If it is the former, then be prepared for a long slog. This may or may not be completed by the time the next presidential election arrives in 2020 – and forget the 2018 mid-terms!

Still, it is an admirable endeavor and one worthy of Congress’ expenditure and the public’s support. Do you think it will work?