Volunteer hackers to help get US election cybersecurity up to par

Cyber Surge’s roots can be traced back to hacker conference Def Con, whose ‘voting village’ saw hackers attempt to break into decommissioned voting equipment.
3 August 2020

Cybersecurity is a serious concern for the US elections. Source: Shutterstock

  • US elections are approaching in November, but cybersecurity remains underfunded despite the proven threat
  • An NYU-led voluntary group of cybersecurity pros could help support the security of smaller election offices 

The US 2020 elections are drawing ever closer, bringing with them renewed concerns over the integrity of the voting systems serving as vehicles for democracy across the country.

Cyberattacks remain one of the biggest threats to the system, and yet cybersecurity remains largely underfunded, if not to a degree overlooked.

In 2016, Russian attackers attempted to hack state-controlled voting systems, including the attempted breach of a software company that provides software to local voting offices to verify voter ID. 

The Russian military hackers also succeeded in stealing the personal details of 500,000 voters in a single state.

Aside from the proven threat of state-led interference, there are potential electronic voting equipment vulnerabilities and failures to contend with too. Last November, the battleground state of Pennsylvania suffered voting equipment problems, as did Florida and North Carolina in 2016 and Georgia in 2018. 

That threat isn’t just from foreign governments either, but from any cybercriminal. Federal authorities say that one of the gravest threats to the November election is ransomware. These types of attacks on public authorities, including state and local governments, have been on the rise since 2016, and could affect voting systems directly or indirectly by infecting broader government networks that include electoral databases. Attacks could rattle confidence in a vote, if not paralyze voting operations in some areas entirely.

In response to these threats and others, Congress added US$425 million for election-related spending – to include cybersecurity measures – earlier this year. However, citing the threats, which include intelligence warnings that the Kremlin will try to disrupt the 2020 elections once again, senior officials, including Democratic senator Mark Warner, have urged the government to do more. 

“[…] additional money is no substitute for a permanent funding mechanism for securing and maintaining elections systems, and comprehensive legislation to protect our elections […]” Warner said. 

At present, some states pay private companies for cybersecurity, while others rely on in-house staff or federal assistance – but much of this budget earmarked for security has gone instead towards making voting operations safe in the pandemic, including covering mail ballot costs and buying personal protective equipment. 

But with cybersecurity resources ultimately lacking, some assistance may now come at no cost at all.

Def Con One

Dubbed the Election Cyber Surge, an initiative from the University of Chicago is now acting as a matchmaker between local election officials lacking security resources and qualified experts who are willing to forego a fee to help. Officials can use the services to select their area of concern, and speak to cybersecurity professionals via phone or video chat. 

Identified through a university database of trusted cybersecurity professionals, some 50 vetted volunteers will join the program from the off, but the number is expected to double – most of those enlisted have at least a decade’s experience in the field. 

Elizabeth Howard, senior counsel for the Democracy Program at the Brennan Center for Justice – a New York University think tank – called the Cyber Surge group “a much needed resource.”

“Election officials in jurisdictions of all sizes in all states are potential targets of cybercriminals, hostile foreign nation states and other bad actors,” she said. 

“Unfortunately, some of these jurisdictions lack the resources necessary to implement and maintain robust cybersecurity measures, and this concern seems much more likely to affect small election jurisdictions, which may run on a staff of only one or two.”

Chief election officials at county level can often be local residents who won a small election, and naturally have access to minimal cybersecurity support. “We know how expensive things are, and that the cyber skills shortage is more profound in smaller places that can’t recruit, can’t pay, can’t compete in any way with larger, more attractive places where people with these high-level skillsets want to be,” Worman said.

Cyber Surge’s roots can reportedly be traced back to American hacker conference Def Con, whose ‘voting village’ saw hackers take turns at breaking into decommissioned voting equipment. With the conference having gone virtual in 2020, the program has recruited additional volunteers through its forums.

“Anything that can help reassure the American voter that their vote will indeed count this November is a welcome sight,” commented Chris Hauk, Consumer Privacy Champion at Pixel Privacy, on the launch of Cyber Surge.

“This is especially true not only in national elections, but also at the local level, where security may not be as tight as on other levels, due to budget restrictions and other issues. With the help of these ‘white hat’ hackers, we can help ensure the integrity of the United States’ election infrastructure.”

Harri Hursti, an organizer for both the Voting Village and Cyber Surge, said the support can help local election officials who don’t know where to start in securing their networks. “The issue we are addressing is a lot of the local election officials have no access to talent,” he said.

“There is no requirement to become an election official in most of the US — so for anyone who wins the race on the ballot, now you have the job, no previous experience required.”