Heads in the Sand

There is a Defcon computer security conference in progress at which a Voting Village hackers collection is busily hacking various voting machine manufacturers’ machines.  As McMillan and Volz put it in their Wall Street Journal piece about the Village,

These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say.

Sadly, many of those manufacturers are upset over it, even to the point of warning about voting software license abuse.  Even State government representatives don’t like the idea of testing this software’s and these machines’ security.  Here’s Leslie Reynolds, National Association of Secretaries of State Executive Director:

Anybody could break into anything if you put it in the middle of a floor and gave them unlimited access and unlimited time[.]

To a small extent, that’s a valid beef.  But only to a small extent: that direct access “in the middle of a floor.”  However, malicious hackers—for instance, Russian hackers, to say nothing of Iranian, People’s Republic of China’s, northern Korean’s, each of whom also have an interest in sowing doubt and causing outright disruption—have lots of time between now and our November elections, and they’ve had the last couple of years (at the least) already—a good approximation of unlimited time relative to the evolution of software and hardware.

In addition, Reynolds’ argument is a bit of a strawman.  No one is representing this hack-athon as the last word in the security investigation.  It is, though, a highly useful step in the process of locating security failures (vulnerabilities being a too-soft term) so they can be patched.

Election Systems & Software LLC, a leading manufacturer of voting equipment, was reluctant to have its systems tested at the conference. … Hackers “will absolutely access some voting systems internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation.”

Sure.  Our stuff don’t stink, so there’s nothing to see here.  Move along.  Don’t investigate because we don’t want to know the problems.  They’d be invalid, anyway.

Jeanette Manfra, a senior cybersecurity official at DHS, actually sympathized with concerns that Village hackers could unintentionally lower Americans’ confidence in our election systems.  She’s wrong, though.  Responsible persons’ hiding their heads under their pillows, chanting, “La la la, I don’t hear you” are the ones lowering our confidence.  Pretending problems don’t exist is a thin shield, indeed, against those problems’ exploitation.

No.  The more objections there are to investigating and testing the security of our voting system, the more badly we need those investigations and tests.

Leave a Reply

Your email address will not be published. Required fields are marked *