In September 2023, the Information Technology-Information Sharing and Analysis Center (IT-ISAC) convened interested security researchers and voting system companies for a three-day forum. The event aimed to build trust among participants, and it included a day and a half during which researchers tested not-yet-deployed election technologies from participating companies, the IT-ISAC announced in a new report.
Election Systems & Software, Hart InterCivic and Unisyn Voting Solutions all provided their choice of equipment, such as electronic pollbooks, digital ballot scanners and ballot marking devices. Some providers gave researchers credentials so they could mimic insider compromise.
Ultimately, the organizers deemed the event “unquestionably a success,” per the report. Researchers shared vulnerability findings that the companies are now working with them to address. Most of those issues were hardware-related or “garden variety” software bugs, said Casey Ellis, co-founder and chief technology officer of Bugcrowd and a member of the forum’s advisory board. Ellis discussed the project during the 2024 RSA Conference.
Most importantly, in the ISAC’s view, the event established a framework for researchers to test voting equipment and have permission to publicly disclose their vulnerability findings after the bugs had been fixed or a certain amount of time had passed. Such an approach is common in other industries, but in the election sector there has been “decades of contention between security researchers and voting technology providers,” the report said.
Riding on that initial success, the organizers are now looking to hold a larger forum in 2025, involving more researchers, companies and participants, including state and local election officials.
The elections space is unique, and the IT-ISAC had to work around challenges when designing the 2023 forum. One major hurdle: testing election equipment already in use could create logistical, regulatory and public-image issues.
Most states also require new or updated equipment to be tested against Election Assistance Commission standards. In addition, the systems have to undergo acceptance testing to ensure they still function as intended, said Jennifer Morrell, CEO and co-founder of The Elections Group and a member of the forum’s advisory board. Morrell also spoke on the RSA Conference panel. Holding the forum late in 2023 meant that companies wouldn’t have time to address any researcher-discovered vulnerabilities and clear federal certification before the 2024 elections. The team also wanted to avoid the risk that researcher discoveries might prompt voters to mistrust the systems.
As such, the IT-ISAC decided their first forum would test soon-to-be released equipment.
But Morrell noted it may not be sustainable to always test only technology that isn’t yet in use, given that elections occur all the time, not just every four years. Some panelists hope that vulnerability discovery won’t always pose such a risk to public faith in election security.
Bugcrowd’s Ellis said more transparent conversations about vulnerabilities might shift public perception so that discoveries don’t spark panic. Humans make mistakes when writing code, and the resulting issues aren’t necessarily an indicator of malicious activity, he said. Similarly, Morrell emphasized that just because a vulnerability may be found doesn’t mean it’s been exploited.
As the report states, “In reality, every critical infrastructure domain faces risk and has vulnerabilities. Our banking systems, technology providers and other critical infrastructure all have vulnerabilities. This is not reason to distrust these systems.”
Building further trust might also involve explaining more about audits and tests, including checks on whether the right safeguards and controls are in place to keep exploitation of a hypothetical vulnerability from causing real damage, Morrell said.