Bill Calls on Public to Hack Election System
It’s not clear if the contest will include prize money or be a formal bug bounty program.
A bipartisan Senate bill would put the power of legislation behind much of the government’s election security work during the past year and would establish a national competition for hacking election systems.
The Securing America’s Voting Equipment Act, or SAVE Act, would formalize the Homeland Security Department’s designation of election systems as critical infrastructure, a move that makes it easier for the federal government to share cyber threat information with state election officials.
The bill, sponsored by Sens. Martin Heinrich, D-N.M., and Susan Collins, R-Maine, would also direct the department to vet top state election officials for security clearances so they can receive classified threat information.
Homeland Security has already begun that process, according to top officials, following reports that Russian government-linked hackers tried to penetrate election systems in 21 states during the 2016 cycle.
There’s no evidence those hackers actually penetrated any voting systems or altered any votes, according to top Homeland Security and intelligence officials. The Russians were more successful at a broader influence campaign, which included selectively leaking hacked emails from the Democratic National Committee and Democratic nominee Hillary Clinton’s presidential campaign.
“Until we set up a stronger set of protections for our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable,” Heinrich said in a conference call with reporters.
Heinrich and Collins’ bill would establish a grant program to help states upgrade their election systems based on a threat assessment and best practices developed by Homeland Security, though the bill does not list a dollar figure for that grant program.
The bill also directs the Government Accountability Office to audit states’ use of those grant funds to make sure they’re meeting program goals.
The election hacking challenge would be an annual program run by Homeland Security that includes rewards for uncovering high-value vulnerabilities in voting systems, though the bill does not specify if those rewards would be cash prizes.
Companies and government agencies have increasingly launched bug bounty programs to reward ethical hackers for uncovering vulnerabilities in their systems.
A “voting machine hacking village” at the 2017 DEF CON cybersecurity conference in Las Vegas in July turned up cyber vulnerabilities in numerous voting systems.
The DEF CON hackers also pointed out vulnerabilities created by voting machine companies’ expansive supply lines, which run through numerous countries, and by consolidation in the voting machine industry.
Those supply lines multiply the points at which a rogue agent could insert a backdoor or other vulnerability into voting machines. Consolidation in the industry means a nefarious actor who discovered vulnerabilities in just one or two companies’ machines could affect votes on a large scale.