Now in its second year, the Voting Machine Hacking Village at the DefCon security conference in Las Vegas features a new set of voting machines—all of which will actually be used in the 2018 midterm elections—for attendees to analyze and attack. But as eager attendees get to work familiarizing themselves with the devices and revealing their weaknesses, another call has emerged from the Village as well: Finding bugs is great. But you also need the money to fix them.
Election officials can’t act on findings about voting machine and voting infrastructure vulnerabilities, DefCon speakers noted on Friday, if they don’t have the money to replace obsolete equipment, invest in network improvements, launch post-election audit programs, and hire cybersecurity staff. Some progress has come, but not enough, and too slowly.
“While I thank the United States Congress for appropriating $340 million last month, let me be abundantly clear, we need more resources,” said Alex Padilla, the secretary of state of California and the state’s top election official. “All the things that we know we have to do, all the things that I’m going to learn and observe when I go down to the Village after this panel, to implement and act on all of these findings, recommendations, and discoveries we need official resources.”
After all, it took nearly two decades for Congress to appropriate that recent election security windfall; it came from the 2002 Help America Vote Act. “That’s butterfly ballot hanging chad money, not cyberthreats 2016, 2018, 2020 money,” Padilla says. In recent months, Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms. And though the bipartisan Secure Elections Act has been steadily gaining momentum in the Senate—and was introduced through a companion bill in the House on Friday—it is likely still months away from potentially becoming law.
After months of silence on the topic, the Trump Administration said at the end of July that it would “continue to provide the support necessary to the owners of elections systems—state and local governments—to secure their elections.” Department of Homeland Security top cybersecurity official Jeanette Manfra echoed that sentiment at DefCon on Friday, noting that election officials “do a lot with not a lot of resources, and now they’re on the front lines trying to deal with a lot of these issues. They can’t do it alone.”
Jake Braun, a co-organizer of the Voting Village and a former White House and public liaison for DHS, pointed out on Friday that even a project like the DefCon research workshop is costly and would be out of reach for many organizations. “This is a volunteer operation,” he said. “None of us make a dime off of this; we actually lose money.”
The findings that come out of the Voting Village this weekend, and those from researchers more broadly, continue to provide crucial information, as security advocates work to raise the bar of voting machine defense around the US and shape guidelines for vendors. But knowledge can only go so far without the resources required to act on it.
“Most election officials have one or two people in their office,” says Noah Praetz, the director of elections for Cook County, Illinois, who also attended the Voting Village last year. “They outsource most of the work they do, and it’s really difficult” to keep up with the constant stream of election system-related vulnerability advisories.
Voting infrastructure desperately needs vetting from hackers. But now that that idea has more widespread support, the next item on the punch list is funding.