ES&S security lead: We trust our process over DEF CON village findings

While there are a number of companies that build and sell election-related technology, ES&S has been the most notable as of late.

The company’s CEO released a letter last week that took issue with calls from lawmakers to work with anonymous researchers, like those at the DEF CON Voting Village that uncovered various vulnerabilities in election-related hardware and software.

“We will not, however, provide or submit any hardware, software, source code or other intellectual property to unvetted, anonymous security researchers, nor would we make public any assessments of vulnerability findings, because providing or making available secure information to individuals or groups whose interests may counter the United States’ interests would be irresponsible and may in fact, jeopardize the integrity of elections,” the letter from ES&S CEO Tom Burt read.

That letter was poorly received by both Capitol Hill and the security research community. Both felt the response was inadequate on a number of levels.

Christopher Wlaschin, vice president of systems security for ES&S, has dealt with both of these communities before. Formerly the CISO for the Department of Health and Human Services, Wlaschin has experience working with or answering to both sides of this disagreement.

Wlaschin spoke with CyberScoop for a lengthy Q&A on what the company is doing to secure its tech ahead of the midterm elections, why it doesn’t support the DEF CON Voting Village and its possible plan to work with the security research community in the future.

CyberScoop: Let’s start with last week’s announcement: Why did ES&S decide to attach Albert sensors to the voter registration systems?

Chris Wlaschin: In my previous role as a CISO for HHS, I had a deep and fulfilling relationship with DHS’s National Protection & Programs Directorate. When I came to ES&S a little over five months ago, I had a body of knowledge and experience to help them navigate the relationships with DHS, the Center for Internet Security and the [Multi-State ISAC]. We quickly got our leadership team up to speed on the benefits that those kinds of partnerships can deliver.

It didn’t happen right away, there were some legal and procedural hurdles that we had to navigate through. As you know, the Albert program is mainly for state, local, tribal and territorial organizations. No private institution had been allowed to participate in the Albert program. We were able to successfully navigate that. We’ve received approval from the states that we host voter registration systems, and we expect to have that thing up and running in the next couple of weeks.

CS: When will you start pulling information from the Albert sensors?

I believe it will be installed as soon as Sept. 15, if not before. We had to work through some technical issues with how our network is set up, how our voter registration network is partitioned and isolated between states and our corporate network. While that was happening, the states whose voter registration systems we host completed the information sharing agreements with MS-ISAC. Those are in place and now we’re expecting to receive that Albert sensor configured to our technical specifications, so I’m projecting Sept. 15 for that to be up and running.

CS: What exactly is ES&S processing, or is it more on the owner of the voter registration systems to process that sensor information?

CIS operates the Albert system, which is a network of sensors that are now present in all 50 states and over 1,000 election jurisdictions. These sensors monitor network traffic and alert on indicators of compromise that state and local jurisdictions might be experiencing. Typical things that are seen by the sensors are increased levels of scanning from overseas or threatening IP locations. That’s indicative of a nation state or a hacker trying to find an opening.

If there is any evidence of increased activity, any indicators of compromise that might be present, this security operation center aggregates that information, updates it and then pushes it out to their customers — and now ES&S to alert us if something bad is going to happen or is actually happening.

“DEF CON does not have sole reign over nor is it the exclusive source of vulnerability testing and exposure.”

CS: How quickly could you respond if the ISACs call and give you info for a very specific threat to your machines or your registration systems? Can you walk me through a scenario on what would happen if you know a critical threat was detected and the company had to take action?

So the monitoring and alerts that we get from the ISACs are complementary to what we’re doing to our own networks. We would expect to see something on our monitoring systems here first before we ever got a notice from one of the ISACs. I experienced attacks like WannaCry and NotPetya at HHS, and the key to the alerting of those attacks were that they started somewhere else. You probably recall that WannaCry and NotPetya started against the [United Kingdom’s] National Health System and a shipping company respectively. As those attacks propagated and got a toehold in the U.S., the intelligence community, DHS, the ISACs started to alert critical infrastructure customers that something bad was about to happen.

Before our partnership with these ISACs, we didn’t have that here at ES&S. We’re going to get it now. We’re gonna learn about it through one of the ISACs and be able to strengthen our defenses here at ES&S before it ever hits us.

CS: ES&S sent a letter last week to a group of senators that hinted at issues with what happened at DEF CON’s Voting Village. Your CEO Tom Burt said sharing info is “counter to U.S. interests or would be irresponsible and may jeopardize the integrity of elections.” I was wondering if you can expound on that, especially the “jeopardizing the integrity of elections” part. A lot of other companies deal with critical vulnerabilities and they are a little bit more forthcoming than the way your company is positioning itself.

CW: I’ve been to DEF CON before, in my various roles with the federal government and other private and public companies. I have observed what I believe to be serious and valuable ethical white-hat hacking occurring at DEF CON. I’ve visited many of the villages and taken a strong interest in other villages, whether it’s network security, medical device security, down to lock picking and tamper seals.

What I saw at [the Voting Village] was legacy hardware that had been purchased off eBay, without the benefit of any updates or other physical security controls. Just laid bare on the table, allowing anybody who had a toolkit and plenty of time to try and manipulate the machine or somehow exploit a vulnerability.

That seems contrary to me as a professional cybersecurity practitioner. You’ll probably find my peers who would say that any opportunity to reduce the attack surface on sensitive hardware and software is a wise thing to do. To give up hardware and software to anonymous people, whose intent is really unknown … some of those folks claim to be interested in helping strengthen U.S. election security, but you don’t know for sure, because they’re anonymous. You don’t know what their agenda is.

I have seen cases where vulnerabilities in devices at these conferences have been exploited and used for blackmail. Maybe a zero-day vulnerability has been found and ransomed back to the manufacturer or company, in terms of, “Hey, we found this vulnerability in your device and we’ll give you 10 days to disclose it or we’re going to go to press.”

In the case of Mr. Burt’s specific comments, we feel a tremendous responsibility to protect our customers — the state and local election officials that we work with. We feel an intense responsibility to protect the integrity of the election through the hardware and software that we provide them. We take great pains to test this hardware and software in multiple venues, by multiple independent security testers.

Let me say that again. We’re already doing [testing] with multiple independent security testers. Ethical, vetted, white-hat security researchers test our equipment and alert us to vulnerabilities so that we can patch them and get certified if we need to, by the federal government, before those vulnerabilities become public.

In the DEF CON environment, we don’t have that ability. So we feel that by protecting the hardware and software, the source code, from unvetted, anonymous security researchers it’s in our best interest and the interests of our customers, to ensure that we’re doing all we can to protect the integrity of elections.

“We’ve been out lately doing security seminars for our customers and we’re telling them ‘increased auditing is coming.’ “

CS: I want to back up to something a little bit. You said you have been to DEF CON before and have seen code written that went on to be used maliciously?

I’ve been to DEF CON before. And I’ve seen security researchers there exploiting vulnerabilities in various types of devices. And in some cases we read about later, that those vulnerabilities were released in the wild, or ransomed back to the equipment manufacturer.

CS: Can you speak to any specific examples?

I remember the following: At the 2016 event I recall seeing several IoT demonstrations where unassuming everyday IoT devices were easily hacked and vulnerabilities in operating systems and applications were exploited. In one demonstration, a wireless thermostat, I think, was hacked and then infected with ransomware and required the user to pay a fee to restore or recover the operation of the device.

The lesson I learned that day, and the position I have stuck with since, was that there is a fine line between legitimate white-hat security research, vulnerability disclosure programs, and the dark side of hacking where anonymous access to hardware or software could cause major problems for equipment manufacturers. Why take the risk of anonymous vulnerability exploitation and potential ransomware infections when we are already subjecting ourselves to rigorous third-party penetration testing and hacking from several trusted, ethical white-hat hackers? DEF CON does not have sole reign over nor is it the exclusive source of vulnerability testing and exposure.

CS: There are a host of other DEF CON villages there that also deal with critical infrastructure, like the car hacking village or the ICS village. Anonymous security researchers go to DEF CON sit in these villages and do the same type of stuff that was going on at the voting village. If these companies embrace what goes on at DEF CON, why is there such pushback from companies like ES&S?

CW: We believe that DEF CON is not the only place where hacking and exposure of vulnerabilities can take place. We are already using certified, ethical white-hat hackers to test our equipment in multiple locations and in multiple scenarios and we see no value in submitting our equipment to anonymous, unidentified hackers, whose agendas or purpose is unknown or questionable. We already go through three or four different versions of trusted, vetted security research hacking. We believe, and our customers believe, that that’s sufficient and we see no value in submitting our equipment or our software to anonymous hackers whose intentions are unknown.

CS: Before DEF CON, ES&S sent a notice out saying that the physical security measures that go into protecting your machines wouldn’t allow for the types of hacks that were going to be displayed at the village. There’s one video in particular that shows a researcher easily accessing the programming card and popping open a lock as well in a relatively short amount of time. Have you viewed those videos and have you gained any feedback that you will apply to your equipment moving forward?

Yes, we’ve seen the video. We are aware that any piece of technology, with sufficient time and resources, can be hacked. We’ve known that for as long as we’ve been in business. We’ve spent a considerable amount of time addressing each and every vulnerability that we find, that our independent third party testers find, and that hackers at DEF CON find. For every vulnerability that is found, there’s a compensating control. There are multiple layers of protection that would prevent a simple hack like defeating a lock or a tamper seal or switching out a card. We advise our customers in all the states that we work in to maintain the certified and hardened configuration of the system that we deliver to them. And then we work with them leading up to and on Election Day, to make sure that that equipment remains in the secure and trusted configuration.

I can tell you that these election officials have planned for contingencies like this for years. All of them have plan A, B and C. If a machine is acting unusual, these election officials have well developed and mature contingency plans to deal with all of those. That’s part of this security ecosystem that surrounds our election infrastructure. I understand that in that environment that a key lock or a tamper seal could be defeated, but we have compensating controls that I know are verified in the election jurisdiction that would help detect and defeat those kinds of vulnerabilities.

CS: Has there been any thought inside ES&S on opening up a vulnerability disclosure program where anonymous researchers, if they do discover flaws, can get in contact with the company?

We have talked about that at the senior leadership level. Security companies across the country who do security vulnerability testing as a business will notify us on occasion. We reach out to those folks, we have conversations with them, we confirm what they’re telling us, and then we act on it if it’s appropriate to do so.

That’s not formal in the sense that I know you’re getting to. I’m aware that there are other industries that have formal vulnerability disclosure programs. I would have to say that ours has been informal. I would personally like to see us take a more formal approach to that.

CS: Do you see a formal program happening at all?

I see that happening. You know, ES&S, I feel that we’ve been unfairly characterized in some of the recent press reports. We value security researchers. We use the third parties that we work with, we’re getting ready to enter into an agreement with DHS to submit our hardware to one of the government test labs, like in Idaho or at Sandia, I’m not quite sure which one yet. We want to ensure the security of our hardware and software. It’s our business, it’s what we pride ourselves in. We absolutely want to learn about vulnerabilities and be able to correct them so that the customers, the election officials across the country, can maintain confidence.

CS: Can you give me a little bit more details on what exactly has been discussed? Is it a coordinated disclosure via an email address or possibly a bug bounty program?

CW: I don’t believe we’ve talked about that, no. But that said, it would be my desire to work with the senior leadership here to develop that kind of a program.

CS: Finally, a lot of researchers and academics have been recommending that state and local election officials rely on paper ballots or machines that give an auditable paper record. Have you seen an uptick in interest in those types of machines?

CW: There’s significant interest from our customers in having a paper ballot of record to assure state and local election officials, candidates and the public that votes that are cast, counted and audited, are backed up by some type of paper record.

ES&S is on record embracing the use of paper as the output of the ballot marking device. We’ve been supporting it for some time in a number of states and we would like to see its use increased. Why? Because it supports pre- and post-election auditing.

[Kathy Rogers, Head of Government Solutions for ES&S is added in to the interview.]

KR: Sometimes we’re painted by certain people as trying to push DRE [direct-recording electronic, or paperless] technology. We have DRE technology in the field that we support today and we take care of our customers who have that technology and we sustain it very well.

However, when it comes to making decisions about what technology we build and deploy, we go to our customers as any company would. There were times when DRE technology was the way that people want to go. As a company, we certainly don’t shy away from what customers are telling us that they’re going to purchase. If not from us, they’ll purchase it from someone else.

We’ve been out lately doing security seminars for our customers and we’re telling them increased auditing is coming. If you don’t have a great deal of auditing now, you’re going to have it. It’s our job to ensure that these systems make auditing streamlined and it’s easy as possible for offices, and part of that includes a piece of paper.

CW: We’re an American company that dedicates each and every day to secure elections. It’s the cornerstone of what we do, it’s in our benefit, because any compromise of our products or technology would be harmful to our business and our customers and maybe, most importantly, our personal integrity.

This interview has been edited for length and clarity.