National labs will probe election tech for vulnerabilities under planned DHS program

The government is currently planning a cybersecurity program that would allow federally funded national scientific laboratories to privately probe and then document security flaws existing in U.S. election technology, most of which is developed and sold by private companies, according to a senior U.S. official.

Rob Karas, director of the National Cybersecurity Assessments and Technical Service team at the Homeland Security Department, said that multiple election technology vendors had already shown an interest in engaging on the effort. Karas declined to name the firms, but said the initiative will begin later this summer. The outreach process is still ongoing.

It would provide voting-technology companies — hardware and software makers alike — with a free, comprehensive vulnerability assessment report so that they can better understand how their systems might be hacked. This type of information is typically considered valuable as companies look to harden their products. The individual reports will not be made public, but rather privately offered to the companies.

In addition to providing a confidential report to the participating vendors, the federal program would also help inform the U.S. government about the technical avenues that any foreign government may target in upcoming elections.

Karas said that the goal is for these vulnerability assessments to be finished before the end of the year so that election technology companies can begin incorporating them into future products. It’s not yet clear what sort of positive impact this program can have on either the 2018 or 2020 elections.

At the moment, the idea is to have several national labs, including potentially Idaho National Lab and Pacific Northwest National Lab, working on the vulnerability testing component while DHS handles the broader private-public relationship.

Though Idaho National Lab (INL) is perhaps best known for its nuclear research, the facility is also deeply familiar with studying the digital security surrounding industrial control systems (ICS) like those used in electric and manufacturing plants. In 2011, INL faced public backlash after a New York Times story claimed it had helped U.S. intelligence agencies develop a damaging offensive hacking tool, which later became known as “Stuxnet.” Stuxnet, among other things, exploited flaws in a Siemens’ ICS product.

In December, the DHS and the independent Election Assistance Commission (EAC) launched the Sector Coordinating Council (SCC), a voluntary stakeholder group that’s helped the government build partnerships with the election technology industry.

While federal elections are managed at the state level, the technology that facilitates them comes from a mix of contractors and technology firms. Until recently, the topic of voting security received little fanfare, but today, heading into the 2018 midterms, it’s become a matter of national security.

Election technology vendors are not compelled under existing law to disclose if they’ve been breached to the U.S. government.

U.S. intelligence officials widely predict that Russia will once again attempt to meddle in future U.S. elections. How that will occur remains an open-ended question.

Historically, the election technology industry — which is largely dominated by less than five brands — has not been open to scrutiny by the cybersecurity research community. That thinking, however, could now be changing with the hand of government pushing for it.