Aug 07, 10:00 AM – 4:00 PM PST

DEF CON Voting Village

A Note from the DEF CON Voting Village

As this year’s federal election draws near, events like the DEF CON Voting Village that highlight key issues of election security and integrity are more critical than ever. In order to make the most of this opportunity and leverage the expertise of the DEF CON community, this year’s Voting Village includes (by design) presentations that may be controversial. Please note that the inclusion of a speaker or organization on the speaker track does not mean that the Voting Village endorses the speaker’s views and/or comments. Some talks have been accepted because the presenters have specifically expressed the desire to receive feedback and/or guidance from the security community when the approach presented has been rejected by the security community.

The Voting Village welcomes feedback and questions on all presentations, particularly those that are controversial in nature. Given the virtual nature of this year’s DEF CON, the ability of DEF CON Village organizers, speakers, and attendees to hold interactive, in-person discussions is limited. Therefore, Voting Village organizers will facilitate the compilation of comments, feedback, and suggestions related to this year’s Voting Village talks.

The Voting Village organizers welcome all comments and feedback, which we hope to include in our annual report. If you would like to contribute, please include the following information in your comments:

We invite you to communicate your feedback on Voting Village presentations in the following ways:

  1. Take part in the live text discussion about each presentation on Discord at vmhv-talks-questions-text (for Q&A during a presentation or panel) and vmhv-talks-text (for comments and questions after a talk has ended). 
  2. Email us your comments and feedback about the talks at [email protected]

Friday, August 7

10:00 AM PT // 1:00 PM ET – Welcome and Kick-off

10:30 AM Keynote Remarks: Representative Jackie Speier

11:00 AM PT // 2:00 PM ET – A Policy Approach to Resolving Cybersecurity Problems in the Election Process

Cybersecurity researchers keep identifying cybersecurity vulnerabilities in voting machines and in the election process, but little is done to close the identified vulnerabilities. The private sector vendors involved in voter registration, manufacturing and programming voting machines, and vote tabulation are less than responsive, and few have provided evidence that they have strong cybersecurity programs that meet best practices and standards and regularly have cyber risk assessments performed. This presentation will put forward a federal policy approach that will help correct these problems and advance the integrity of elections across the country.

11:30 AM PT // 2:30 PM ET – Hacking Democracy II: On Securing an Election Under Times of Uncertainty and Upheaval

Democracy is the cornerstone of America’s Constitution, identity, and ideology, and this foundation was shaken during the 2016 Presidential Election. Four years later, we still have great lengths to go to ensure that the integrity of the 2020 Presidential Election, and any election moving forward, is protected.

In February, this panel convened to discuss the threats and challenges that are present and may arise between then and the November election. We discussed the intersection of people, technology, security, and elections, with a focus on themes including:

However, we did not know that a pandemic and constantly changing rhetoric from candidates and government leaders, along with several court cases, primaries, and other events, would add even more challenges for the 2020 election. We will discuss what remains in the 90 days between now and the election, what the public, governments, and others can feasibly do to ensure a secure and valid election, and what will need to be carried forward as lessons learned.

12:30 PM PT // 3:30 PM ET – See Something, Say Something

1:00 PM PT // 4:00 PM ET – A Panel with the Feds on Election Security

Elections are critical in a free and fair society. Public trust in election infrastructure begins with understanding what the Government has done with transparency and how the hacker community can help. We are all citizens and our voices should be heard.

- What has the Federal Government done since 2016, including with state and local?

- What changes have come about with the military’s Defend Forward strategy in 2018?

- How do they work together with the domestic efforts?

- How are foreign and domestic campaigns of disinformation managed?

- What else could we do better?

- How can the hacker community help?

2:00 PM PT // 5:00 PM ET – Keynote Remarks: Senator Ron Wyden

2:30 PM PT // 5:30 PM ET – Chairman Benjamin Hovland, U.S. Election Assistance Commission

3:00 PM PT // 6:00 PM ET – Secretary Kim Wyman, Washington

Saturday, August 8

10:00 AM PT // 1:00 PM ET – War By Other Means: How Influence Operations Undermine Democracy

New tactics and capabilities in information warfare give authoritarians unprecedented power to “hack” the electorates. Our research on campaigns in Poland and Taiwan shows the breadth and impact of operations against democracies around the world and what they foreshadow for the US Presidential election.

10:30 AM PT // 1:30 PM ET – An Overview of the Security Challenges Posed by State-Level Election Management Systems

Are voting machines all we have to worry about? This presentation will give an overview of why we should turn our attention to statewide election management systems and databases for potential security issues.

11:00 AM PT // 2:00 PM ET – Heightened Election Security Risks Amidst the Pandemic

Amidst the COVID-19 pandemic, countless aspects of American life have been impacted, including our elections. Accommodations for the pandemic include an unprecedented shift towards absentee balloting across the United States, as well as drastically reduced in-person voting options. While we cannot predict the state of the pandemic come November, it is clear that elections will operate differently, constrained by health concerns around in-person voting, reduced polling place staff, and massive budget shortfalls. Such large-scale change will necessarily impact election security, as new attack surfaces open due to states relying on rapidly expanded infrastructure. With political polarization at a high, it is crucial that elections remain safe and secure despite the pandemic, and that American citizens believe their elections credible. In this talk, we will explore the areas of election infrastructure that are changing, and new associated security concerns based on our work at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

11:30 AM PT // 2:30 PM ET – Hack-a-Fax

Millions of overseas voters must choose between the following ballot return methods: international mail, email or fax return as allowed by each respective state law. The insecurity of email and fax, arguably, creates a security gap in the overall elections infrastructure that undermines its integrity. The National Cybersecurity Center proposes to ‘hack a fax’ in order to demonstrate the lack of security, and create an opportunity to strengthen standards. The concern to the broader community is that as we continue to seek to make voting more accessible, it must also be secure. Policies that limit overseas voters to technology that may not have security standards in place, and is therefore insecure, reduce the integrity of the overall elections ecosystem.

12:00 PM PT // 3:00 PM ET – Analysis of the Attack Data Collected During Mobile Voting Pilots

Since 2018, we have been experimenting with smartphone-app based mobile voting for a very small number of voters across various jurisdictions in the United States. The small-scale nature of these pilots has not prevented attackers and researchers from around the world from attempting to break into the platform at multiple levels. In this paper, we present the significant amount of attack data that has been collected over the past couple of years and an early analysis of the nature of these attack attempts, their lethality, origins, etc. We also present the mitigation measures that have worked and the ones that haven’t. Lastly, we will also dive deeper into a couple of very significant attack attempts and present a detailed analysis of the threat vectors, the attack modality, duration, etc. All this data is being shared in the public domain for the very first time and an anonymized dataset will be available for open downloads. We hope that it will further inform research in this space.

12:30 PM PT // 3:30 PM ET – Remote Online Balloting Delivery and Marking Options and Security Considerations for Absentee Voting During the COVID-19 Pandemic

As States grapple with the difficult task of holding elections during the novel coronavirus pandemic, election administrators are exploring and implementing technology to deliver blank ballots electronically. The expansion of vote by mail in many states also necessitates a remote accessible ballot marking option for voters with disabilities.

A number of available systems allow the voter to receive a blank ballot electronically, mark it on their computer and print it for mailing or drop off without transmitting the voted ballot to the election office. However, these remote accessible ballot marking systems can be designed in different ways that have significantly different security and privacy profiles.

We explore the different architectures for remote ballot marking, comparing systems that conduct the marking process over the internet (on a remote server) and those that mark ballots statelessly, on the client’s device. We consider the security and privacy issues associated with both technologies, and offer specific recommendations to limit security and privacy risks.

1:00 PM PT // 4:00 PM ET – Don’t Go Postal Over Mail In Voting

As the previous DEFCON Voting Villages have proved, our voting equipment and infrastructure are very vulnerable to multiple types of attacks. But now, with everything that’s going on in the world, voting by mail is the new vulnerable thing! Instead of focusing on problems and broken things, this talk will focus on simple fixes that vendors and governments can put into action right now. Starting with registering to vote, then moving through parts of the entire system, BiaSciLab will offer suggestions on how simple practices and changes in thinking can improve the security of the entire system.

Last year, in the Voting Village, BiaSciLab did a talk on election systems problems and how to fix them. This year, with voting by mail, new problems are appearing! Like States not allowing people to vote by mail! Breaking down these flaws and offering real solutions for each one, BiaSciLab will bring hope in the face of this daunting and complex security problem in these hard times.

1:30 PM PT // 4:30 PM ET – The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections

In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called “Voatz.” Although there was no public formal description of Voatz’s security model, the company claimed that election security and integrity were maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user’s device. In this work, we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation. We performed a cleanroom reimplementation of Voatz’s server and present an analysis of the election process as visible from the app itself.

We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can recover a user’s secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections. 

2:00 PM PT // 5:00 PM ET – Vote-from-Home? Review of Election Security on Remote Voting in Response to COVID-19

This presentation asks whether remote voting, online or by mail, is trustworthy under the COVID-19 pandemic. Worldwide efforts to contain the virus have included work-from-home and restriction orders. In addition, because human contact is critical in the dissemination of the virus, alternative methods of voting such as online voting, blockchain voting, and vote-by-mail have been proposed. In light of this situation, the article proposes a framework to evaluate the election security of remote voting methods. Further, the article provides a case of best practice for election administration from the Republic of Korea. Based on the assessment results from the proposed evaluation framework, the article provides modest suggestions and policy implications for election administrators.

2:30 PM PT // 5:30 PM ET – Electronic Ballot Return Standards & Guidelines

The emergence of new electronic ballot return methods creates an opportunity for greater vote access and potential enfranchisement, but also raises concerns about security in an increasingly tumultuous cyber-election landscape. The challenge of security is further compounded by a lack of proactive guidance from the federal level on developing these new technologies, leaving a gap in the secure development of the technologies to adopt an elections framework and approach to security. Experts from the National Cybersecurity Center (NCC) will offer a draft of security guidelines for the new electronic ballot return platforms to consider, and for federal agencies to adopt. The guidelines format mimics the Voluntary Voting System Guidelines created by the Election Assistance Commission.

3:00 PM PT // 6:00 PM ET – Understanding Cyber-Attacks and Their Implications to Democratic Regimes

Cyber-security experts have documented how authoritarian regimes attacked the US voting infrastructure or how governments of this type stole information from American companies. This evidence suggests that authoritarian regimes are more likely to conduct cyber-attacks than democratic ones. The purpose of this research is to prove this hypothesis. With information from the Center for Strategic and International Studies (CSIS), this research provides a descriptive analysis of the Significant Cyber Incidents that occurred worldwide from 2006 to 2019. To prove the former hypothesis, this research shows the results from panel data models with random and fixed effects, which provide evidence that confirms this hypothesis: authoritarian regimes are more likely to commit cyber-attacks than democratic states. However, there is no evidence to sustain that democracies are more likely to be attacked than authoritarian regimes. In other words, all regimes are subject to cyber-attacks.

3:30 PM PT // 6:30 PM ET – A Lawyer’s Reflections on Elections

Join Cordero Alexander Delgadillo (@CORDERO_ESQ), a business and technology lawyer, and more recently a former political candidate, as he demonstrates that elections, especially local elections, are akin to information systems (even reasonably locked down systems), because both are highly susceptible to the very non-tech, human vulnerabilities (nefarious and negligent). In this talk Cordero will provide insight by:

– Examining the structures of American Democracy

– Telling stories from his own election lawsuit: Delgadillo v. City of Peoria et al

– Highlighting election process issues deemed “inconsequential” or “un-addressable”

– Sharing information and resources

4:00 PM PT // 7:00 PM ET – Protecting Elections with Data Science — A Tool for 2020 and Beyond

What are the possibilities, and challenges, for using data science to protect elections? Stephanie Singer will describe an open source tool to aid in quick consolidation of election results, and a public-facing web front end planned for November 2020 and beyond.

 
