DEFCON has hit back at criticisms levied at it by the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines.
In a statement released on 9th August, the NASS said that while it applauded “the goal of DEFCON attendees to find and report vulnerabilities in election systems" it felt it was important to point out that work has been done by states' own information technology teams, and also named the Department of Homeland Security (DHS), the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the private sector, the National Guard and universities as being involved “to enhance and reinforce their cyber postures with penetration testing, risk and vulnerability assessments and many other tools.”
In particular, the NASS said that its main concern with the approach taken by DEFCON “is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security” and while delegates have access to voting machines, NASS said that many of these are no longer in use, and the environment does not "replicate accurate physical and cyber protections established by state and local governments before, and on Election Day."
The NASS also said that it was concerned that creating “mock” election office networks and voter registration databases for participants to defend and/or hack was also unrealistic. It said: “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols.”
In response, a statement from the DEFCON Vote Hacking Village sent to Infosecurity claimed that the goal of the village is to present the most realistic election network possible, to further the education, discovery, and the free exchange of facts.
“Therefore, the Voting Village made a concerted effort to involve as many local election officials as possible,” it said.
“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”
In particular, it named the state of Ohio and Cook County, Illinois whose participation enabled the village “to incorporate several key elements of the voting process to replicate the election infrastructure.”
The village also disregarded claims that the machines are old and out of use, as all but one are still in use.
“We did our public demonstrations with the decommissioned WinVote out of a sense of responsibility to not broadcast a guide to hacking an actively in-use machine to the public,” the statement said.
“We invite NASS and all election machine manufacturers to learn about the vulnerabilities we find this year, and we invite them to participate next year because as we know, cyber threats are constantly evolving and becoming more sophisticated.”
DEFCON’s Voting Machine Hacking Village is the latest village for the Las Vegas conference, following on from initiatives around IoT, lockpicking, and social engineering.