Voting machine companies, which for years have been loath to acknowledge any security weaknesses, are finally saying they will consider allowing ethical hackers to search for them. But hackers are skeptical of the election industry's recent commitment to security and transparency.
The olive branch to hackers marks a huge about-face for the industry, which last week asked for feedback from researchers and companies about the best ways to let outsiders vet their security. They've long argued that researchers, by exposing security flaws, could give a roadmap to foreign hackers intent on compromising the 2020 contest. Now they're saying the threat of Russian hacking and disinformation is too severe for the security of election systems to be treated as a private matter to be managed behind closed doors.
"For many years the industry . . . preferred to work quietly behind scenes. [But] 2016 brought cybersecurity to the front burner and folks in this industry who were uncomfortable talking about vulnerabilities have warmed up to it," said Chris Wlaschin, the top cybersecurity official for Election Systems and Software.
But some ethical hackers worry the industry, which has historically prioritized making their machines easier for election administrators to use rather than making them as secure as possible, isn't ready to make big changes. They fear the companies won't work quickly enough to fix the bugs they discover and could use non-disclosure agreements to enforce silence about dangerous bugs that could compromise an election.
Wlaschin said the process to report bugs, which is still under consideration, is likely to be relatively restrictive. The companies are likely to require both background vetting for hackers who participate and require them to sign non-disclosure agreements about the issues they find. Members of the working group that's developing the plan have been getting regular briefings from companies that manage programs like that, he said.
That's already raising the hackles of some hackers who say the voting machine industry has a history of ignoring their reports about dangerous bugs - or downplaying the bugs' significance.
"The idea of a system where people are reporting vulnerabilities under a gag order and the gag order is in place until its fixed is unrealistic. Because right now 'until it's fixed' could be as long as the system's in use," said Harri Hursti, a cybersecurity researcher who has spent more than a decade studying vulnerabilities in voting systems.
Hursti helps run a program for hackers to probe election systems in a safe environment at the Def Con cybersecurity conference. He worries a formal program for hackers to report bugs could end up undercutting the research hackers are doing independently without actually making voting systems' cybersecurity any better.
For instance, when researchers at his "voting village" probed voting machines for the first time in 2018, they found bugs that were first reported to companies more than a decade ago that still hadn't been fixed. They also found built-in passwords that were not possible to change that were set to insecure and easy-to-guess codes such as "1111."
Hursti and other hackers will release the findings from their second round of testing, which took place this summer, later this week. He says they are just as concerning. He slammed the industry's white paper and request for comment as "marketing materials" from a group that isn't serious about cybersecurity.
But the voting machine industry says non-disclosure agreements and similar protections are common when companies ask outside researchers to examine highly sensitive systems and they're necessary to ensure information about dangerous bugs doesn't get out to hackers who actually want to compromise voting machines.
"We're trying to create a balance between ensuring the security of the systems and getting valuable input from the community," said Scott Algeier, executive director of the non-profit cybersecurity organization that helped draft the industry's white paper and request for information. "If a vulnerability is announced and there's no fix for it, that puts everyone at risk."
And some cybersecurity researchers were more bullish on the voting industry's plan.
Joe Hall, chief technologist at the Center for Democracy and Technology who's also worked extensively in election systems cybersecurity, said in an interview that he's fine with the industry requiring non-disclosure agreements from hackers but said those agreements should be negotiated so they run out if vulnerabilities remain un-patched for too long.
"I've seen signals from the industry over the past year that they seem to be giving cybersecurity much more of a first-class citizenship," Hall said. "I'm not saying it's going to last and they have a long way to go but I've seen a change in terms of their receptivity."
Even if the industry does get hackers on board, though, it will face another hurdle to implement their cybersecurity fixes.
That's because states certify voting machines using federal guidelines that make it extremely hard to change any software - including patching bugs against hackers - without restarting the lengthy certification process all over again.
That means "a change to even one byte of the trusted software built in voting machines or back office computers" could launch a re-testing process that takes weeks or even months, the companies note in their white paper, which they produced through the Information Technology-Information Sharing and Analysis Center, a non-profit cybersecurity group that counts most major election systems vendors among its members.