The Race to Secure Voting Tech Gets an Urgent Jumpstart

Numerous electronic voting machines used in United States elections have critical exposures that could make them vulnerable to hacking. Security experts have known that for a decade. But it wasn’t until Russia meddled in the 2016 US presidential campaigns and began probing digital voting systems that the topic took on pressing urgency. Now hackers, researchers, diplomats, and national security experts are pushing to effect real change in Washington. The latest update? It’s working, but maybe not fast enough.

On Tuesday, representatives from the hacking conference DefCon and partners at the Atlantic Council think tank shared findings from a report about DefCon’s Voting Village, where hundreds of hackers got to physically interact with—and compromise—actual US voting machines for the first time ever at the conference in July. Work over three days at the Village underscored the fundamental vulnerability of the devices, and raised questions about important issues, like the trustworthiness of hardware parts manufactured in other countries, including China. But most importantly, the report highlights the dire urgency of securing US voting systems before the 2018 midterm elections.

“The technical community … has attempted to raise alarms about these threats for some years,” said Frederick Kempe, president and CEO of the Atlantic Council, in a panel discussion. “Recent revelations have made clear how vulnerable the very technologies we use to manage our records, cast our votes, and tally our results really are … These findings from the Voting Village are incredibly disconcerting.”

Fortunately, the past few months have seen signs of progress. The Department of Homeland Security is moving forward with its critical infrastructure designation for voting systems, which frees up resources for helping states secure their platforms. The Texas Supreme Court is currently considering a lawsuit challenging the state’s use of digital voting machines. And in Virginia, state officials are converting voting systems to use paper ballots and electronic scanners before the November 7 elections. They say the change was motivated by the findings at DefCon’s Voting Village.

Susan Greenhalgh, an elections specialist for the vote-security group Verified Voting, which worked with Virginia officials this fall, applauded the “transition into real-world change” that had transpired in just the last few months.

Virginia and Texas represent important progress, but plenty of work remains. Five states still rely solely on digital voting machines without paper backups, and at least 10 states have mixed voting infrastructure, with certain counties that use digital voting without paper. These systems are the most vulnerable to manipulation, because you can’t audit them afterward to confirm or dispute the digital vote count in the case of suspected tampering.

“The one core point that election security experts and others have been making about why our votes are safe was that the decentralized nature of our voting systems, the thousands and thousands of voting offices around the country that administer the election, is what kept us safe,” Jake Braun, a DefCon Voting Village organizer and University of Chicago researcher, said. “Because Russians [or other attackers] would need to have tens of thousands of operatives go get physical access to machines to actually infiltrate the election. We now know that’s false.”

With only a handful of companies manufacturing electronic voting machines, a single compromised supply chain could impact elections across multiple states at once. The Voting Village report emphasizes that there is a huge amount of change required in the US to address security issues at every point in the election workflow, from developing more secure voting machines to sourcing trustworthy hardware, and then actually setting up voting system devices and software for use in a secure way. DefCon founder Jeff Moss says that the goal for next year’s Voting Village is to have a full election network set up so hackers can evaluate and find weaknesses in a complete system, not just individual machines.

The Department of Homeland Security recently confirmed that Russia infiltrated various election-related systems in 21 states during 2016, and access to a full voting-system setup would give security researchers additional real world insight into defending US voting infrastructure. But as was the case with acquiring real voting machines for last summer’s conference, Moss says it has been extremely difficult to gain access to the third-party proprietary systems that states use to coordinate voting.

“I would love to be able to create any kind of a complete system, that’s what we’re aiming for,” he said during the panel. “The part that’s really hard to get our hands on is the backend software that ties the voting machines together to tabulate and accumulate votes, to provision voting ballots, to run the election, and to figure out a winner. And boy do we want to have a complete voting system for people to attack. There’s never been a test of a complete system—it’s just mind boggling.”

DefCon’s voting village and interdisciplinary partnerships are certainly raising awareness about election security and motivating change, but with some elections just a few weeks away and the midterms rapidly approaching, experts agree that change may not be coming quickly enough.

“We’ve got a lot to do in a short period of time,” said Douglas Lute, a former national security advisor to President George W. Bush and former US ambassador to NATO under President Barack Obama. “In my over 40 years of working on national security issues I don’t believe I’ve seen a more severe threat to American national security than the election hacking experience of 2016. Russia is not going away. This wasn’t a one shot deal.”

Alphabet’s Project to Restore Wireless Service in Puerto Rico With Balloons Gets FCC Approval

Project Loon has already proven its real-world usefulness once this year.

The FCC has approved an experimental license for Alphabet, Inc’s Project Loon to attempt to restore wireless service to storm-ravaged Puerto Rico using its high-altitude balloons, according to FCC Chief of Staff Matthew Berry.

Though the Loon technology is not entirely proven, it could help speed the restoration of vital communications as the U.S. territory works to recover from the devastation of Hurricane Maria.

It could also help prove the business case for Loon, one of the experimental “moonshots” debuted as part of Google, and now housed under Alphabet subsidiary X.

More than 80% of Puerto Rico’s cellular towers are still out of service more than two weeks after the arrival there of Hurricane Maria, and nearly one-third of the island’s counties have no service, according to the FCC. Rebuilding conventional cell towers will be “a long road,” T-Mobile told CNN, thanks to challenges including not just the cost of construction, but, according to some wireless companies, theft and crime against their operations.

Loon balloons, which carry communications equipment as high as 20 kilometers into the atmosphere, would circumvent those earthbound hurdles — at least temporarily. Loon recently rolled out internet and LTE service in Peru after flooding there, reportedly providing coverage for an area roughly the size of Switzerland. The balloons that were deployed in Peru, in fact, were launched from Puerto Rico.

However, restoring communications to Puerto Rico may be more challenging. Loon requires local partners to work, and in the case of the Peru project, relationships with wireless providers and other players were already in place. But in earlier statements to Mashable, a Loon spokesman said the Puerto Rico effort would be “a little more complicated because we’re starting from scratch.”

Contracting with governments for deployment in disaster zones could eventually become a revenue stream for Loon, which debuted in 2013. Alphabet has begun ramping up pressure for moonshots to generate revenue, partly in hopes of diversifying beyond the search-driven advertising business that still makes up the overwhelming majority of its profits.

In France, Snap's Discover news feature gets 10 million monthly users

(Reuters) – Snap Inc, searching for ways to reinvigorate a slowing growth rate and increase advertising revenue for its Snapchat messaging app, said this week it has racked up 10 million users for its Discover news and video feature in France a year after launching there.

The figure, which has not previously been reported, is equivalent to about 15 percent of the country’s population.

Internationally, the Snapchat app has 173 million daily active users, the company said in August, while rival Instagram, owned by Facebook Inc, said this week it has 500 million daily users.

Snap’s partners in France such as Le Monde and Cosmopolitan, which supply video and news for the Discover feature, were getting “significant” revenue from ads, Nick Bell, Snap’s vice president of content, told Reuters, without giving an exact figure.

Snap, which generates revenue from advertisers, shares that revenue 50-50 with its publisher partners.

The company has yet to turn a profit since its messaging app launched in 2012. Since its initial public offering in March, its shares are down almost 18 percent, to around $14 per share.

France was the first international launch of Discover. It has also been released in Germany, the Middle East and North Africa, but the company is taking a slow, deliberate approach to expansion as it works at developing strong partnerships with publishers, said Bell.

Reporting By Jessica Toonkel; editing by Anna Driver and Rosalba O’Brien
