State Elections Official Touts Bug Bounties for Voting Systems
Ohio's Secretary of State Plugs Bug Bounties to Ensure the Integrity of Elections
An elections official today touted bug bounties for voting machines, telling a congressional panel that the federal government should support state governments that ask for the help of white hat hackers.
Ohio was the first U.S. state to implement a vulnerability disclosure policy for its election systems, with the state asking researchers to find vulnerabilities and inform state authorities, the Buckeye State's top election official told the House Homeland Security Committee during a hearing on election security.
This has allowed Ohio to leverage the expertise of security researchers who excel at finding vulnerabilities, said Frank LaRose, Ohio secretary of state.
America's pivot to electronic tallying at the ballot box has provoked fears that hackers - state-sponsored or otherwise - might skew outcomes. No evidence exists that hackers have affected elections, though not necessarily for lack of trying. The Senate Intelligence Committee in 2019 concluded that the Russian government at least probed elections systems in all 50 states during the 2016 election. During the final weeks of the Obama administration, outgoing Homeland Security Secretary Jeh Johnson designated election systems as critical infrastructure.
The Ohio Secretary of State has a vulnerability disclosure policy on its website, which LaRose, a Republican, says provides hackers with a secure place to report vulnerabilities and receive credit if they so desire. Fewer than 10 other states have started to implement vulnerability disclosure programs of their own, but LaRose said interest is growing and could be further accelerated with the support of the Cybersecurity and Infrastructure Security Agency, a component of the Department of Homeland Security.
Ohio now also requires vulnerability disclosures from outside vendors, meaning that any third party that wishes to sign a contract with any of the state's 88 county boards of elections must satisfy certain cybersecurity requirements. The state also requires that all county election boards allow for scans inside their network perimeter, rather than just at the internet-facing level.
LaRose advised states to appoint a CISO solely responsible for securing the ballot box. That official should be able to use remote monitoring technology so that any security issues that arise during the evening or weekends can be mitigated right away.
He also urged federal agencies to quickly declassify information detailing successful countermeasures by state and local officials against cyberattacks. LaRose shared one such story himself, telling the committee that a 2021 attempt by an unidentified person to capture elections data by plugging an unauthorized laptop into Lake County's governmental system failed.
The elections system, LaRose said, is siloed off. The Washington Post reports the threat actor captured routine network traffic that was later circulated at a conference on election fraud hosted by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who promotes false claims that the 2020 presidential election was rigged.
The FBI is reportedly investigating the incident.