State Elections Official Touts Bug Bounties for Voting Systems

Ohio's Secretary of State Plugs Bug Bounties to Ensure the Integrity of Elections
Ohio Secretary of State Frank LaRose

An elections official today touted bug bounties for voting machines, telling a congressional panel that the federal government should support state governments that ask for the help of white hat hackers.


Ohio was the first U.S. state to implement a vulnerability disclosure policy for its election systems, with the state asking researchers to find vulnerabilities and inform state authorities, the Buckeye State's top election official told the House Homeland Security Committee during a hearing on election security.

This has allowed Ohio to leverage the expertise of security researchers who excel at finding vulnerabilities, said Frank LaRose, Ohio secretary of state.

America's pivot to electronic tallying at the ballot box has provoked fears that hackers - state-sponsored or otherwise - might skew outcomes. No evidence exists that hackers have affected elections, though not necessarily for lack of trying. The Senate Intelligence Committee in 2019 concluded that the Russian government at least probed election systems in all 50 states during the 2016 election. During the final weeks of the Obama administration, outgoing Homeland Security Secretary Jeh Johnson designated election systems as critical infrastructure.

The Ohio Secretary of State has a vulnerability disclosure policy on its website, which LaRose, a Republican, says provides hackers with a secure place to report vulnerabilities and receive credit if they so desire. Fewer than 10 other states have started to implement vulnerability disclosure programs of their own, but LaRose said interest is growing and could be further accelerated with the support of the Cybersecurity and Infrastructure Security Agency, a component of the Department of Homeland Security.

Ohio now also requires vulnerability disclosures from outside vendors, meaning that any third party that wishes to sign a contract with any of the state's 88 county boards of elections must satisfy certain cybersecurity requirements. The state also requires that all county election boards allow for scans inside their network perimeter, rather than just at the internet-facing level.

LaRose advised states to appoint a CISO solely responsible for securing the ballot box. That official should be able to use remote monitoring technology so that any security issues that arise during evenings or weekends can be mitigated right away.

He also urged federal agencies to quickly declassify information detailing successful countermeasures by state and local officials against cyberattacks. LaRose shared one such story himself, telling the committee that a 2021 attempt by an unidentified person to capture elections data by plugging an unauthorized laptop into Lake County's governmental system failed.

The elections system, LaRose said, is siloed off. The Washington Post reports the threat actor captured routine network traffic that was later circulated at a conference on election fraud hosted by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who promotes false claims that the 2020 presidential election was rigged.

The FBI is reportedly investigating the incident.


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



