The DNC Enlists Kids in Its Fight Against Hackers

Credit to Author: Issie Lapowsky | Date: Thu, 02 Aug 2018 15:05:27 +0000

Voting systems in the United States are so woefully hackable, even an 8-year-old could do it.

At least, that’s the conceit of a competition cosponsored by the Democratic National Committee at next week’s Def Con hacker conference in Las Vegas. The contest will include children, ages 8 to 16, who will be tasked with penetrating replicas of the websites that secretaries of state across the country use to publish election results. They’ll vie for $2,500 in prize money, $500 of which will come from the DNC and be awarded to the child who comes up with the best defensive strategy for states around the country.

The DNC’s chief technology officer, Raffi Krikorian, says he was inspired to team up with Def Con after scoping out an event at last year’s conference called Voting Village, where attendees—grown-ups this time—got to hack into various models of voting machines and find flaws. “We wanted to figure out how we could use this to our advantage,” Krikorian tells WIRED. “Let’s get those lessons back to secretaries of state.”

The Voting Village, which caters to experienced hackers, will continue this year. But the organizers behind the event wanted to expand their work to cover one of the most glaringly obvious holes in election security: state websites that post election results. International elections have already proven how these types of hacks can go horribly wrong. In 2014, Russian hackers penetrated the website of Ukraine's Central Election Commission and changed the election result, prompting Russian media to run with the false news.

But getting kids involved was more than just a cutesy ploy to get the public to pay attention to election security, says Jake Braun, who worked for the Department of Homeland Security under President Obama and is organizing the event. State election sites are so deeply flawed, Braun says, no adult hackers would be interested in cracking them. “The hackers would laugh us off the stage if we asked them to do this.”

So the Voting Village team partnered with r00tz Asylum, a nonprofit that runs security training for kids and is one of the cosponsors of the event along with the DNC and the University of Chicago. They tapped prominent cybersecurity expert Brian Markus to design mockups of state websites for 13 presidential battleground states, which the kids will attempt to hack.

Krikorian admits a lot of this work “is seriously low-hanging fruit,” but he says the most common questions he fields from local election officials are about how to defend their websites and voter databases. The fact that these officials are reaching out to the DNC—a campaigning organization that doesn’t administer elections—is a foreboding sign in and of itself. “If they’re reaching out to the party asking for advice, it sounds like they’re not getting the right advice from the government or any three-letter agencies,” Krikorian says.

That’s concerning given the mounting signals that the 2018 midterm elections are already under attack. Director of national intelligence, Dan Coats, said that “the warning lights are blinking red again,” with regard to attacks on United States infrastructure. Microsoft says it’s already thwarted three attacks on Democrats, including senator Claire McCaskill. Krikorian says he is in steady communication with both Microsoft and Google about potential threats against Democrats' email and storage services. He acknowledges, however, that the party's coordination with social media companies like Facebook and Twitter isn't as strong.

Given the scale of the threat, the DNC will obviously have to do a lot more than entrust election security to kids if it wants to avoid a repeat of 2016's cybersecurity catastrophe. That's why Krikorian joined the party in 2017, after a long career working in tech at companies like Twitter and Uber. When he came on board, the DNC was still recovering from the devastating Russian hack of its servers in the run-up to the 2016 election. Since then, he’s worked to fortify the party, bringing in industry experts like Bob Lord, formerly of Yahoo, to be the DNC’s chief of security. Together, they’ve pushed the organization to adopt basic security measures like two-factor authentication, and are working with outside experts to monitor suspicious traffic. They’ve also launched phishing attacks on the whole staff, not unlike the one that allowed Russian hackers to infiltrate their system to begin with.

Krikorian says progress is steady, but the work is never complete. Recently, his team forged an email from the DNC’s new CEO, asking staffers to meet with her. “That level of attack is a pretty specific spear phishing attack, but a few people did fall for it,” Krikorian says.

Strengthening security at the party’s Washington headquarters is one thing. Protecting local candidates and election officials in some 6,000 races across the country is another. When local officials come calling, the DNC gives them a to-do list that covers security basics, advising them to change their default passwords, enable two-factor authentication, and update to the latest software. They're also proactively reaching out to high-profile campaigns to advise them on security protocol. "Are we going to get to all of them? Probably not. We’re trying to prioritize," Krikorian says.

Both he and Braun hope that Def Con will help raise awareness about election security. Dozens of local election officials are scheduled to visit the Voting Village, according to Braun, who says his team contacted thousands of election officials across the country. Braun also invited the Republican National Committee but says he received no response. The RNC didn't respond to WIRED's request for comment. Still, Braun says if the RNC wants to participate, the invitation's open. "Cybersecurity shouldn't be and isn't a political issue."
