There are a lot of unusual things to do at DEF CON, the annual hacker conference that draws tens of thousands of security enthusiasts to Las Vegas in the depths of summer—you can learn to lockpick, go fed-spotting, or hack an internet-connected sex toy. But last year offered something new. Jeff Moss, the founder of DEF CON and its more enterprise-focused sister conference, Black Hat, held a political fundraiser for Hillary Clinton.
Fundraising for Clinton might’ve been standard behaviour for most of the tech industry that summer, but doing it during Black Hat and DEF CON sparked backlash. Jake Braun, the CEO of Cambridge Global and a former White House liaison to the Department of Homeland Security, addressed the tension when he co-hosted last year’s controversial Clinton event. “I realised it’s not apolitical, it’s just a non-political chimera,” he said of DEF CON.
A week before the fundraiser—the first political fundraiser at either conference, Braun said—Trump called on Russia to “find the 30,000 emails that are missing” from Clinton’s disclosures. A month earlier, the cybersecurity firm CrowdStrike had announced its investigation into a hack at the Democratic National Committee and attributed the intrusion to Russia-linked hacking groups. Wikileaks and an individual or group calling themselves Guccifer 2.0 had recently begun posting emails and documents taken from the DNC. The impact wouldn’t become clear until November, but it was obvious to the assembled hackers that their industry was being yanked into the spotlight. The year of hacking-themed stories that followed thrust cybersecurity into mainstream politics like never before. Election hacking is now an exhausted meme; Russia is synonymous not with onion domes but with network intrusion.
“This last year, it really hit,” Moss told Gizmodo. It’s not as if election hacking is a new field (Moss recalled presentations about it at DEF CON in 2013) but it feels like the world is suddenly paying attention. Donald Trump’s presidency is giving hackers an exciting, if itchy, fame. Whether you love or hate him, he’s incredible for business, the best, big league. If you’re a DEF CON attendee, your grandma has seen stories about your world on TV, maybe even a pundit with your same job title. A hacked election isn’t necessarily how you wanted your work to get notoriety, but here you are and you might as well ask for a raise.
“A lot of hackers are happy in the sense that they’re being listened to more. Their advice is considered a little bit more. There’s a sense of, ‘We’ve been saying this for so long.’ It feels good to be validated but it sucks that things haven’t changed. We’ve been warning you about it for a decade, nothing’s happened, but at least you’re paying attention,” Moss told Gizmodo.
At last year’s fundraiser, Moss seemed apathetic, even apologetic, about Clinton as a candidate. (“I’m not in the endorsement game,” he said last week.) But he was as focused then as he is now on solving the security problems in election systems.
We’ve been warning you about it for a decade, nothing’s happened, but at least you’re paying attention.
Although Moss, who’s also known as The Dark Tangent, spoke for less than ten minutes at the fundraiser, it netted him a slew of hate mail. And there may have been professional consequences, too. Moss, who’s a member of the Homeland Security Advisory Council, has been told that the fundraiser earned him a spot on the Trump administration’s blacklist. Despite his role on the advisory council, he was not sought after to consult on cybersecurity issues during the transition. But Moss isn’t backing away from the cause, and DEF CON is getting more deeply involved with election security than ever before—this year, the event will host its first Voting Machine Hacking Village.
DEF CON villages are offshoots of the main event, where attendees get to tinker with technology. At the vote-hacking village, they’ll be invited to tamper with voting hardware and software. In addition to the hackers, the village is expecting visitors from US Congress, the National Institute of Standards and Technology, the Department of Homeland Security, and voting machine vendors.
Moss hopes to discover just how easy it is to compromise a voting system. Although US states test components of their systems, Moss couldn’t find any examples of a state testing their complete voting apparatus. Most manufacturers, he explained, test voting machines for their ability to withstand humidity rather than hackers. This is worrisome, particularly at a time when Americans are suddenly obsessed with qualifying the security of their electoral systems.
“We wanted to get our hands on enough equipment to build and run a complete fake election,” Moss told Gizmodo. He’s been tracking down the machines on eBay. The software, however, has been harder to obtain. “We couldn’t get our hands on one key piece of software that acts as the backend. We have some leads on them but couldn’t get them in time for this year.”
Security experts typically outline three possible routes of attack on elections. One is the Russiagate scenario that’s trickled out in intelligence assessments and headlines over the last year—an attacker steals compromising information from the leading candidate’s campaign, perhaps mixes it with faked documents to stir up even more scandal, and then leaks that information to level the playing field. The second possibility involves breaching states’ voter rolls and removing names or otherwise altering the data to make life difficult for voters as they show up to the polls. The third option is attacking voting machines directly to manipulate the vote count.
It’s this final possibility that’s the most exciting for hackers (and most alarming to everyone else). Although US officials have repeatedly said that there’s no evidence to suggest vote tallies were altered during the 2016 election, the idea of making a direct, measurable impact on an election—even if it’s just during a practice run at a conference—is tantalising.
At the vote-hacking village, participants will get a chance to find out how much impact they could have. “If there’s enough ways of messing with it, it will keep people interested,” Moss said. Plus, hackers have a legal advantage on their side, at least for now. New exemptions to the Digital Millennium Copyright Act were added in October that open a two-year window to allow cybersecurity research on certain devices, including voting machines.
While many academics have experimented with hacking voting machines, Moss wants the village to conduct a test of a complete election system. It’s not intended as academic research, Moss says, but more of a temperature check to see just how vulnerable state systems might be. Whatever is learned at the village will hopefully be used by state officials when they’re evaluating which systems to purchase, and how to configure and maintain them.
With an audience of Congressmen and DHS officials, the village could have a substantial impact. “We can be the sane voices in the room, not, ‘The sky is falling; elections are controlled by Russia,’” Moss explained. It’s an opportunity for attendees not just to test their skills, but to educate and shape policy on an issue, turning uninformed panic into experience.
“I did not see how popular this would be,” Moss said. “The machines have been for sale on eBay for years and nobody’s done this. Or if they have, nobody’s gotten attention. I guess it’s just the context of the presidential election.”
The spectre of last year’s election is still haunting security pros. But politics don’t always sit well at DEF CON, or in the security community in general. The liberal baseline that’s assumed in Silicon Valley vanishes when you’re surrounded by information security pros in Las Vegas, and many attendees, like Moss, seem uncomfortable taking an overtly political stance. There’s a pervasive (although often untrue) belief that security comes down to simple math—there’s one and only one right answer, with no room for opinion or nuance. A system is secure or it is broken, with no grey area in between. Democracy, and the state-run election networks that come along with it, are very grey systems.
Although some hackers may be unwilling to become entangled in politics, Moss sees the intense post-election interest in his community as an opportunity. “Part of it is dark because the average consumer is starting to know enough to worry about their refrigerator spying on them, where before that was an abstract. It might’ve been happening but it wasn’t on their radar. Now they will start questioning, ‘Why is my Nest tracking when I’m home and when I’m not? Now Alexa can get my questions subpoenaed by police, do I not speak out loud at home?’ The optimist in me says, now people know to ask those questions,” he said.