The Cyber-Security 202: Def Con Hackers Couldn't Crack a Mock Voter Database

"Def Con hackers easily burst into voting machines." "An 11-year-old changed election results on a Florida state website in under 10 minutes." "Hacking the US midterms? It's child's play."

Those were some of the headlines from this year's Def Con computer security conference in Las Vegas, where youth and adult hackers had little trouble rooting out flaws in voting equipment and cracking into mock state election websites. But there was one exercise that stumped them: They couldn't seem to break into a replica of a heavily protected voter registration database.

They tried all weekend to hack the database, which was modelled after a real Ohio county's and bolstered with extra layers of digital defences. One got close, but nobody was able to manipulate the voter information inside.

Cyber-attacks on voter registration databases have been a major concern for state election officials since the run-up to the 2016 election, in which officials say Russian government hackers broke into an Illinois database and stole records on hundreds of thousands of voters. So the fact that hackers at Def Con's Voting Village couldn't change anything in the mock database should bring them some relief -- showing that with the proper defences, this is no easy task.

And yet, to make it a challenge for the highly skilled security researchers who gathered for the conference, organisers had to fortify the site with additional security features that made it much harder to penetrate. In this sense, the exercise also offers an example of the steps state officials should consider to safeguard their networks against top-notch hackers.

"I'd rather have the people in this room do this than go through it on Election Day," Amber McReynolds, Denver's director of elections, told me alongside the Voting Village. "It's better to identify these vulnerabilities up front."

Dozens of other state and local election workers stopped by the demonstration at the Caesars Palace Hotel over the weekend, according to Jake Braun, organiser of the Voting Village and a former White House liaison to the Department of Homeland Security. That was a big increase over last year, he told me. "There's a lot to learn from these hackers. This isn't out of reach for local election officials to do," Braun said. "The whole point is that they should be part of it."

To create the mock database, Voting Village organisers downloaded a publicly available list of voters from the Ohio secretary of state's website. They then worked with officials from Cook County, Illinois, who helped them create a realistic replica of a county computer network. They uploaded the database there and secured it behind layers of firewalls set up by Bash Kazi, a cybersecurity contractor who consulted on the project.

Hackers were invited to try to gain enough access to change voter information. If this were to happen in the real world on Election Day, it could cause long delays and create confusion at the polls. And the risks are well known: The Senate Intelligence Committee found that Russian hackers were in a position to "alter or delete" voter registration data in a "small number" of states when they intruded on election websites in 2016.

Kazi, who runs the firm KIG, which specialises in cybersecurity simulation training, said he hoped the exercise would help election administrators understand the threats. "The idea is to bring attention to the need to train local officials in the vulnerabilities that exist and the types of scenarios they'll be encountering," Kazi told me. He said the system he helped set up was "one of the more sophisticated networks relative to other small counties, which haven't spent much money mitigating the risks that they have."

Kazi watched as different hackers tried their luck throughout the day Friday. "After six and a half hours, no cigar," he told me when I stopped by at the end of the afternoon. They didn't fare any better the rest of the weekend.

© The Washington Post 2018