“We are looking forward to expanding our Vulnerability Disclosure Program, further leveraging the expertise of independent researchers to help us find and address potential issues. We appreciate the researchers’ efforts, and we look forward to even more collaboration and greater protections for America’s elections.” – Chris Wlaschin, ES&S Vice President of Security
ES&S Details Voting Security Work with Synack, Independent Researchers
In its first presentation at Black Hat, ES&S affirmed its commitment to working with third-party security researchers to strengthen the nation’s voting infrastructure.
OMAHA, Nebr. – August 5, 2020 – Election Systems & Software (ES&S), the nation’s leading voting systems manufacturer, today discussed additional steps it is taking to strengthen election security, including greater involvement with America’s best independent security researchers.
During a talk at Black Hat USA 2020 Virtual, ES&S Vice President of Security and Chief Information Security Officer Chris Wlaschin stressed that an open and collaborative relationship with independent researchers is integral to its work to help states and localities carry out the safest and most secure elections possible.
Wlaschin discussed ES&S’s ongoing Vulnerability Disclosure Program, welcoming intelligence from researchers working to help improve the security of voting systems.
“We are looking forward to expanding our Vulnerability Disclosure Program, further leveraging the expertise of independent researchers to help us find and address potential issues,” said Wlaschin, who helped establish the program more than 18 months ago. “We appreciate the researchers’ efforts, and we look forward to even more collaboration and greater protections for America’s elections.”
In the briefing alongside Dr. Mark Kuhr, co-founder and Chief Technology Officer of Synack, the most trusted crowdsourced security platform, Wlaschin shared examples of independent researchers’ work, and remedies in place, through ES&S’s vulnerability disclosure program.
One such vulnerability Wlaschin addressed was discovered in January 2020 by researcher Jack Cable. A member of the Synack Red Team network of ethical hackers and a noted election security researcher, Cable discovered a vulnerability that could have allowed intruders to compromise the ES&S corporate VPN. No sensitive files were at risk, but reporting the vulnerability allowed ES&S to further strengthen its internal systems.
“I am glad to see election vendors launch vulnerability disclosure policies in order to enable smooth disclosures, such as in the case of the flaw I uncovered,” said Cable. “Such engagement will build crucial relationships between election vendors and the security community and aid in securing the 2020 election and beyond.”
In addition to reaffirming its commitment to working with outside security researchers, ES&S announced that it will be working with Synack to conduct penetration testing of its newest electronic poll book via Synack’s crowdsourced penetration testing platform.
More than 1,500 ethical hackers make up the Synack Red Team, a powerful collective force that has tested election security and national security assets as well as critical applications for other federal agencies, global banks and helps protect over $1 trillion in Fortune 500 revenue.
“Independent security researchers have played a pivotal role in securing elections and the ability to work more closely with companies such as ES&S will only improve efforts to safeguard U.S. democracy,” said Kuhr. “We hope others follow the lead of ES&S and the state of Colorado, who we are also working with, to open doors to security researchers such as the Synack Red Team, our community of ethical hackers, who can quickly help them find and fix dangerous vulnerabilities in voting machines, election systems and voter registration databases — all of which can be manipulated to derail the democratic process.”
In 2018, Synack launched its Secure the Election Campaign to help states and localities harness the power of ethical hackers to protect their election equipment and systems. Since then, Synack has worked with a number of states in an advisory capacity and in July announced that it is officially partnering with Colorado to help protect key election systems in that state ahead of the 2020 election.
“The State of Colorado considers pen testing, and Synack’s crowdsourced pen testing specifically, as a crucial part of a cybersecurity program,” said Trevor Timmons, the CIO of the State of Colorado Secretary of State.
Additionally, Synack is working with the Defense Advanced Research Agency (DARPA) on a bug bounty program to test hardware defenses in development on its System Security Integration Through Hardware and Firmware (SSITH) program. That initiative is an effort on the part of DARPA and its partners to remedy hardware vulnerabilities at the source. DARPA, the Department of Defense’s Defense Digital Service, and Synack launched the Finding Exploits to Thwart Tampering (FETT) Bug Bounty in July. Eventually, SSITH advancements could be used to prevent intrusions into a myriad of electronic systems, including election systems.
ABOUT Synack: Synack is the most trusted crowdsourced security platform on the market continuously protecting organizations with unparalleled ethical hacker talent and proprietary scanning technology. More than 1,500 of the world’s best security researchers from 82 countries are part of the Synack Red Team community that hunts for critical vulnerabilities. Their smarts combined with Synack’s powerful software safeguards leading global banks, federal agencies, DoD sensitive assets, and close to $1 trillion in Global 2000 revenue. A 4-time CNBC Disruptor 50 company, Synack was founded in 2013 by former NSA security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO. The company is located in Silicon Valley with regional offices around the world. For more information, please visit www.synack.com.