
Ohio invites hackers to try to break into voting websites


CINCINNATI — Ohio's chief elections officer has invited hackers to break into the state’s voting websites. It’s all about testing the sites’ protection, officials say.

The state calls it a Vulnerability Disclosure Policy. Only Ohio has one, and Ohio Secretary of State Frank LaRose thinks it makes voting safer.

LaRose discussed the plan at the latest November task force meeting, where he made his offer to hackers.

"If you find a hole and tell us about it, we're not going to sue you,” LaRose said at the meeting.

But he’s not letting foxes in the henhouse either.

"These are white-hat hackers," LaRose said.

White-hat hackers are routinely hired by private companies to find and help patch holes in cybersecurity, and they have been invited to scan nine state government sites including VoteOhio.gov and ohiosos.gov, the secretary of state’s own page.

The white-hat hackers play a unique role in Ohio election security, according to the U.S. Department of Homeland Security.

"Ohio really is ahead of the curve on this,” said Matt Masterson, DHS senior cybersecurity adviser. “They’re already taking proactive steps.”

The DHS information sharing and analysis center gets daily risk intelligence from all 50 states and sees no better partner than Ohio and its one-of-a-kind vulnerability disclosure policy.

"Now you get the benefit of the incredible cybersecurity researchers across this country,” Masterson said. “You've given them permission to and an ability to work with you to identify those holes in your outer perimeter.”

To be clear, the white-hat hackers don’t have free rein.

Voting machines, electronic pollbooks, ballot markers and county voter registration systems are off limits, and so are phishing, spoofing, defacement and anything that could do damage.

And if hackers should find Social Security numbers, credit card or bank account numbers, Ohio's policy asks them to immediately stop and tell authorities.

They are also supposed to keep quiet about any problems they find for the 120-day window LaRose's staff set aside to fix the bugs.

The feds and law enforcement could see these reports, but Ohio's policy promises no legal action, no lawsuits and anonymity.

LaRose is letting hackers use pseudonyms and throw-away email accounts to protect their identities.

“If you think of hackers as Jedi and Sith, I'm definitely on the good-guy side,” said Jeremiah Grossman, a white-hat hacker for 20 years.

Grossman had only just heard of Ohio's program, but he sees no advantage in it for bad-guy hackers, who, if interested, would barge in anyway.

"There's lots of people out there, myself included, who wouldn't mind testing the security of a system that we might have interest in,” said Grossman. “If we find a vulnerability, we would just, like, as good Samaritans, want to be able to report it to the right people so it can be fixed."

Critics say the difference between good and bad hackers is as thin as the double-yellow lines on the road. They wonder about the timing of Ohio's move and how the state plans to handle hackers who abuse access.