Sep 14 2020

Ohio Invites Ethical Hackers to Target Its Election Systems

The Buckeye State is aiming to find vulnerabilities in its election websites ahead of November.

Ohio Secretary of State Frank LaRose knows how important election cybersecurity is. Earlier this year, he told StateTech that his goal is to have Ohio “set the tone for the rest of the nation.” He’s doing that by inviting ethical hackers to find vulnerabilities in its election systems.

In August, LaRose’s office announced a new “vulnerability disclosure policy,” encouraging hackers and researchers to probe the state’s IT systems for vulnerabilities.

As StateScoop reports, it is the first such policy created by any statewide election authority.

The guidelines advise hackers not to compromise or exfiltrate data or cause damage to systems, and to make every effort to “avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data during security testing.”

LaRose says the policy is aimed at giving the state insight from “good guy hackers” who can help it make fixes. “They spend their time looking for vulnerabilities,” he said in August, according to local station WKSU. “But the whole point of the vulnerability disclosure agreement is, we’re saying, ‘Hey, if you find a hole and tell us about it, we’re not going to sue you.’”

Some of the website domains that are part of the program are integral to Ohio’s election systems, including ohiosecretaryofstate.gov, ohiosos.gov, sos.state.oh.us and vote.ohio.gov.

Signs of a Mature Election Security Strategy

Ohio’s policy has won praise from both private sector and public sector cybersecurity leaders.

Matt Olney, a director at Talos, Cisco’s threat intelligence division, said it indicated how far some states had come in enhancing election security. “The vulnerability disclosure policy invites the best and brightest,” Olney said at an event in Ohio with LaRose in August, according to StateScoop.

Matt Masterson, a senior adviser on election cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, also praised Ohio’s stance.

“Ohio really is ahead of the curve on this,” Masterson said at the same event, according to local station WCPO. “They’re already taking proactive steps.”

DHS receives daily risk intelligence from all 50 states about election security threats and sees Ohio as a unique partner. “Now you get the benefit of the incredible cybersecurity researchers across this country,” Masterson said, according to WCPO. “You’ve given them permission to and an ability to work with you to identify those holes in your outer perimeter.”

The white-hat hacker policy applies to websites and not to voting machines, electronic poll books, remote ballot markers or county voter registration systems. It also does not permit phishing attacks, defacement, denial of service or DNS spoofing.

Of course, Ohio has been busy putting in place other election security measures ahead of November. The state has deployed endpoint detection and response software and “required counties to develop contingency plans for any incident that disrupts the voting process,” StateScoop reports.

“The bad guys only have to be right once,” LaRose said, according to StateScoop. “We have to be right every day.”
