Election hackers return to DEF CON as states look to Congress to fund solution

The hacker conference DEF CON launched its second annual election hacking extravaganza on Friday after last year's conference led cybersecurity enthusiasts to discover several security flaws in election equipment and are poised to do the same thing again this year.

The big picture: One secretary of state argued at the event that the problem may be less about rediscovering how unsecure machines are, and more about getting the funding to do anything about it.

What they're saying: "We spend $700 billion for defense," California Secretary of State Alex Padilla told Axios. "Last week, the White House said that election security was a national security issue. For less than 1 tenth of 1%, Congress could make a world of difference."

The event: Padilla was one of several high profile attendees at this year's conference. He and Homeland Security Assistant Secretary for the Office of Cybersecurity and Communication Jeanette Manfra both spoke at the event and several Homeland Security cybersecurity experts participated in the hacking.

The background: Congress fronted $380 million for new election systems earlier this year — but that money came from a fund started more than a decade ago.

• "The money Congress appropriated last month isn’t cybersecurity money, it’s still hanging chad money," said Padilla, who would later echo the remarks at a panel. "We need cybersecurity money."
• Padilla noted that the changing cybersecurity landscape requires continually updated systems and replacing equipment. The one-time Congressional gift would not be enough for every state to make necessary repairs, let alone keep systems secure on any long-term basis.

State officials worry the hacking event will be misconstrued. The speed and thoroughness with which hackers tunneled into voting machines and a poll book last year received widespread press coverage.

• On Thursday, the National Association of Secretaries of State said it supported the hacking event this year, but wanted to be clear the hacking did not accurately represent real world conditions.

"Providing conference attendees with unlimited physical access to voting machines...does not replicate accurate physical and cyber protections established by state and local governments. "

Hacking voting machines often needs to be done with physical access to each machine. Following proper security hygiene guidelines, including limiting access to machines, minimizes those threats.

• Still, the DEF CON event is very useful, argue Manfra and Padilla. "I'd rather learn what to defend against here than from a hacker," said Padilla.