We're about to get hacked – on purpose. The Ohio Secretary of State’s Office is allowing cybersecurity researchers to probe for weak spots in the state’s election computer systems.
The “vulnerability disclosure policy,” announced this month, invites experts to search Ohio’s election IT systems for flaws, as long as they don’t take sensitive data or cause damage.
The policy allows the state to work together with “good guy hackers,” Republican Secretary of State Frank LaRose said at a Thursday morning task force meeting on election preparations.
“They spend their time looking for vulnerabilities,” he said. “But the whole point of the vulnerability disclosure agreement is, we’re saying, ‘Hey, if you find a hole and tell us about it, we’re not going to sue you.’”
Researchers must notify the state about what they discover and cannot publish any findings for 120 days, giving the state time to fix the problems. Voting machines, poll books, ballot markers and county voter registration systems are off limits, according to the policy.
The U.S. Department of Homeland Security declared election systems to be “critical infrastructure” in the wake of the Russian-linked hacking of Democratic Committee emails in 2016. That same year, hackers connected to Russia briefly searched for weaknesses in Ohio’s election infrastructure, the secretary of state’s office learned in 2017.
With federal help, Ohio has tried to tighten information technology security at the state’s 88 county election boards over the past two years. This year, the state is giving boards $40,000 each in federal grant money to strengthen cybersecurity.
County boards of elections have joined a DHS-supported initiative to share news about potential cyber threats. The federal government also scans boards’ systems for holes and helps employees learn to spot phishing emails.
This new vulnerability disclosure policy will help Ohio expand on those efforts, according to DHS cybersecurity advisor Matt Masterson.
“Now you get the benefit of the incredible cybersecurity researchers across this country,” Masterson, a former Ohio election official, told the task force. “You’ve given them permission and an ability to work with you to identify those holes in your outer perimeter, those vulnerabilities, and then work with them to patch them.”
Late last year, DHS released draft guidelines instructing federal agencies to develop vulnerability disclosure policies.