Building a Vulnerability Disclosure Program that Works for Election Vendors and Hackers

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 1:30 p.m. (40 minutes)

Election vendors are an integral part of American democracy. Because voting machines and the companies that manufacture them are so vital to our nation, their security practices and protections are under intense scrutiny, especially since the 2016 presidential election when Russian hackers attempted to disrupt American elections. This talk will explore the perspectives of voting vendors as well as security researchers.

Ensuring that critical vulnerabilities are found and fixed is a complicated and sensitive process, and one that urgently requires a comprehensive solution. There are challenges such as privacy, communication, the certification processes, and remediation. The voting industry and the security researchers who are examining their products need a Vulnerability Disclosure Program so both communities can effectively work together to fix problems in election systems and ultimately make America's democracy stronger and more resilient.

The companies that make voting equipment and election systems are innovating to improve security and looking for new ways to harden their systems against attacks. This presentation will explore those efforts as well as examine new models for researcher and election vendor collaboration, including Coordinated Vulnerability Disclosure (CVD) programs, collaboration at the Voting Village at DEF CON and similar efforts, and Crowdsourced Penetration Testing. It will also look at ideas for improving the relationship between researchers and voting vendors. Additionally, the election industry has many lessons to share that leaders across the manufacturing space can learn from to better protect their own critical assets, information and customer base.

Presenters:

  • Mark Kuhr - CTO, Synack
    Dr. Kuhr co-founded Synack after focusing over nine years on cyber security in academia and the defense industry. Most recently, at the National Security Agency (NSA), Dr. Kuhr worked in roles that include Technical Director, Computer Network Operations Operator, Network Analyst, and Computer Scientist.

    Dr. Kuhr received a Ph.D. in Computer Science from Auburn University under a DoD/NSA-sponsored fellowship. He has published several papers on enterprise cyber security and performed research under DoD contracts related to information security, network analysis, and jam-resistant network communication protocols. Dr. Kuhr holds a number of security-related certifications from CNSS and ISC(2).
  • Chris Wlaschin - VP, Systems Security and CISO, ES&S
    Chris joined ES&S as the Vice President of Systems Security and Chief Information Security Officer (CISO) in April 2018. In this role he is responsible for company-wide security efforts including product, operational and infrastructure security.

    Prior to joining ES&S, Chris was the Chief Information Security Officer for the Department of Health and Human Services in Washington D.C., where he oversaw cybersecurity efforts for the Department. He has held other senior cybersecurity leadership positions in both the public and private sector, including the Department of Defense, Department of Veterans Affairs, National Research Corporation, and the University of Nebraska.

    Chris served with the United States Navy for over 20 years in a variety of leadership positions. He earned his master's degree from Northern Illinois University and a Bachelor of Science in Technology Education from Southern Illinois University. He also holds a current CISSP (Certified Information Systems Security Professional) certification.

    Chris is the past Chair of the Election Industry Subsector Coordinating Council (EI-SCC) and a Federal Advisory Board Member for the Dell/EMC Corporation.