How security researchers should view the Voting Systems Act (Includes interview) – Digital Journal

The legislation is a bill first introduced in 2019, and one that is now appearing on Donald Trump’s desk for sign-off. What will the change mean for those engaged in ‘ethical hacking’ as opposed to criminal hacking?

Looking at the issue for Digital Journal is Casey Ellis, Chief Technology Officer at Bugcrowd. According to Ellis, this legislation, while preventing rogue states from interfering in the election, would also criminalize the ethical hacking performed by security researchers.

An ethical hacker is a person who examines the security of computer systems by looking for weaknesses and vulnerabilities in target systems. The activity uses the same knowledge and tools as a malicious hacker; however, this is conducted in a lawful and legitimate manner to assess the security posture of a target system.

Ellis sees the Act as heading in the wrong direction, noting that: “By enacting the Act, the U.S. government is seeking to deter adversaries from meddling with the voting process. However, the biggest impact is potentially criminalizing the actions of ethical hackers conducting security research to help secure the election process.”

He adds that the new law will be counter-productive: “If security researchers are unable to discover vulnerabilities in voting systems, then malicious hackers will have an open area to exploit other vulnerabilities within voting systems.”

There are more factors to consider, according to Ellis: “Another question that remains is whether this new bill will now make ethical security research of second hand voting equipment illegal by putting these machines into the protected computer class?”

In terms of the next steps in the process, Ellis observes that: “As the legislation now awaits the President’s signature for final approval, it would be remiss of cybersecurity industry leaders to ignore the fact that this legislation is a step in the wrong direction”.

Further to the legislative agenda, Ellis notes that: “The Computer Fraud and Abuse Act also prevents security researchers from doing their job. Every time it is broadened, ethical hackers are the ones most affected.”

There are also wider lessons for the industry to make note of, which Ellis summarizes: “As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet.”

