Alleged Russian interference in the 2016 U.S. elections challenged the integrity of election systems. In the aftermath, vendors of voting machine systems faced unprecedented public scrutiny. This relatively small industry, with an estimated $300 million in annual sales, suddenly needed to respond to public demand for more secure products.[i] One large voting-machine vendor, Election Systems & Software (ES&S), faced public pressure for open innovation of its products. Yet ES&S has resisted true open innovation, instead selectively expanding its partnerships to manage security risks. ES&S’s more “controlled open innovation” approach reflects the constraints that private companies face when working with the government on national critical infrastructure.
Public demand for ES&S to provide more transparency has resulted in unsanctioned open innovation of voting machines. In 2017, the world’s largest hacker convention, Defcon, added a new event, “Voting Village,” that gave hackers access to voting systems, including ES&S machines.[ii] Event organizers acquired these machines through third-party re-sellers without ES&S approval.[iii] Voting Village organizers believe this collaborative environment will help companies like ES&S gain important insights into security vulnerabilities. As one organizer explained, “This is about education, this is about letting more people have facts and experience.”[iv]
ES&S is understandably wary of this open innovation. Voting Village opens ES&S’s existing products to greater security risk, as potential cyber attackers could use the event to plan future attacks on voting machines. More importantly, the event is bad for ES&S business in the short term by reducing customer confidence in the security of its products. Prior to this year’s event, ES&S informed its customers that the company did not approve of Voting Village.[v] ES&S’s primary customers, state governments, share these security concerns. The National Association of Secretaries of State (NASS) recently released a statement criticizing Voting Village.[vi]
Despite its reluctance, ES&S is addressing open innovation. In the short term, the voting-machine vendor has taken a “learning from a distance” approach. Two ES&S employees attended the 2018 Voting Village in early August to “learn about any ideas for enhancements to voting security.”[vii] Several weeks later, ES&S announced the installation of new advanced threat monitoring systems and a new partnership with DHS to audit ES&S products.[viii] These new security efforts suggest the general presence of open innovation has influenced ES&S product development.
In the medium term, ES&S appears to be moving towards a “controlled open innovation” approach to product development. ES&S recently announced new partnerships with several federal government agencies and non-profit organizations, including the FBI and DHS. As ES&S President and CEO Tom Burt explains, “This multi-layer, comprehensive approach enables ES&S, together with state and local election officials and the federal government, to bring a new level of protection to U.S. elections.”[ix] The voting-machine vendor therefore appears to be controlling its open innovation with a select group of organizations.
Given that the annual Voting Village event will likely continue in future years, ES&S should try to collaborate with event organizers in exchange for greater event security. This collaboration would require buy-in from NASS as well to gain state government approval. As the executive director of NASS noted at the 2018 Voting Village event, “Anybody could break into anything if you put it in the middle of a floor and gave them unlimited access and unlimited time.”[x] Rather than criticize the current Voting Village event, ES&S and NASS should try to control this open innovation by increasing event security and simulating more realistic election threat scenarios.
ES&S also could be doing more to selectively partner with organizations that offer additional talent and resources to better innovate and secure election systems infrastructure. Proactive partnerships with for-profit cybersecurity companies like Crowdstrike could provide ES&S with endpoint security and threat intelligence from cyber experts. Collaborative “war game” exercises with state election officials could help ES&S simulate potential cyber threats to improve cyber response plans for Election Day.[xi] The voting-machine vendor should further expand its controlled open innovation to additional organizations.
The general belief that “more open innovation is better” does not apply to companies like ES&S. Events like Voting Village could expose voting machines to more sophisticated cyberattacks by malicious actors. Even if ES&S wanted to embrace fully open innovation, the company could face regulatory restrictions from state and federal government. ES&S therefore appears to be taking important steps towards open innovation within the constraints of its public-private partnerships.
ES&S offers an example of the role open innovation should play in industries working directly with the government on national critical infrastructure. Given limited demand for new innovative products, the voting-machine industry has minimal sales growth, and thus funding, to devote to new product development. Yet where many private companies would turn to open innovation under these circumstances, ES&S cannot, given the national security risk.
[i] Kim Zetter, “The Crisis of Election Security,” The New York Times, September 26, 2018, sec. Magazine, https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html.
[ii] Lily Hay Newman, “To Fix Voting Machines, Hackers Tear Them Apart,” Wired, August 1, 2017, https://www.wired.com/story/voting-machine-hacks-defcon/.
[iii] Kim Zetter, “In Advance of the @VotingVillageDC Tomorrow, ES&S Sent a Message to Customers Today with Their Comments about the Hacking Village and the Security of Their Machines. I’ve Pasted Their Memo below, with Some Annotation from Me.Pic.Twitter.Com/6eQUYuuGJA,” Tweet, @KimZetter (blog), August 9, 2018, https://twitter.com/KimZetter/status/1027725965282050048.
[iv] Newman, “To Fix Voting Machines, Hackers Tear Them Apart.”
[v] Robert McMillan and Dustin Volz, “Tensions Flare as Hackers Root Out Flaws in Voting Machines,” Wall Street Journal, August 12, 2018, sec. Tech, https://www.wsj.com/articles/tensions-flare-as-hackers-root-out-flaws-in-voting-machines-1534078801.
[vi] “Analysis | The Cybersecurity 202: State Officials Bristle as Researchers — and Kids — at Def Con Simulate Election Hacks,” Washington Post, accessed November 12, 2018, https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/08/13/the-cybersecurity-202-state-officials-bristle-as-researchers-and-kids-at-def-con-simulate-election-hacks/5b704ff11b326b02079560ae/.
[vii] McMillan and Volz, “Tensions Flare as Hackers Root Out Flaws in Voting Machines.”
[viii] “ES&S Establishes Top-Level Partnerships and Albert Installation to Further Security | Election Systems & Software,” accessed November 12, 2018, https://www.essvote.com/blog/127/.
[ix] “ES&S Bolsters Security for 2018 Mid-Term Elections | Election Systems & Software,” accessed November 12, 2018, https://www.essvote.com/blog/135/.
[x] McMillan and Volz, “Tensions Flare as Hackers Root Out Flaws in Voting Machines.”
[xi] Benjamin Wofford, “The Hacking Threat to the Midterms Is Huge. And Technology Won’t Protect Us.,” Vox, October 25, 2018, https://www.vox.com/2018/10/25/18001684/2018-midterms-hacked-russia-election-security-voting.