LaRose says invitation to hackers will set new election security standard; expert says it's risky

Posted at 6:39 PM, Aug 26, 2020, and last updated 2020-09-14 12:02:20-04

Ohio Secretary of State Frank LaRose began worrying about the 2020 election on New Year’s Day, he told WCPO in an exclusive interview. That was the day his team recorded the year’s first targeted attacks on online election security.

The approach he’s chosen to address the problem is common in private industry, but a first for a state election system: Get ahead of outside hackers by recruiting your own.

“Bad news doesn’t get better with time,” LaRose said. “We need to know about any vulnerabilities that do exist.”


His first-of-its-kind Vulnerability Disclosure Policy invites Ohio’s crop of “white-hat” hackers — the good guys, opposite malevolent “black-hat” hackers — to break into the state’s election system, find bugs and report them so officials can ensure they’re fixed by Election Day.

There are some strings attached: White hats aren’t allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they’re expected to report it.

It’s a risky play, corporate cybersecurity advisor Morgan Wright said.

“It will be interesting to see,” said Wright, who has trained with the Federal Bureau of Investigation and National Security Agency. “There is a reason why Ohio is maybe the first state that’s doing it. There may be a reason a lot of other states haven’t done it, and I would look at it and say, ‘Hey, we’re within 90 days of the election. That’s kind of a touchy time to start touching systems and doing things.’”

LaRose has confidence in it. He might even make it a formal competition, he said.

“I told my team from the very beginning that we want to set the standard for the rest of the nation to follow, and I believe that's what we're doing here,” he said.

The federal government uses this strategy, too, offering “bug bounties” for hackers who help secure Pentagon servers. Although Ohio currently offers no prize for the good deed of shoring up its election security, professional hacker Jeremiah Grossman said he doesn’t think the state will have trouble with participation.

“People will do it for free,” he said. “I’ve done it for free many, many times and been offered the reward money, and I said, ‘You know what, just give it to charity or something.’”