How DEF CON’s election hackers are trying to protect themselves
Every August at a conference hall in Las Vegas, long lines of computer hackers armed with USB sticks, screwdrivers or their bare fingernails try breaking into election equipment — all in the hope of finding better ways to protect it.
But organizers of the event at this year’s DEF CON hacker convention — which ends Sunday — spent just as much time focusing on the physical safety of the security researchers hacking into machines as they did on the hardware. Since former President Donald Trump’s campaign to overturn the 2020 election, the researchers who scour election equipment for vulnerabilities have increasingly been targets of threats and harassment.
So the organizers of the conference’s “Voting Village” hacking event enlisted undercover security consultants, moved the event to a side room where they could more closely monitor who went in and out and briefed their nearly two dozen volunteers on what to do if any agitators showed up.
The measures offer a small window into an increasingly regular feature of America’s voting security landscape. The rise in disinformation-fueled threats is forcing election administrators, poll workers and security researchers to think more deeply about physical safety, and take a host of new precautions to do their job.
At last year’s DEF CON, a pair of minor but troubling incidents involving election conspiracy theorists set off alarm bells for said Catherine Terranova, one of the two organizers of the Voting Village.
“The day after DEF CON ended last year, I started pouring all of my time and energy into figuring out how to secure this village,” Terranova said. “I said to myself, ‘we are never doing this like this again.’”
It’s an issue government election security officials are thinking about as well.
“Any threat of violence against an election official, poll worker, or anyone else working to safeguard our democracy is completely unacceptable. These folks are members of our communities, and dedicated public servants,” CISA Director Jen Easterly said in a statement.
The Voting Village is a small part of the enormous DEF CON conference, which draws almost 30,000 hackers annually. It started in the aftermath of the 2016 presidential election, when Russian military and intelligence services sought to undermine the contest through a combination of hacking and disinformation.
Since then, the threats facing the country’s election systems have ratcheted up significantly. Trump’s accusations of widespread fraud in the aftermath of the 2020 election have fueled a raft of right-wing conspiracy theories and, with them, a surge in targeted harassment and intimidation against election workers.
Two election workers from Georgia are now suing Trump ally Rudy Giuliani for defamation, after they became the target of debunked accusations of voter fraud spread by allies of the former president.
Overall, according to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77 percent said those threats had increased in recent years.
No people had reported being harmed or harassed by late Saturday at of the Voting Village. But for the two organizers of it, the concerns around physical security are not abstract.
The other co-organizer, election security researcher Harri Hursti, said he has been receiving death threats for his work since before 2016. Those kicked up significantly in late 2021, however, after Hursti and a team of auditors disproved allegations of fraud in a controversial New Hampshire recount.
Though Hursti’s audit did not swing the outcome of the vote, it brought him into the crosshairs of allies of Trump, who cited the now-dismissed recount as evidence of “massive election fraud.”
“Because our work didn't fit into the false narrative that this was a statewide issue, it caused people to be very angry,” said Hursti.
At the DEF CON conference in 2022, individuals working for the right-wing media outlet One American News showed up at the Voting Village and began aggressively approaching individuals in the room with cameras.
Because DEF CON rules stipulate that you must ask individuals for permission before taking their photo, the conference’s volunteer security staff later escorted the OAN reporters from the property and banned them from the conference.
Also last year, a trio of individuals apparently bent on promoting election denialism showed up at the event and harassed some of the Voting Village’s speakers. They even followed one of them to the airport, per Hursti and Terranova.
One of the biggest changes Terranova said she made was moving the Voting Village to its own room. Previously, the event had shared a large auditorium with several other DEF CON events — an arrangement that made it impossible to see who was coming and going through the village, she said.
Three months before this year’s conference, she also enlisted two pro-bono consultants with a background in counter-terrorism to build and implement a physical and digital security roadmap.
DEF CON has a separate security staff, also volunteer, while Caesar’s Forum, where this year’s conference is being hosted, provides armed guards. But neither is big enough to offer round-the-clock support inside the 6,000-square-foot ballroom the Voting Village occupies.
Together with Terranova and Hursti, the two consultants spent months studying the new layout of the Voting Village to optimize safety, implemented more rigorous vetting procedures for their 25 volunteers and several dozen speakers, and drafted a digital security manual for staff.
During the conference, the two consultants also roamed the Voting Village undercover. At the last minute, they were joined by a third security volunteer, who was a friend of Hursti’s.
“This is something we've been working really hard on for almost a year, and we didn’t want to take any chances,” Terranova said.
Terranova said she is planning to put together white paper about the voting village’s experience. The hope is that the findings would be valuable not just in terms of physical safety: it could also aid cybersecurity and election integrity efforts, since many ways to hack voting systems require physical access to those devices.
Election vendors “always say that hacking is not possible because there's physical security at the election,” said Hursti. “But that's such bullshit.”
Pro-Trump activists in Mesa County, Colorado, and Coffee County, Georgia, helped unauthorized personnel access voting equipment, highlighting the growing risks of insider threats.
And election equipment is sometimes stored or transported in haphazard ways, as the Coffee County incident exposed. Hursti once even purchased a ballot-marking device made by Dominion Voting Systems off of EBay.
“We can walk and chew gum at the same time,” said Michael Moore, the chief information security office for the Arizona secretary of state. “We can maintain physical security and patch things too.”
Moore, who spoke at the Voting Village this year, struck an optimistic note overall about election workers’ ability to balance physical and digital challenges. But he acknowledged that the former are accelerating rapidly.
Maricopa County, in Arizona, processed 336 discrete threat events last year, said Moore, previously the information security officer in the county. The secretary of state’s office, meanwhile, counted 66 such events during the last two months of 2022, when it first started recording that data.
John Odum, a city clerk in Montpelier, Vermont, said that though the worst he’s ever got is “a bad phone call,” he has recently started to see the first hints of election denialism in the Vermont capital.
A local group of voters conducted an independent recount there in 2020, said Odum, who has overseen elections in Montpelier for roughly a decade. And in 2022, there were the first reports of voter intimidation at small polling places in the area.
“If this wave of violence is coming to this little corner of Vermont, then I shudder to think what it’s going to look like in some of the flashpoints in this country,” said Odum.
CORRECTION: A previous version of this story misspelled John Odum's name.
