2025-04-12, Track 1
In 2021, we presented at BSides Charm on the vulnerabilities plaguing state-level political party domains across the country. This year, we're back to share the evolution of that work into a non-partisan nationwide election cybersecurity initiative that discovered and shared thousands of vulnerabilities in political campaigns and party offices before the 2024 Election.
At BSides Charm 2021, we presented research uncovering vulnerabilities in state-level political party websites across the U.S. Fast forward to the 2024 elections, and cybersecurity threats didn't just escalate—they mutated. Nation-states and APT groups funneled over half a billion dollars into disrupting the U.S. democratic process, leveraging AI to supercharge their efforts. While headlines fixated on federal infrastructure, the real story lay beneath: thousands of local campaigns and party offices running on outdated tech, misconfigured servers, and vulnerable code. This massive, overlooked attack surface was ripe for exploitation by adversaries wielding cutting-edge AI techniques to craft sophisticated phishing campaigns, generate disinformation, and automate attacks.
This talk will delve into the technical journey of building a scalable, hacker-powered platform to identify and mitigate these vulnerabilities in real time for campaigns and party offices across the country. We’ll peel back the layers on how our team combined offensive security techniques, custom tooling, and automation to identify vulnerabilities associated with over 3,000 political organizations. Beyond that, we’ll share how we learned to responsibly disclose vulnerabilities to thousands of campaigns, build partnerships with industry vendors and non-profits, and navigate the chaotic world of election security. We’ll cover technical solutions that enabled large-scale breach detection and proactive defense, as well as the deeply human side of convincing overwhelmed, underfunded campaign teams to act. From the process of crafting an Election Threat Report that garnered national headlines to watching vulnerable systems transform into hardened defenses, this talk highlights the challenges, lessons, and surprising successes of protecting democracy in real time.
But this talk is meant to be more than a recounting of a research project; it’s a call to action for the hacker community. It underscores the power of curiosity, persistence, and technical ingenuity to tackle some of the most pressing societal issues. Our hope is that attendees will gain both insights into tools and strategies for large-scale security assessments and the inspiration to drive community action by demonstrating how technical skills can have an outsized impact on critical societal issues.
Andrew Schoka is a former U.S. Army Cyber Warfare Officer and is currently a graduate student at the University of Virginia. He served in a variety of offensive cyber operations assignments with the Election Security Group at U.S. Cyber Command, and later with U.S. Special Operations Command. Andrew holds a master's in cybersecurity from Georgia Tech and teaches a graduate cybersecurity course at the University of Virginia School of Engineering.
Veronica Merril earned a double major in architectural history and music from the University of Virginia. She is pursuing her JD degree at the same institution, rendering her a “super Hoo.” Through her work with Voterguard, she’s solved the age-old question, “how many engineers does it take to write a clear report?” Answer: None—there’s always an editor involved.