Report Calls for Enforcing Voting Machine StandardsStudy Recommends Federal Certification Program for Vendors Providing Election Infrastructure
A new report calls for the creation of a federal certification program that make sure vendors that build election infrastructure - including voting machines - meet cybersecurity standards.
The report from the Brennan Center for Justice, a nonpartisan law and public policy institute connected to New York University Law School, recommends that Congress should have the U.S. Election Assistance Commission take on this standard-setting and enforcement role.
Vulnerable Voting Machines
Voting machines, registration databases, ballot designs, websites and other infrastructure are increasingly being developed and maintained by private companies with little federal oversight when it comes to cybersecurity, according to the study released Tuesday.
And while voting machines are voluntarily tested before an election to determine if they are functioning properly, little or no attention is paid to the security vulnerabilities in these systems, the report states. In addition, about 80 percent of all voting machines are maintained by three private companies with little to no federal oversite over how they operate, the study notes, citing an investigative report from the New York Times.
"There is almost no federal regulation of the vendors that design and maintain the systems that allow us to determine who can vote, how they vote, or how their votes are counted and reported," according to the report. "While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight."
Earlier, at this year's DEF CON Voting Village gathering in Las Vegas, researchers showed how voting machines in the U.S remain susceptible to tampering, hacking and other security vulnerabilities (see: Report: US Voting Machines Still Prone to Hacking)
Reports of Russian attempts to interfere in the 2016 presidential election and warnings about the risk of similar interference in 2020 are leading to discussions of the best way to enhance election security.
The Brennan Center report proposes giving new powers to the U.S. Election Assistance Commission, an independent, nonpartisan government body created in 2002. The commission administers grants to states related to election security and develops guidance for states and local officials to allow them to meet the requirements of the federal Help America Vote Act.
"Unfortunately, from its founding, the [Election Assistance Commission] has had a history of controversy and inaction in carrying out its core mission," according to the report. It calls for Congress to direct the commission to take on new responsibilities, such as issuing standards for election machines and other equipment.
"Most of the focus has been on election officials and what election officials can do to improve our election security, and I felt like election system vendors ... play a critical part in election security, and that role and what to do about it has largely been missing from the conversation," Lawrence Norden, one of the report's authors, told The Hill.
The Election Assistance Commission has a Technical Guidelines Development Committee, which can recommend technical guidelines for voting systems. But this committee needs to have to power to create specific requirements for voting machine vendors to certify that they have met goals for cybersecurity, disclosure of ownership and foreign control, incident reporting and supply chain integrity, the report states.
Until Congress authorizes a security certification process vendors, the commission could ask these companies to take voluntary steps to ensure better cybersecurity, the report notes.
"EAC could, without any additional legislation, issue voluntary guidance for election vendors and take many of the steps recommended in this paper as they relate to voting system vendors," according to the report.
Other Election Security Steps
In 2018, Congress approved $380 million in grants for state and local agencies to help secure their election infrastructure. The Election Assistance Commission's Inspector General announced on Nov. 1 that it would audit how that money is being used in several states, including Arkansas, Florida, Kentucky, Massachusetts, New Mexico, and West Virginia.
A group of 22 state attorneys general, mainly from Democratic-leaning states, recently demanded that Congress offer local officials more support - including grants and equipment standards - to improve election infrastructure security in the run-up to the 2020 presidential contest (see: 22 State Attorneys General Seek Election Security Help).
On Nov. 8, the Trump administration revealed new protocols for notifying the public of nation-state hacking or other interference during the 2020 presidential election cycle (see: Election Interference Notification Protocols Unveiled).