The private vendors that manufacture voting equipment and build and maintain voter registration databases lack federal oversight despite the critical role they play in U.S. elections, leaving America’s election infrastructure vulnerable to attack, according to a new report.
The report, published by the Brennan Center for Justice (BJC), calls on Congress to establish a framework for federal certification of election vendors. The BJC notes that this could be developed as a voluntary program, similar to how voting machines are certified, with incentives for state and local election officials to contract with vendors that participate in the process. It would include the establishment of federal guidelines and the ability for federal officials to monitor compliance and respond to any violations.
According to the report:
More than 80 percent of voting systems in use today are under the purview of three vendors. A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country.
Other systems that are essential for free and fair elections, such as voter registration databases and electronic pollbooks, are also supplied and serviced by private companies. Yet these vendors, unlike those in other sectors that the federal government has designated as critical infrastructure, receive little or no federal review. This leaves American elections vulnerable to attack. To address this, the Brennan Center for Justice proposes a new framework for oversight that includes the following:
- Independent oversight. A new federal certification program should be empowered to issue standards and enforce vendors’ compliance. The Election Assistance Commission (EAC) is the most logical agency to take on the role. Unfortunately, from its founding, the EAC has had a history of controversy and inaction in carrying out its core mission. In this paper, we assume that the EAC would be charged with overseeing the new program, and we make a number of recommendations for strengthening the agency so that it could take on these additional responsibilities. Whichever agency takes on this role must be structured to be independent of partisan political manipulation, fully staffed with leaders who recognize the importance of vendor oversight, and supported by enough competent professionals and experts to do the job.
- Issuance of vendor best practices. Congress should reconstitute the EAC’s Technical Guidelines Development Committee (TGDC) to include members with more cybersecurity expertise and empower it to issue best practices for election vendors. (The TGDC already recommends technical guidelines for voting systems.) At the very least, these best practices should encourage election vendors to attest that their conduct meets certain standards concerning cybersecurity, personnel, disclosure of ownership and foreign control, incident reporting, and supply chain integrity. Given the EAC’s past failures to act on the TGDC’s recommendations in a timely manner, we recommend providing a deadline for action. If the EAC does not meet that deadline, the guidelines should automatically go into effect.
- Vendor certification. To provide vendors a sufficient incentive to comply with best practices, Congress should expand the EAC’s existing voluntary certification and registration power to include election vendors and their various products. This expanded authority would complement, and not replace, the current voluntary federal certification of voting systems, on which ballots are cast and counted. Certification should be administered by the EAC’s existing Testing and Certification Division, which would require additional personnel.
- Ongoing review. In its expanded oversight role, the EAC should task its Testing and Certification Division with assessing vendors’ ongoing compliance with certification standards. The division should continually monitor vendors’ quality and configuration management practices, manufacturing and software development processes, and security postures through site visits, penetration testing, and cybersecurity audits performed by certified independent third parties. All certified vendors should be required to report any changes to the information provided during initial certification, as well as any cybersecurity incidents, to the EAC and all other relevant agencies.
- Enforcement of guidelines. There must be a clear protocol for addressing violations of federal guidelines by election vendors.
The report notes that congressional inaction has intensified the pressure on state and local election officials to secure their voting systems and have measures in place to respond to a potential security breach. Although Congress sent $380 million to states last year for election security, the report says it was a “drop in the bucket” of what is needed as state and local election officials look to procure new voting systems, cybersecurity personnel, and additional security upgrades.
Federal officials have warned that Russia remains interested in disrupting elections after a multipronged effort to interfere in 2016. Although the United States Department of Homeland Security notified Maryland that it was one of 21 states with suspicious online activities before the election, there’s no evidence that Maryland’s election systems or voter data were breached or compromised.
The Maryland State Board of Elections (SBE) will spend about $7.4 million to improve election security by upgrading its systems and software in time for elections in 2020. SBE has also earmarked $1 million for upgrading voter registration equipment and software and $1.5 million for cybersecurity upgrades and training for election security personnel.
Because counties administer and fund elections at the local level, overseeing polling places and coordinating poll workers every two years, MACo has partnered with the SBE and local boards of elections to maintain the integrity of state and local election systems and data. This collaborative effort will promote best practices and information sharing to protect the methods and data we use to conduct elections.