Voting Machines Must Be Test Hacked for Certification, Under Proposed Bill


The new law would require cybersecurity penetration testing as part of voting systems’ approval process.

After cyber threats from foreign actors cast a shadow on the 2022 elections, lawmakers introduced bipartisan legislation on Wednesday to fortify the nation’s election infrastructure cybersecurity and improve voter confidence by requiring penetration testing as part of voting machine certification, according to an announcement.

Sens. Mark Warner, D-Va., and Susan Collins, R-Maine, introduced the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing—or SECURE IT—Act, which orders the Election Assistance Commission to mandate that systems looking for certification undergo penetration testing to allow researchers to search for vulnerabilities and simulate cyber attacks.

“The SECURE IT Act would allow researchers to step into the shoes of cybercriminals and uncover vulnerabilities and weaknesses that might not be found otherwise,” Warner said. “As foreign and domestic adversaries continue to target U.S. democracy, I’m proud to introduce legislation to harness a critical cybersecurity practice that will help safeguard our elections infrastructure.”  

Existing regulations under the Help America Vote Act require the Commission to provide for testing and certification, decertification and recertification of voting systems—including hardware and software—by accredited laboratories, but this does not specifically require penetration testing.

“This bipartisan legislation will strengthen the integrity of our election process by ensuring that voting systems are safe and secure,” Collins said. “It will help protect and bolster public confidence in our elections.”

The SECURE IT Act would have EAC and the National Institute of Standards and Technology accredit entities to perform the penetration testing. EAC must also establish a voluntary Coordinated Vulnerability Disclosure Program for election systems where researchers would obtain access to voting systems from the manufacturer to discover and disclose vulnerabilities to the company and EAC. After 180 days, the vulnerability will be added to the Common Vulnerabilities and Exposures database.

“This bill will allow independent election system researchers like myself to contribute more fully to … maintaining public confidence in our elections,” Juan E. Gilbert, chair of the Computer and Information Science and Engineering Department at the University of Florida, said in the press release. “The SECURE IT Act will create a space where researchers and election systems manufacturers can work together to find—and fix—any cybersecurity vulnerability that may exist in our election infrastructure.”

“Programmatic testing performed by independent security experts helps ensure equipment stays ahead of threats, and it helps increase voter confidence in the overall security of elections,” Tom Burt, CEO and president of Election Systems & Software, the largest manufacturer of voting systems in the United States, said in the press release.

The SECURE IT Act comes amid concerns across the government about election security. In March, the Cybersecurity and Infrastructure Security Agency noted that cyber and physical threats, particularly from foreign actors, are still a concern for election security.
