States might miss new voting system specs for 2020

As Congress debates whether to allocate more funding to states to replace voting machines and upgrade cybersecurity of their election systems, Republicans have made it a sticking point to request more data around how those states are spending $380 million in federal funds approved last year.

"Right now, we're still waiting for [the Voluntary Voting System Guidelines] to be promulgated by the EAC, then voting machine manufacturers need to test their systems to those standards,"Illinois State Board of ElectionsExecutive Director Steven Sandvosstold House appropriators on Feb 27. "It's going to take a long time and I can't guarantee it will be done by 2020."

The Voluntary Voting System Guidelines are meant to guide election tech purchasing decisions by state and local election officials. The standards, last updated in 2015, are developed by the EACin conjunction with the National Institute of Standards and Technology. New guidelineswith a focus on cybersecurity were developed last year, but the EAC was unable to move the process forward due to the lack of a quorum after then-Speaker Paul Ryan declined to re-nominate Chair Matthew Masterson to the commission last year.

That status quo held until this month, when two new members, Benjamin Hovland and Donald Palmer, were sworn in as commissioners. The commission quickly moved to open up to public comment, a process that will take another three months.

Still, it will be some time before states are using the new standards for purchasing decisions. After the public comment period ends for the principles and guidelines, EAC and NIST must still finalize the actual technical guidelines that certification laboratories will use to test machines. That will be followed by another round of public comment and EAC hearings before the commission votes for final approval. After that, voting machine vendors must submit their machines for testing and certification against the new standards.

Since the commission doesn't know what feedback it will receive during that process, it's difficult to project how much the documents might need to be modified or how long it will take before the commission votes to approve final versions, an EAC employee explained. However, given the numerous procedural and testing hurdles, theemployeesaid it was "probably accurate" that states won't be able to test their systems against the new standards before the 2020 election.

Alex Haldeman, a University of Michigan professor and election security expert,told lawmakers the updated standards were "relatively weak in their scope" and do not include guidance around post-election audits and other holistic components of a secure election system.

Haldeman noted that the voluntary nature of the guidelineslimits theirimpact, and asked lawmakers to requireminimum viable securityregulations for states and voting machine vendors to follow as a condition of federal funding.

"I think we do need stronger minimum standards for election technology and auditing just so we can make sure that we can bring up the states that are most weakly protected to a reasonable level, but at the same time we have to acknowledge…that there are important differences between states and being overly prescriptive just isn't going to work," said Haldeman.

Joshua Franklin, who helped develop the initial draft of the guidelines for NIST before leaving government in 2018, noted in a Feb. 22 blogpost that the standards only cover technical aspects of a voting system and not procedural practicesthat could also have an impact on cybersecurity. Further, the standards do not cover other common forms of election technology, such as voter registration systems or electronic pollbooks, that are known to have been probed and attacked by Russian hackers in 2016.