Report: election vendors need more federal oversight

A virtual oligopoly over voting technology by three private vendors and a lack of federal regulatory pressure has led to dangerous security vulnerabilities in the nation's election infrastructure, according to a new report.

The Brennan Center for Justice, which tracks how states are upgrading their legacy voting machines, argues in a report released Nov. 12 that more federal oversight is needed to ensure that election vendors, particularly the three companies who provide 80% of the voting systems used in the United States (ES&S, Dominion and Hart InterCivic), are doing all they can to ensure their technology is safe and secure.

For years, election security specialists have criticized the outsized role that a handful of private vendors have played in the way U.S. election technology is managed and administered. These companies have historically spurned calls to conduct independent testing of their equipment and threatened legal action against security researchers who point out vulnerabilities.

The authors of the report argue that voting machine companies and other election vendors operate with near-complete autonomy outside of voluntary standards, unlike other heavily regulated critical infrastructure sectors.

"There is almost no federal regulation of the vendors that design and maintain the systems that allow us to determine who can vote, how they vote, or how their votes are counted and reported," write report authors Lawrence Norden, Christopher Deluzio and Gowri Ramachandran. "While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight."

The report calls for a new federal certification program to issue standards and enforce vendor compliance, the reconstitution of a technical guidelines committee stocked with cybersecurity experts, the expansion of vendor certification activities to include other election systems beyond voting machines and more robust enforcement from bodies like the Election Assistance Commission when it comes to compliance.

While federal scrutiny of voting machine vendors is viewed by many experts as insufficient, bodies like the EAC aren't even allowed to subject that same level of oversight to vendors who provide other critical components of election infrastructure, like voter registration systems, e-pollbooks and election night reporting systems. Investigations by intelligence agencies and Special Counsel Robert Mueller found that voter registration systems were systemically targeted, probed and in some cases penetrated by Russian hackers seeking to interfere in the 2016 U.S. presidential election.

EAC is likely the best home for these new programs and authorities, the authors say, but they don't rule out the creation of a new agency.

"I think [EAC is] a critical agency but it's been very short staffed, very underfunded, it often suffered from gridlock [and] they now have a situation where they don't have an executive director," said Norden, who sits on the board of advisors for the EAC but clarified that the report and his comments were being made in his capacity as director of the Election Reform Program at the Brennan Center.

In fact, while recommendations like the expansion of testing and certification to encompass election systems beyond voting machines would require an act of Congress, the organization believes EAC commissioners already have the authority to institute other changes, like stricter certification standards and compelling more transparency from voting machine vendors about their products. Norden also said that Congress must give the agency more money and do a better job selecting commissioners who will focus on the core mission of the agency.

"It should be easy enough to find people who are experts and committed to the substantive issues that the EAC works on and are less tied to the political apparatus and partisan fights that we have over elections, which I frankly don't think should be part of what the EAC is doing," he said.

Eddie Perez, a former Director of Product Management at Hart InterCivic who has since joined the nonprofit OSET Institute dedicated to improving voting security and integrity, told FCW in an email that while he was not in favor of "excessive regulation," he does support state and federal regulations that would increase transparency from voting machine vendors who have "gotten a pass for too long."

"Everyone intuitively understands that it's right and reasonable for the government to regulate providers of critical infrastructure – for example, energy, aviation, telecommunications, dams, defense industries, and emergency services," he said. "Voting technology is also critical infrastructure, and it requires oversight, just like the other critical infrastructure sectors."

However, Perez expressed skepticism about whether the EAC would be up to the task of holding election vendors more accountable, saying a new agency may be needed.

"We're not persuaded that the EAC has the mandate, resources or expertise to provide strong oversight and regulation of vendor behavior, due to its self-cited lack of enforcement or rulemaking authority," he said.

Part of the problem is that election systems were not designated as critical infrastructure by the federal government until January 2017, in the last days of the Obama administration. In its report, the Brennan Center calls for more aggressive decertification of voting machines with substandard security, though Norden said that must also be paired with robust notification procedures and enough flexibility to ensure underfunded states aren't left with uncertified equipment they can't replace come election day.

"The threat against our election systems up until recently has not been treated in the same breadth as the threat against the energy sector or the nuclear sector or defense and so there's probably some catching up that we need to do," said Norden.