Skip Navigation
  • Home
  • Our Work
  • Analysis & Opinion
  • Report Finds Inadequate Oversight of Private Vendors Critical to Election Security; Proposes Framework to Increase Transparency and Protections
Press Release

Report Finds Inadequate Oversight of Private Vendors Critical to Election Security; Proposes Framework to Increase Transparency and Protections

Private vendors build and maintain much of the election infrastructure in the United States with minimal oversight by the federal government. A report released today by the Brennan Center for Justice at NYU Law presents the risks this poses to the security of our elections and offers a solution.

November 11, 2019
Contact: Alexandra Ringe, Media Contact, ringea@brennan.law.nyu.edu, 646-925-8744

New York, NY – Private vendors build and main­tain much of the elec­tion infra­struc­ture in the United States with minimal over­sight by the federal govern­ment. A report released today by the Bren­nan Center for Justice at NYU Law presents the risks this poses to the secur­ity of our elec­tions and offers a solu­tion.

“Vendors manu­fac­ture and main­tain much of Amer­ica’s elec­tion infra­struc­ture, yet they’re subject to fewer federal govern­ment regu­la­tions than the compan­ies that make colored pencils,” said Lawrence Norden, one of the authors of A Frame­work for Elec­tion Vendor Over­sight and director of the Bren­nan Center’s elect­oral reform program. “After the 2016 elec­tion, we have no doubt that our voting systems are a target of foreign adversar­ies. Congress must do more to protect our elec­tions from attack.” 

Because the elec­tion vendors are allowed to keep their secur­ity prac­tices secret, elec­tion offi­cials have little of the inform­a­tion they need to protect their voting systems. The report’s author­s—Norden, Chris­topher Deluzio, and Gowri Ramachandran—­pro­pose a federal over­sight struc­ture to improve trans­par­ency and secur­ity. For the short term, they recom­mend contin­gency plans to compensate for attacks on elec­tion systems in 2020.

As the report details, the private compan­ies that manu­fac­ture and main­tain elec­tion systems are not required under federal law to disclose to their custom­ers if their networks have been hacked, disclose who owns or controls them (includ­ing whether those owners have ties to foreign govern­ments), share their cyber­se­cur­ity prac­tices, or provide their screen­ing proced­ures for employ­ees in crit­ical posi­tions.

The authors note that most of the voting system industry is controlled by a few compan­ies, creat­ing fewer and larger targets for adversar­ies. In addi­tion, private vendors are involved in all aspects of elec­tions, produ­cing, servi­cing and program­ming regis­tra­tion data­bases, elec­tronic poll­books, voting machines, and elec­tion night report­ing systems.

“Private vendors domin­ate every stage of the voting process, supply­ing and servi­cing part or all of the elec­tion systems across the nation. Their involve­ment is soup to nuts, from voter regis­tra­tion to vote count­ing,” said Norden. “Congress must estab­lish a robust over­sight system for this industry. We have to do a better job at protect­ing the vote.”

The nation’s elec­tion systems were desig­nated as “crit­ical infra­struc­ture” by the Depart­ment of Home­land Secur­ity in 2016. A Frame­work for Elec­tion Vendor Over­sight compares the over­sight and regu­la­tion of elec­tion systems to that of the defense, energy, and nuclear indus­tries and other sectors whose products have been deemed crit­ical infra­struc­ture. The authors found that elec­tion vendors are subject to signi­fic­antly less federal scru­tiny than the compan­ies in these other sectors.

To provide elec­tion offi­cials and the public with more inform­a­tion about the vendors who play such a crit­ical role in the integ­rity and secur­ity of our nation’s elec­tions, and to set new federal stand­ards for these vendors, the report proposes:

  • Estab­lish­ing a volun­tary federal vendor certi­fic­a­tion program
  • Over­haul­ing the Elec­tion Assist­ance Commis­sion’s Tech­nical Guidelines Devel­op­ment Commit­tee with more cyber­se­cur­ity expert­ise so it can issue a set of best prac­tices
  • Ensur­ing that certi­fied vendors comply with best prac­tices related to cyber­se­cur­ity, person­nel, trans­par­ent owner­ship, report­ing cyber incid­ents, and supply chain integ­rity, and devel­op­ing a protocol for address­ing viol­a­tions of those prac­tices

The report’s authors call on Congress to enact those reforms and also to fund state and local efforts to identify and recover quickly from inter­fer­ence during the 2020 elec­tion. They recom­mend that all juris­dic­tions:

  • Stock paper backups for voting machines that don’t produce paper records
  • Create backups for elec­tronic poll books and for regis­tra­tion data­bases
  • Conduct post-elec­tion audits
  • Hire cyber­se­cur­ity experts to spot and fix prob­lems

A Frame­work for Elec­tion Vendor Over­sight is avail­able here. For more inform­a­tion about the Bren­nan Center’s elec­tion secur­ity work, click here.