Doug Chayka
Policy Solution

A Framework for Election Vendor Oversight

Key Point: The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more stringently than it does America’s election infrastructure.

Published: November 12, 2019

Executive Summary

More than 80 percent of voting systems in use today are under the purview of three vendors. [Note 1: Kim Zetter, “The Crisis of Election Security,” New York Times Magazine, Sept. 26, 2018, https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html.] A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country. Other systems that are essential for free and fair elections, such as voter registration databases and electronic pollbooks, are also supplied and serviced by private companies. Yet these vendors, unlike those in other sectors that the federal government has designated as critical infrastructure, receive little or no federal review. This leaves American elections vulnerable to attack. To address this, the Brennan Center for Justice proposes a new framework for oversight that includes the following:

  • Inde­pend­ent over­sight. A new federal certi­fic­a­tion program should be empowered to issue stand­ards and enforce vendors’ compli­ance. The Elec­tion Assist­ance Commis­sion (EAC) is the most logical agency to take on the role. Unfor­tu­nately, from its found­ing, the EAC has had a history of contro­versy and inac­tion in carry­ing out its core mission. In this paper, we assume that the EAC would be charged with over­see­ing the new program, and we make a number of recom­mend­a­tions for strength­en­ing the agency so that it could take on these addi­tional respons­ib­il­it­ies. Whichever agency takes on this role must be struc­tured to be inde­pend­ent of partisan polit­ical manip­u­la­tion, fully staffed with lead­ers who recog­nize the import­ance of vendor over­sight, and suppor­ted by enough compet­ent profes­sion­als and experts to do the job.
  • Issu­ance of vendor best prac­tices. Congress should recon­sti­t­ute the EAC’s Tech­nical Guidelines Devel­op­ment Commit­tee (TGDC) to include members with more cyber­se­cur­ity expert­ise and empower it to issue best prac­tices for elec­tion vendors. (The TGDC already recom­mends tech­nical guidelines for voting systems.) At the very least, these best prac­tices should encour­age elec­tion vendors to attest that their conduct meets certain stand­ards concern­ing cyber­se­cur­ity, person­nel, disclos­ure of owner­ship and foreign control, incid­ent report­ing, and supply chain integ­rity. Given the EAC’s past fail­ures to act on the TGDC’s recom­mend­a­tions in a timely manner, we recom­mend provid­ing a dead­line for action. If the EAC does not meet that dead­line, the guidelines should auto­mat­ic­ally go into effect.
  • Vendor certi­fic­a­tion. To provide vendors a suffi­cient incent­ive to comply with best prac­tices, Congress should expand the EAC’s exist­ing volun­tary certi­fic­a­tion and regis­tra­tion power to include elec­tion vendors and their vari­ous products. This expan­ded author­ity would comple­ment, and not replace, the current volun­tary federal certi­fic­a­tion of voting systems, on which ballots are cast and coun­ted. Certi­fic­a­tion should be admin­istered by the EAC’s exist­ing Test­ing and Certi­fic­a­tion Divi­sion, which would require addi­tional person­nel.
  • Ongo­ing review. In its expan­ded over­sight role, the EAC should task its Test­ing and Certi­fic­a­tion Divi­sion with assess­ing vendors’ ongo­ing compli­ance with certi­fic­a­tion stand­ards. The divi­sion should continu­ally monitor vendors’ qual­ity and config­ur­a­tion manage­ment prac­tices, manu­fac­tur­ing and soft­ware devel­op­ment processes, and secur­ity postures through site visits, penet­ra­tion test­ing, and cyber­se­cur­ity audits performed by certi­fied inde­pend­ent third parties. All certi­fied vendors should be required to report any changes to the inform­a­tion provided during initial certi­fic­a­tion, as well as any cyber­se­cur­ity incid­ents, to the EAC and all other relev­ant agen­cies.
  • Enforce­ment of guidelines. There must be a clear protocol for address­ing viol­a­tions of federal guidelines by elec­tion vendors.

Congressional authorization is needed for some but not all elements of our proposal. The EAC does not currently have the statutory authority to certify most election vendors, including those that sell and service some of the most critical infrastructure, such as voter registration databases, electronic pollbooks, and election night reporting systems. For this reason, Congress must act in order for the EAC or other federal agency to adopt the full set of recommendations in this report. [Note 2: The For the People Act, H.R. 1, 116th Cong. (2019) and the Securing America’s Federal Elections Act, the SAFE Act, H.R. 2722, 116th Cong. (2019) both would accomplish much, but not all, of this report’s recommendations. Specifically, these bills provide for EAC oversight of a broader array of election system products and vendors in exchange for receipt and use of federal funds but do not provide for ongoing certification and monitoring of vendors. They also do not speak to best practices on personnel decisions or supply chain security. These bills also do not fully address how to define foreign ownership and control. Where this report’s recommendations could be accomplished by adopting one of these bills, we have attempted to flag that for the reader.] Regardless, the EAC could, without any additional legislation, issue voluntary guidance for election vendors and take many of the steps recommended in this paper as they relate to voting system vendors. Specifically, it is our legal judgment that the EAC may require, through its registration process, that voting system vendors provide key information relevant to cybersecurity best practices, personnel policies, and foreign control. Furthermore, the EAC may deny or suspend registration based on noncompliance with standards and criteria that it publishes.

Ulti­mately, the best course of action would be for Congress to create a uniform frame­work for elec­tion vendors that adopts each of the elements discussed in this paper. In the short run, however, we urge the EAC to take the steps it can now to more thor­oughly assess voting system vendors.

Introduction

The unpre­ced­en­ted attacks on Amer­ica’s elec­tions in 2016, and repeated warn­ings by the coun­try’s intel­li­gence agen­cies of future foreign inter­fer­ence, have raised the profile of elec­tion secur­ity in a way few could have imagined just a few years ago. The response has largely focused on improv­ing the test­ing of voting machines before they are purchased and on train­ing state and local elec­tion offi­cials to insti­tute best prac­tices to prevent, detect, and recover from cyber­at­tacks.

Yet private vendors, not elec­tion offi­cials, build and main­tain much of our elec­tion infra­struc­ture. They create elec­tion websites that help voters determ­ine how to register and where to vote; print and design ballots; config­ure voting machines; and build and main­tain voter regis­tra­tion data­bases, voting machines, and elec­tronic poll­books. Not every juris­dic­tion outsources all of these func­tions, but all rely on vendors for some of this work and many for nearly all of it. Under­stand­ably, many local govern­ments under fiscal pres­sure would rather contract out these func­tions than increase their elec­tion office staff, espe­cially consid­er­ing the cyclical nature of elec­tion-related work.

There is almost no federal regu­la­tion of the vendors that design and main­tain the systems that allow us to determ­ine who can vote, how they vote, or how their votes are coun­ted and repor­ted. While voting systems are subject to some func­tional require­ments under a volun­tary federal test­ing and certi­fic­a­tion regime, the vendors them­selves are largely free from federal over­sight.

This is not the case in other sectors that the federal government has designated as critical infrastructure. Vendors in the defense sector, for example, face substantial oversight and must comply with various requirements, including rules governing the handling of classified information and supply chain integrity. The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more stringently than it does America’s election infrastructure. [Note 1: Compare, for example, The Labeling of Hazardous Art Materials Act, 15 U.S.C. 1277, and 16 C.F.R. §§ 1500.14, with 11 CFR §§ 9405.1 et seq. Indeed, Chapter II of Title 11 of the Code of Federal Regulations, the principal regulations applicable to the EAC, does not address the certification of voting systems or any potential oversight of election vendors more broadly. Nor does the legislation that established the EAC (the Help America Vote Act of 2002) — which sets some requirements for voting systems used in federal elections, see 52 U.S.C. § 21081 — require the EAC to issue any mandatory regulations on those topics. See, e.g., 52 U.S.C § 20971 (regarding the certification and testing of voting systems), § 20929 (“The Commission shall not have any authority to issue any rule, promulgate any regulation, or take any other action which imposes any requirement on any State or unit of local government . . .”), § 21101 (regarding the EAC’s adoption of voluntary guidance).]

There is a growing bipartisan appreciation that federal action is needed to address the risks that vendors might introduce into election infrastructure. Rep. Zoe Lofgren (D–CA), who chairs the Committee on House Administration, has said that a significant election-related “vulnerability comes from election technology vendors . . . who have little financial incentive to prioritize election security and are not subject to regulations requiring them to use cyber security best practices.” [Note 2: Hearing on Election Security, Before the Comm. on House Administration, 116th Cong. (May 8, 2019) (statement of Zoe Lofgren, chairperson).] Alabama’s Republican secretary of state, John Merrill, has called for the EAC to undertake “a centralized effort to evaluate the effectiveness of election equipment, whether it be for voter administration purposes, electronic poll books,” or the like. [Note 3: Hearing on Election Security, Before the Comm. on House Administration, 116th Cong. (May 8, 2019) (statement of John Merrill, Alabama secretary of state).]

While state and local governments retain primacy in running elections, only the federal government has the resources and constitutional responsibility to ensure that the more than 8,000 local election jurisdictions have access to information and expertise to safeguard federal elections from insecure vendor practices. [Note 4: U.S. Senate Select Committee on Intelligence, Report of the Select Committee on Intelligence, U.S. Senate, on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, Volume 1, July 5, 2019, https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf (“State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”); U.S. Const. art. I, § 4 (permitting Congress to regulate elections); U.S. Const. art. IV, § 4 (requiring Congress to guarantee a republican form of government to the states and to protect them from invasion).] The ability of a foreign power to exploit the vulnerabilities of a vendor in a single county in Pennsylvania could have extraordinary repercussions for the country.

[Sidebar graphic: Vendor Involvement in Elections. Icon credits: REVA/Noun Project, Pravin Unagar/Noun Project, Aisyah/]

Given the lack of federal oversight, the relatively small number of vendors with significant market share, [Note 5: Lorin Hitt et al., The Business of Voting: Market Structure and Innovation in the Election Technology Industry, University of Pennsylvania Wharton School, 2017, 15, https://publicpolicy.wharton.upenn.edu/live/files/270-the-business-of-voting.] and their “severe underinvestment in cybersecurity,” [Note 6: Frank Bajak, “US Election Integrity Depends on Security-Challenged Firms,” Associated Press, Oct. 29, 2018, https://apnews.com/f6876669cb6b4e4c9850844f8e015b4c (quoting Sen. Ron Wyden).] the Brennan Center proposes that the federal government take on a more substantial oversight role. Under our proposal, the EAC would extend its existing certification regime from voting systems to include all vendors that manufacture or service key parts of the nation’s election infrastructure. The commission would also continuously monitor vendors, with the power to revoke certification. (The EAC currently has that power but only uses it to oversee the systems themselves.)

Defin­i­tion of Elec­tion Vendor

This paper refers to “election vendors” when discussing those entities that provide election services to jurisdictions throughout the United States. A 2017 University of Pennsylvania report on the election technology industry described these entities as those “that design, manufacture, integrate, and support voting machines and the associated technological infrastructure.” [Note 7: Hitt et al., The Business of Voting, 7.] While the report focused largely on voting systems, quantifying the sector’s annual revenue at $300 million, [Note 8: Hitt et al., The Business of Voting, 8.] the election vendors referred to also include those that do not participate in the voting systems market but provide other election-related goods and services. For the purposes of this paper, “vendor” is defined to include any private individual or business that manufactures, sells, programs, or maintains machines that assist in the casting or tallying of votes, voter registration databases, electronic pollbooks, or election night reporting systems.

Vendors Present Points of Attack into Elec­tion Infra­struc­ture

Private vendors’ central role in American elections makes them prime targets for adversaries. Yet it is impossible to assess the precise level of risk associated with vendors — or how that risk impacts election security. As a 2018 U.S. Senate Intelligence Committee report observed, “State, local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of [election] vendors.” [Note 9: U.S. Senate Select Committee on Intelligence, Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations, May 8, 2018, https://www.intelligence.senate.gov/publications/russia-inquiry.]

This limited visib­il­ity into vendors includes

  • vendor cyber­se­cur­ity prac­tices (how vendors protect their own inform­a­tion tech­no­logy infra­struc­ture and data);
  • foreign owner­ship of vendors (whether foreign nation­als, or agents of foreign govern­ments, own compan­ies perform­ing crit­ical elec­tion func­tions);
  • person­nel policies and proced­ures (whether back­ground checks and other proced­ures are in place to safe­guard against inside attacks);
  • cyber­se­cur­ity incid­ent response (how vendors alert relev­ant author­it­ies of attacks); and
  • supply chains (where parts, software patches, and installations come from; how they are transported; and how they are kept secure).

Revel­a­tions that Russian actors targeted an elec­tion vendor in the lead-up to the 2016 elec­tion provide a useful example of how little insight there is into vendor secur­ity.

Special Counsel Robert Mueller’s report to the attorney general and indictment of 12 Russian intelligence officers both included allegations that these officers hacked a private U.S. elections systems vendor. The vendor is believed to operate in at least eight states, including the battleground states of North Carolina, Virginia, and Florida. [Note 10: United States v. Netyksho et al., No. 1:18CR00215, 2018 WL 3407381, 26 (D.D.C. Jul. 13, 2018); Robert S. Mueller III, Report on the Investigation into Russian Interference in the 2016 Presidential Election, U.S. Department of Justice, 2019, 50, https://www.justice.gov/storage/report.pdf; Casey Tolan, “Humboldt County Shores Up Voting Systems after Russian Hack of Election Contractor,” Mercury News, June 6, 2017, https://www.mercurynews.com/2017/06/06/humboldt-county-moves-to-shore-up-voting-systems-after-election-contractor-hack/ (listing VR Systems’ own website as the source for its list of states in which the company operates).]

According to the special counsel, hackers gained access to the vendor’s computers and used an email account designed to look like the vendor’s to send spearphishing emails to Florida election officials. [Note 11: Sam Biddle, “A Swing-State Election Vendor Repeatedly Denied Being Hacked by Russians. The New Mueller Indictment Says Otherwise,” Intercept, July 13, 2018, https://theintercept.com/2018/07/13/a-swing-state-election-vendor-repeatedly-denied-being-hacked-by-russians-new-mueller-indictment-says-otherwise/.] Per the indictment, “the spearphishing emails contained malware that the Conspirators embedded into Word documents bearing [the vendor’s] logo.” [Note 12: United States v. Netyksho et al., No. 1:18CR00215, 2018 WL 3407381, 26 (D.D.C. Jul. 13, 2018).] According to Florida Governor Ron DeSantis, the hackers breached the election systems of two Florida counties. [Note 13: Miles Parks, “Florida Governor Says Russian Hackers Breached Two Counties in 2016,” NPR, May 14, 2019, https://www.npr.org/2019/05/14/723215498/florida-governor-says-russian-hackers-breached-two-florida-counties-in-2016.]

We still don’t know all the facts. Even in the rare instance that the public learns of a vendor hack — as it did through the special coun­sel’s invest­ig­a­tion — many ques­tions remain unanswered. When and how did the vendor learn of these attacks? What prevent­ive meas­ures were in place? What steps did the vendor take after discov­er­ing it was targeted to ensure that it was not infilt­rated? Did it imme­di­ately inform its custom­ers? The public gener­ally never learns the answers to these ques­tions, and there are no federal laws or regu­la­tions requir­ing private vendors to take any action in the event of a cyber­at­tack.

Similarly, Vice recently reported that election night reporting systems sold by Election Systems and Software (ES&S), the country’s leading election vendor, had been exposed to the public internet, potentially for years on end. (ES&S denied the substance and significance of the report.) Although ES&S voting machines are certified by the EAC, its transmission configuration is not. [Note 14: Kim Zetter, “Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials,” Vice, Aug. 8, 2019, https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials (quoting ES&S marketing literature).]

The lack of visibility into vendors and their cybersecurity can also contribute to an inability to detect poor practices that might affect vendor performance until it is too late. In 2017, ES&S left the sensitive personal information of 1.8 million Chicago voters publicly exposed on an Amazon cloud server. [Note 15: Dan O’Sullivan, “The Chicago Way: An Electronic Voting Firm Exposes 1.8M Chicagoans,” Upguard, Dec. 13, 2018, https://www.upguard.com/breaches/cloud-leak-chicago-voters.] That information reportedly included “addresses, birth dates and partial Social Security numbers,” [Note 16: Bajak, “US Election Integrity.”] information valuable to hackers.

Opaque supply chains further exacerbate the problem. Earlier this year, an IBM Security Services investigation on behalf of Los Angeles County found that compatibility issues between the voter list and an ES&S subsidiary’s software contributed to nearly 120,000 voters being left out of printed pollbooks and forced to request provisional ballots. [Note 17: “Report Blames Software Error for Los Angeles Voting Problem,” Associated Press, Aug. 1, 2018, https://www.apnews.com/95b056ab2eab47febaf721a1d285a045; IBM Security Services, Independent Investigation of Election System Anomalies in Los Angeles County on June 5, 2018, Aug. 1, 2018, http://file.lacounty.gov/SDSInter/lac/1042885_FINALExecutiveSummaryAugust12018.pdf; see also Board of Supervisors, Request for Approval: Amendment Number Eight to Agreement Number 76010 with Data Information Management Systems, LLC for Voter Information Management System Maintenance and Support Services, County of Los Angeles, 2015, https://www.lavote.net/documents/05052015.pdf (identifying ES&S subsidiary Data Information Management Systems, LLC as vendor responsible for maintaining and servicing Los Angeles County’s voter information management system).]

Although the EAC can conduct manufacturing site visits through its Quality Monitoring Program, [Note 18: U.S. Election Assistance Commission, “Quality Monitoring Program,” https://www.eac.gov/voting-equipment/quality-monitring-program/.] this program extends only to voting systems that are submitted for voluntary certification and does not cover the full menu of vendor products and services. There is no federal scrutiny of supply chains for components sourced for noncertified products and services, for example, despite the finding of the Department of Homeland Security (DHS) that “contractors, sub-contractors, and suppliers at all tiers of the supply chain are under constant attack.” [Note 19: National Protection and Programs Directorate, “DHS and Private Sector Partners Establish Information and Communications Technology Supply Chain Risk Management Task Force,” U.S. Department of Homeland Security, Oct. 30, 2018, https://www.dhs.gov/news/2018/10/30/dhs-and-private-sector-partners-establish-information-and-communications-technology.]

The recent ban on certain technologies made by the Chinese company Huawei is a stark illustration of the growing recognition of supply chain risk. [Note 20: See, e.g., Sean Keane, “Huawei Ban: Full Timeline on How and Why Its Phones Are Under Fire,” CNET, May 30, 2019, https://www.cnet.com/news/huawei-ban-full-timeline-on-how-and-why-its-phones-are-under-fire/.] Vendors’ use of local or regional partners or subcontractors adds to the lack of visibility. For instance, Unisyn Voting Solution, a digital scan voting system manufacturer whose systems have been certified by the EAC, identifies a range of partners in several states on its website. [Note 21: Unisyn Voting Systems, “Partners,” https://unisynvoting.com/partners/.] Neither Unisyn nor these partners are currently subject to the kind of oversight we recommend.

Elec­tion offi­cials often depend on vendors whose prac­tices are opaque. Yet these compan­ies — unlike those in other crit­ical infra­struc­ture sectors, such as defense, nuclear, dams, and energy — face almost no federal over­sight of their secur­ity systems. There are no require­ments that vendors report breaches, screen employ­ees’ back­grounds, patch secur­ity flaws, report foreign owner­ship or control, or ensure the phys­ical secur­ity of sens­it­ive soft­ware and hard­ware.

Inde­pend­ent Federal Over­sight

This paper assumes that the Election Assistance Commission would be the agency charged with overseeing election vendors. There are many reasons why the EAC is the most logical choice for this role. One among them is that the EAC already certifies voting equipment and issues voluntary guidance. Because it is structured as an independent agency with bipartisan membership, it faces less risk of undue political meddling in the technical work of overseeing election vendors than a traditional executive agency would. Its structure could also help avoid dramatic shifts in oversight approaches with a change of presidential administrations. [Note 22: The EAC’s bipartisan structure provides important checks and balances, but it also carries a risk of the sort of pervasive gridlock that has hamstrung the Federal Election Commission, leading the Brennan Center to advocate for a fundamental overhaul of that agency. See Daniel I. Weiner, Fixing the FEC: An Agenda for Reform, Brennan Center for Justice, 2019, https://www.brennancenter.org/sites/default/files/publications/2019_04_FECV_Final.pdf. But the EAC’s mission is very different from that of the FEC, which oversees campaign finance. Because of the technical nature of much of its work, the EAC has not been paralyzed by the same partisan ideological divisions, leading us to conclude that its bipartisan structure remains viable, at least for now.]

Unfortunately, the EAC has been plagued by controversy for years. Its leaders have waded into contentious issues, such as voter identification and proof of citizenship, that have little relation to the agency’s core responsibilities. [Note 23: Ian Urbina, “Panel Said to Alter Finding on Voter Fraud,” New York Times, Apr. 11, 2007, https://www.nytimes.com/2007/04/11/washington/11voters.html.] It has missed deadlines for completing critical functions, such as adopting voting system guidelines. [Note 24: Eric Geller, “Federal Election Official Accused of Undermining His Own Agency,” Politico, June 15, 2019, https://www.politico.com/story/2019/06/15/federal-election-brian-newby-2020-1365841.] And there are concerns that it has not taken election security seriously enough, [Note 25: Kim Zetter, “Experts: Elections Commission Downplaying Unseen Risks to 2020 Vote,” Politico, Mar. 15, 2019, https://www.politico.com/story/2019/03/15/election-machine-security-2020-cybersecurity-1222803.] as well as “complaints of infighting, high [staff] turnover and cratering morale.” [Note 26: Geller, “Federal Election Leader Accused.”]

If the EAC were chosen for this role, Congress would need to take a number of actions to make its success more likely. First, it would need to increase the agency’s budget. The new role would constitute a major expansion of the EAC’s regulatory mandate. In recent years, despite the increased threat of cyberattacks against our nation’s election infrastructure, funding for the EAC has dropped sharply. The agency’s budget in fiscal year 2019 was just $9.2 million, down from $18 million in fiscal year 2010. [Note 27: U.S. Election Assistance Commission, Fiscal Year 2019 Congressional Budget Justification, Feb. 12, 2018, https://www.eac.gov/assets/1/6/fy_2019_cbj_feb_12_2018_final.Pdf; Omnibus Appropriations Act, 2009, Pub. L. No. 111–8 (2009); Election Assistance Commission Termination Act, H.R. Rept. 114–361 (2015).]

With expan­ded over­sight author­ity, the EAC would need to dramat­ic­ally increase its cyber­se­cur­ity compet­ency and know­ledge. To facil­it­ate this increased tech­nical focus, we outline below how the exist­ing Tech­nical Guidelines Devel­op­ment Commit­tee would need to be modi­fied to emphas­ize tech­nical profi­ciency and, specific­ally, cyber­se­cur­ity expert­ise. We also recom­mend greater defer­ence to this modi­fied tech­nical commit­tee, permit­ting its recom­men­ded volun­tary guidelines to take effect absent over­rid­ing action by the EAC. These changes, too, would require congres­sional action.

On the person­nel front, Congress would need to commit to keep­ing EAC seats filled by lead­ers who are dedic­ated to work­ing with each other and with career staff to ensure the secur­ity of our elec­tion infra­struc­ture. Congress’s fail­ure to replace commis­sion­ers left the EAC without a quorum between Decem­ber 2010 and Decem­ber 2014 and then again between March 2018 and Febru­ary 2019.

Finally, given the breadth and scope of this new mandate, Congress would need to subject the agency to more scrutiny and oversight than it has in the past. [Note 28: Both the House and Senate held EAC oversight hearings this year, but they were the first oversight hearings in either chamber in over eight years. See Committee on House Administration, “Hearings,” https://cha.house.gov/committee-activity/hearings; “Congressional Hearings,” Govinfo, https://www.govinfo.gov/app/collection/chrg/116/house/Committee%20on%20House%20Administration; Senate Committee on Rules and Administration, “Hearings,” https://www.rules.senate.gov/hearings.]

If Congress is unable or unwill­ing to take these steps, it should find a differ­ent agency to over­see elec­tion vendor certi­fic­a­tion. Any agency placed in that role must be struc­tured so as to remain inde­pend­ent of partisan control. It will need exper­i­enced, effect­ive staff and lead­er­ship who are commit­ted to elec­tion secur­ity, cyber­se­cur­ity, tech­nical compet­ency, and good and effect­ive elec­tion admin­is­tra­tion.

Most of the policies sugges­ted in this report will require congres­sional author­iz­a­tion. Not least of these is the abil­ity of the Elec­tion Assist­ance Commis­sion’s regu­lat­ory author­ity to reach elec­tion system vendors for products and services other than voting machines — includ­ing voter regis­tra­tion data­bases, elec­tronic poll­books and elec­tion night report­ing. However, the EAC can under its current author­ity insti­tute a volun­tary system of over­sight of the secur­ity prac­tices of vendors that supply voting systems, using a combin­a­tion of its regis­tra­tion and certi­fic­a­tion schemes.

In order to register, voting system vendors must already provide the EAC with critical information about their ownership, along with written policies regarding their quality assurance mechanisms. Vendors must agree to certain program requirements, and registrants can be suspended if they fail to continue to abide by the registration requirements. A system cannot be submitted for certification unless its manufacturer is currently registered with the EAC. [i] The need for this type of information is clear: in order to carry out its certification, decertification, and recertification authority, including the provision of a fair process to vendors who risk decertification or denial of certification, the EAC must be able to maintain communication with voting system vendors and ensure compliance with quality assurance mechanisms on an ongoing basis.

To ensure that certi­fied voting systems are secure, the EAC can adopt Volun­tary Voting System Guidelines (VVSG) that outline best prac­tices for vendors as they relate to cyber­se­cur­ity, person­nel, foreign control, and supply chain integ­rity. Voting system vendors can then be required, as part of regis­tra­tion, to provide inform­a­tion on their compli­ance with these stand­ards.

For instance, the current VVSG provide special guidelines for voting systems that use public tele­com­mu­nic­a­tions networks in order to ensure that they are protec­ted against external threats, includ­ing monit­or­ing require­ments. Simil­arly, the guidelines require veri­fic­a­tion meth­ods for both soft­ware setup and any soft­ware update pack­ages. ii New guidelines could outline why back­ground checks for person­nel are neces­sary to ensure the ongo­ing secur­ity of voting systems, includ­ing upgrades and changes. iii

The current regis­tra­tion process could also allow the EAC to ensure that vari­ous voting system vendor best prac­tices remain in force over time. The process imposes a continu­ing respons­ib­il­ity on vendors to report any changes in the inform­a­tion supplied to the EAC and to “oper­ate . . . consist­ent with the proced­ural require­ments” estab­lished by the EAC’s test­ing and certi­fic­a­tion manual. Thus, if regis­tra­tion mandated, for example, the provi­sion of cyber­se­cur­ity inform­a­tion from vendors, they would be required to report cyber­se­cur­ity changes or incid­ents pursu­ant to their respons­ib­il­ity to keep regis­tra­tion inform­a­tion up to date. Regis­tra­tion could be suspen­ded if vendors failed to main­tain policies consist­ent with the EAC’s require­ments. iv

While expand­ing over­sight of voting system vendors to ensure compli­ance with the basic secur­ity meas­ures discussed in this paper would not be a substi­tute for a full certi­fic­a­tion system for all elec­tion system vendors, it would be a signi­fic­ant step toward provid­ing greater account­ab­il­ity for voting system vendors.

i U.S. Elec­tion Assist­ance Commis­sion, Test­ing and Certi­fic­a­tion Program Manual, Version 2.0, 12–19.

ii Volun­tary Voting Systems Guidelines, Vol.1, Version 1.1, §7.4.6, §7.5, §7.5.2, §7.5.3.

iii The adop­tion of modern approaches such as agile soft­ware devel­op­ment and the provi­sion of ongo­ing tech­nical support makes inform­a­tion about a vendor’s ongo­ing compli­ance with best prac­tices crit­ical for determ­in­ing the level of risk posed by upgrades and changes, includ­ing some that might be deemed de minimis if vendor secur­ity prac­tices are strong. See U.S. Elec­tion Assist­ance Commis­sion, Test­ing and Certi­fic­a­tion Program Manual, Version 2.0

iv U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 17. Suspension of an entire vendor, like decertification of a vendor, would similarly need to be handled thoughtfully. See the Enforcing Guidelines section of this report.


A New Framework for Election Vendor Oversight

Under the Brennan Center’s proposal, the Election Assistance Commission’s oversight role would be substantially expanded. Oversight would extend beyond voting equipment [1] to election vendors themselves. The current voting system testing is intentionally quite limited: it occurs at the end of the design, development, and manufacture of voting system equipment. It does not ensure that the vendors have engaged in best supply chain or cybersecurity practices when developing equipment or when servicing or programming it once it is certified. [2] Nor does the system ensure that the vendor has conducted background checks on employees or set up controls limiting access to sensitive information.

[1] Under the Help America Vote Act, Pub. L. No. 107–252 (2002), this includes all equipment that is used to “define ballots; . . . cast and count votes; . . . report or display election results; and . . . maintain and produce any audit trail information.” It does not include certification of other election systems, such as electronic pollbooks; such machines are now used widely and are critical to running elections around the country. See Andrea Cordova, “Want a Simple Way to Increase Election Security? Use Paper,” Brennan Center for Justice, Oct. 8, 2018, https://www.brennancenter.org/blog/want-simple-way-increase-election-security-use-paper. They, too, should be added to this system testing regime, as was proposed recently in the Election Security Assistance Act, H.R. 3412, 116th Cong. (2019), § 3(a).

[2] The EAC can conduct manufacturing site visits through its Quality Monitoring Program, but a site visit is unlikely to uncover insecure development practices, which can pose problems at later stages, such as during the provision of technical support to election officials or the programming of a ballot style or candidate register.

Despite its limitations, the EAC’s Testing and Certification Program — a voluntary program that certifies and decertifies voting system hardware and software — provides a good template for a vendor oversight program. A variety of bills, including the Election Security Assistance Act proposed by Rep. Rodney Davis (R–IL) and the Democratic-sponsored SAFE Act and For the People Act, have called for electronic pollbooks, which are not currently considered voting systems or covered by the program, to be included in its hardware and software testing regime. [3]

[3] For the People Act, H.R. 1, 116th Cong. (2019), § 3302; Securing America’s Federal Elections Act, H.R. 2722, 116th Cong. (2019), § 204; Election Security Assistance Act, H.R. 3412, 116th Cong. (2019), § 3(a).

Currently, the Technical Guidelines Development Committee, a committee of experts appointed jointly by the National Institute of Standards and Technology (NIST) and the EAC, sets certification standards for voting systems. These guidelines, known as the Voluntary Voting System Guidelines (VVSG), can be adopted, with modifications, by a majority of EAC commissioners. Once approved, they become the standards against which voting machines are tested for federal certification. The VVSG ensures that voting systems have the basic functionality, accessibility, and security capabilities required by the Help America Vote Act (HAVA). [4]

[4] U.S. Election Assistance Commission, Voluntary Voting System Guidelines, Vol. 1, Version 1.1, 2015, https://www.eac.gov/assets/1/28/VVSG.1.1.VOL.1.FINAL1.pdf.

Future iterations of the VVSG and certification process may change slightly: commissioners have suggested that they may support a new version of the VVSG that adopts high-level principles and guidelines for the commission to approve, along with a more granular set of certification requirements, which staff could adjust from time to time. [5]

[5] U.S. Election Assistance Commission, VVSG Public Hearing (Apr. 10, 2019) (statement of Vice Chairman Ben Hovland).

Once new voting system guidelines are adopted, the EAC’s Testing and Certification Division tests the systems (per the VVSG), certifies them, monitors them, and, if critical problems are later discovered, decertifies them. The EAC conducts field tests of voting machines only if invited or given permission by a state election official. It does not do this on a routine basis. [6] Rather, election officials using the certified voting machines have the option to report system anomalies to the EAC. If the EAC deems a report credible, it may begin a formal investigation and work with the vendor to address the problem. If the vendor fails to fix the anomaly, the EAC is obligated to decertify the voting system. [7]

[6] U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 2015, 71, https://www.eac.gov/assets/1/6/Cert_Manual_7_8_15_FINAL.pdf.

[7] Testing and Certification Program Manual, Version 2.0, EAC, 71–75.

With some import­ant modi­fic­a­tions, we recom­mend a similar regime for certi­fy­ing elec­tion system vendors. The commis­sion­ers should adopt a set of prin­ciples and guidelines for vendors recom­men­ded by a Tech­nical Guidelines Devel­op­ment Commit­tee, as well as a more detailed set of require­ments that could be adjus­ted as needed by EAC staff. We recom­mend that the EAC routinely monitor certi­fied vendors to ensure ongo­ing compli­ance and estab­lish a process for address­ing viol­a­tions of federal stand­ards, includ­ing through decer­ti­fic­a­tion.

A Volun­tary Regime

Federal certi­fic­a­tion will only be mean­ing­ful if state and local govern­ments that contract with elec­tion system vendors rely on it when making purchas­ing decisions.

For this reason, some have recommended that state and local governments be required to use only vendors that have been federally certified. For instance, the Election Vendor Security Act proposes that state and local election administrators be banned from using any vendor for federal elections that does not meet some minimum standards. [8]

[8] Election Vendor Security Act, H.R. 6435, 115th Cong. (2018).

There are obvi­ous bene­fits to a mandat­ory regime. Most import­ant, it would ensure that all juris­dic­tions through­out the coun­try use vendors that have met minimum secur­ity stand­ards. But there are draw­backs as well. Not least of these is that some states and local­it­ies might view a federal mandate to use certain vendors as a usurp­a­tion of their power to over­see their own elec­tions, making the creation of a federal program polit­ic­ally chal­len­ging.

Moreover, since private vendors are so deeply entwined in the running of our elec­tions, requir­ing towns, counties, and states to use only certi­fied vendors could present prob­lems. If a vendor failed the certi­fic­a­tion process (or decided not to apply for certi­fic­a­tion), some counties would not be able to run their elec­tions. Others might be forced to spend tens of millions of dollars to purchase new equip­ment and services before they could run elec­tions again, even if they had determ­ined that they could have run their elec­tions securely.

A voluntary approach — leaving it to the states and local jurisdictions to decide whether to contract with non–federally certified vendors — could draw states into the voting system certification process. It may also be more politically feasible. A voluntary approach would give state and local jurisdictions the flexibility to take additional security measures if their current vendors did not obtain federal certification. In selecting new vendors, most states and local election officials would likely rely on federal certification in making purchases, as they do with voting machines. Democrats in Congress opted for this approach in the For the People Act and the SAFE Act. Both measures would incentivize participation by providing grants to states that acquire goods and services from qualified election infrastructure vendors or implement other voting system security improvements. [9]

[9] For the People Act, H.R. 1, 116th Cong. (2019), § 298A; Securing America’s Federal Elections Act, H.R. 2722, 116th Cong. (2019), § 297A.

The drawback of a voluntary program is that states and vendors may ignore it. But there is reason to believe that there would be wide participation in a voluntary federal program. Even though the current voting machine certification program is voluntary, 47 of 50 states rely on the EAC’s certification process for voting machines in some way. [10] Another voluntary program, DHS’s Election Infrastructure Sector Coordinating Council, was founded in 2018 to share information among election system vendors. Numerous major election vendors have supported it as organizing members. [11]

[10] U.S. Election Assistance Commission, “Fact Sheet: The U.S. Election Assistance Commission’s Voting System Testing and Certification Program,” Mar. 7, 2017, https://www.eac.gov/news/2017/03/07/fact-sheet-the-us-election-assistance-commissions-voting-system-testing-and-certification-program-voting-systems-certification-communications-fact-sheet/.

[11] U.S. Department of Homeland Security, Election Infrastructure Subsector Coordinating Council Charter, Version 1.0, 2018, 3, https://www.dhs.gov/sites/default/files/publications/govt-facilities%20-EIS-scc-charter-2018-508.pdf.

Guidelines Developed by an Empowered, More Tech­nical Commit­tee

A new Technical Guidelines Development Committee, with additional cybersecurity experts, should be charged with crafting vendor certification guidelines for use by the Election Assistance Commission, incorporating best practices that election vendors must meet. These guidelines should go into effect unless the EAC overrides the recommendation within a specified period of time. This deference to the technically expert TGDC in the absence of an override by policymakers is necessary to avoid the kinds of lengthy delays that have stood in the way of prior attempts to update the VVSG. [12] The NIST cybersecurity framework should be the starting point for these best practices, and the TGDC need only apply election-specific refinements to this existing framework.

[12] When the TGDC advised a restructuring of the VVSG in 2007, its recommendations were never adopted. Work began on a “patch,” the VVSG 1.1, but that was halted for years, when the EAC lost a quorum, and was ultimately adopted only in 2015. A new VVSG 2.0 was provided by the TGDC in Feb. 2017 and was recommended for adoption that September, but again the EAC lost its quorum. It is now out for public comment. U.S. Election Assistance Commission, VVSG Public Hearing (Apr. 10, 2019) (statement of Ryan Macias), https://www.eac.gov/events/2019/04/10/vvsg-public-hearing/.

The TGDC is chaired by the director of the NIST. Its 14 other members are appointed jointly by the director and the EAC. [13] We recommend that Congress authorize NIST to expand TGDC’s membership to include the wider range of expertise necessary to fulfill its role in defining vendor best practices. These new members should explicitly be required to have cybersecurity expertise. Congress should also mandate that a representative from the new DHS Cybersecurity and Infrastructure Security Agency (CISA), a leading voice in cybersecurity defense, including in the elections sector, join the TGDC. The Vendor System Cyber Security Act of 2019, introduced by Sen. Gary Peters (D–MI), would require this step. [14] Similarly, Congress should mandate the inclusion of a representative from the National Association of State Chief Information Officers (NACIO) with expertise in cybersecurity. [15]

[13] U.S. Election Assistance Committee, “Technical Guidelines Development Committee,” https://www.eac.gov/about/technical-guidelines-development-committee/.

[14] Voting System Cybersecurity Act of 2019, S. 1454, 116th Cong. (2019), § 2.

[15] A possible configuration of the NIST-chosen representatives could be: One representative from CISA with technical and scientific expertise related to cybersecurity in election technology; one representative of state election information technology directors selected by the National Association of State Election Directors; one representative from the National Association of State Chief Information Officers (NACIO) with expertise in cybersecurity; one representative from the EI-ISAC with technical and scientific expertise related to cybersecurity in elections; two representatives who are academic or scientific researchers with technical and scientific expertise related to cybersecurity, chosen by NIST; one representative who possesses technical and scientific expertise relating to the accessibility and usability of voting systems, chosen by NIST; one representative of manufacturers of voting system hardware and software who possesses technical and scientific expertise relating to cybersecurity and the administration of elections, selected jointly by the EAC and NIST; and one representative of a laboratory accredited under section 231(b) who possesses technical and scientific expertise relating to cybersecurity and the administration of elections, selected by the NIST National Voluntary Laboratory Assessment Program (NVLAP). A similar proposal to modify the TGDC appears in S. Amdt. 3983 to H.R. 6157, 115th Cong. (2018).

Recon­sti­t­ut­ing the TGDC in this manner would not only ensure that it has the relev­ant expert­ise to set guidelines for vendors but also that there are more members with tech­nical back­grounds.

As noted above, we recommend permitting the guidelines developed by the TGDC to take effect in the event that the EAC fails to act on them within a specified time period. We also recommend that vendors seeking certification must always meet the most recent set of guidelines. This, along with the expanded membership of the TGDC, will provide the necessary assurance that best practices are updated in a timely fashion and that vendors seeking certification meet the most up-to-date standards. [16]

[16] Currently, guidelines issued by the TGDC do not go into effect absent approval by the EAC, which can create significant delays, and voting system vendors have obtained certification to older versions of the VVSG, even after new versions have been approved by the EAC. See Tim Starks, “EAC Finally Nearing Ability to Take Major Action,” Politico, Nov. 28, 2018, https://www.politico.com/newsletters/morning-cybersecurity/2018/11/28/eac-finally-nearing-ability-to-take-major-action-433181 (describing the EAC’s lack of a quorum since March 2018, which prevented it from approving a new version of the VVSG). See U.S. Election Assistance Commission, “Certified Voting Systems,” https://www.eac.gov/voting-equipment/certified-voting-systems/ (showing voting systems as certified in 2017, 2018, and 2019 to VVSG 1.0, a set of guidelines that was replaced by VVSG 1.1 in 2015).

The new TGDC will be respons­ible for devel­op­ing federal certi­fic­a­tion guidelines that vendors must satisfy to sell key elec­tion infra­struc­ture and services for use in federal elec­tions. Areas that should be covered in such guidelines include

  • cyber­se­cur­ity best prac­tices,
  • back­ground checks and other secur­ity meas­ures for person­nel,
  • trans­par­ent owner­ship,
  • processes for report­ing cyber incid­ents, and
  • supply chain integ­rity.

Below, we discuss the import­ance of each of these items, what guidelines in each of these areas could look like, and how to ensure compli­ance.

Cyber­se­cur­ity Best Prac­tices

The lead-up to the 2016 presidential election provided numerous examples of the devastating consequences of failing to heed cybersecurity best practices. Through a series of attacks that included spearphishing emails, Russian hackers gained access to internal communications of the Democratic National Committee (DNC). [17] The DNC reportedly did not install a “robust set of monitoring tools” to identify and isolate spearphishing emails on its network until April 2016, which, in retrospect, was far too late. [18] The chairman of Hillary Clinton’s campaign, John Podesta, fell prey to a similar attack. [19] These threats did not end in 2016; in the run-up to the 2018 elections, hackers targeted congressional candidates including Sen. Claire McCaskill (D–MO) and Hans Keirstead, who ran in a Democratic Party primary in California. [20]

[17] Philip Bump, “Timeline: How Russian Agents Allegedly Hacked the DNC and Clinton’s Campaign,” Washington Post, July 13, 2018, https://www.washingtonpost.com/news/politics/wp/2018/07/13/timeline-how-russian-agents-allegedly-hacked-the-dnc-and-clintons-campaign/?utm_term=.618a5496022b; Eric Lipton, David E. Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.,” New York Times, Dec. 13, 2016, https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html.

[18] Lipton et al., “The Perfect Weapon.”

[19] Lipton et al., “The Perfect Weapon.”

[20] Eric Geller, “Microsoft Reveals First Known Midterm Campaign Hacking Attempts,” Politico, July 19, 2018, https://www.politico.com/story/2018/07/19/midterm-campaign-hacking-microsoft-733256; Kevin Poulsen and Andrew Desiderio, “Russian Hackers’ New Target: A Vulnerable Democratic Senator,” Daily Beast, July 26, 2018, https://www.thedailybeast.com/russian-hackers-new-target-a-vulnerable-democratic-senator; Andy Kroll, “Documents Reveal Successful Cyberattack in California Congressional Race,” Rolling Stone, Aug. 15, 2018, https://www.rollingstone.com/politics/politics-news/california-election-hacking-711202/.

Guarding against spearphishing emails is Cybersecurity 101. Yet the numerous reports of successful spearphishing attacks suggest that many individuals and organizations fail to meet even that low bar of cyber readiness. Are vendors guarding against these (and other) attacks? [21] Special Counsel Robert Mueller’s report on 2016 election interference indicates that an employee at an election vendor fell victim to a spearphishing attack, enabling malware to be installed on that vendor’s network. The vendor, which many assume is VR Systems, has denied that the attackers were able to breach its system. [22] Under the current regime, which lacks any meaningful visibility into vendors’ cybersecurity practices, we simply do not, and cannot, know.

[21] Using remote-access software to access a computer risks opening up access to the entire network that computer is connected to. Yet it has been alleged that VR Systems used such software in 2016 to connect to the North Carolina State Board of Elections, in order to download a voter list for Durham County. Kim Zetter, “Software Vendor May Have Opened a Gap for Hackers in 2016 Swing State,” Politico, June 5, 2019, https://www.politico.com/story/2019/06/05/vr-systems-russian-hackers-2016-1505582.

[22] Mueller, Report on the Investigation into Russian Interference, 51; Kim Zetter, “Florida Election Vendor Says It Has Proof It Wasn’t Breached by Russians,” Politico, May 23, 2019, https://www.politico.com/story/2019/05/23/florida-vendor-russia-1469086.

The new Technical Guidelines Development Committee should craft cybersecurity best practices that include not only equipment- and service-related offerings but also internal information technology practices, cyber hygiene, data access controls, and the like. Various bills have proposed that the TGDC take on this role, including the SAFE Act, the Election Security Act, and the For the People Act. [23]

[23] Securing America’s Federal Elections Act, H.R. 2722, 116th Cong. (2019), § 297A; Election Security Act, H.R. 2660, 116th Cong. (2019), § 297A; Election Security Act of 2019, S. 1540, 116th Cong. (2019), § 297A; For the People Act, H.R. 1, 116th Cong. (2019), § 298A.


The NIST Cybersecurity Framework [24] should be the starting point and be supplemented by election-specific refinements. NIST advises that “the Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations. . . . [It] should be customized by different sectors and individual organizations to best suit their risks, situations, and needs.” [25]

[24] National Institute of Standards and Technology, “Cybersecurity Framework,” https://www.nist.gov/cyberframework.

[25] National Institute of Standards and Technology, “Questions & Answers,” https://www.nist.gov/cyberframework/questions-and-answers#checklist.

When seek­ing Elec­tion Assist­ance Commis­sion certi­fic­a­tion, vendors should have to demon­strate that they meet the TGDC’s cyber­se­cur­ity best prac­tices. The EAC should consider provid­ing a self-assess­ment hand­book or other form of guid­ance to facil­it­ate vendor compli­ance with this require­ment.

Such a self-assessment handbook exists in the defense sector for contractors that handle certain sensitive information. Department of Defense contractors “that process, store or transmit Controlled Unclassified Information must meet the Defense Federal Acquisition Regulation Supplement minimum security standards” and certify that they comply with published requirements. [26] An EAC resource along these lines would provide vendors with clarity about how to assess compliance and agreed-upon metrics.

[26] Patricia Toth, NIST Handbook 162: NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800–171 Security Requirements in Response to DFARS Cybersecurity Requirements, National Institute for Standards and Technology, 2017, https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf. See also, “DFARS Cybersecurity Requirements,” Manufacturing Extension Partnership, National Institute of Standards and Technology, created Dec. 1, 2017, updated June 28, 2018, https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance.

Similarly, DHS has published resources associated with its Cyber Resilience Review program, which “align[s] closely with the Cybersecurity Framework . . . developed by the National Institute of Standards and Technology.” [27] They include a self-assessment package and a “Question Set with Guidance,” [28] which could prove useful in developing analogous resources for the EAC.

[27] U.S. Department of Homeland Security, “Cyber Resilience Review,” https://www.us-cert.gov/sites/default/files/c3vp/crr-fact-sheet.pdf.

[28] See generally U.S. Department of Homeland Security, “Cybersecurity Framework,” Critical Infrastructure Cyber Community Voluntary Program, https://www.us-cert.gov/ccubedvp/cybersecurity-framework.

Back­ground Checks And Other Secur­ity Meas­ures For Person­nel

Much of the conver­sa­tion about elec­tion cyber­se­cur­ity has imagined attack­ers in distant lands reach­ing our elec­tion infra­struc­ture through the inter­net. But some of the most effect­ive cyber­at­tacks of recent years have involved insiders. To mitig­ate these risks, vendors should demon­strate during certi­fic­a­tion that they have sound person­nel policies and prac­tices in place.

At a minimum, vendors should describe how they screen prospect­ive employ­ees for secur­ity risks, includ­ing back­ground checks, and how they assess employ­ees for suit­ab­il­ity on an ongo­ing basis, includ­ing substance-abuse screen­ing. The Elec­tion Assist­ance Commis­sion should also require vendor disclos­ure of controls govern­ing staff access to sens­it­ive elec­tion-related inform­a­tion. Since the bulk of such sens­it­ive inform­a­tion would presum­ably not consti­tute clas­si­fied inform­a­tion, which is subject to its own set of robust controls, the EAC’s scru­tiny of vendor person­nel risk manage­ment will be crit­ical.

Vulner­ab­il­ity to attacks by insiders is a threat separ­ate and apart from a hack over the inter­net, demand­ing entirely differ­ent controls and defens­ive meas­ures. Without adequate person­nel screen­ing and other safe­guards, vendors that provide crit­ical elec­tion services could be exposed to malfeas­ance from within. The FBI’s thor­ough back­ground checks for Justice Depart­ment attor­neys and other law enforce­ment person­nel provide a good model for aggress­ively vetting person­nel. In the event elec­tion vendors require access to form­ally clas­si­fied inform­a­tion, examples abound in the defense, nuclear, and other sectors of how to handle secur­ity clear­ances.

The Nuclear Regulatory Commission (NRC) regulates personnel in ways potentially relevant to election vendors. [29] Its fitness-for-duty program requires that individuals licensed to operate a nuclear reactor [30] meet several performance objectives, including “reasonable assurance” that they

  • “are trustworthy and reliable as demonstrated by the avoidance of substance abuse,” and
  • “are not under the influence of any substance, legal or illegal, or mentally or physically impaired from any cause, which in any way adversely affects their ability to safely and competently perform their duties.” [31]

[29] U.S. Nuclear Regulatory Commission, “About NRC,” last updated Feb. 12, 2018, https://www.nrc.gov/about-nrc.html.

[30] See generally, 10 C.F.R. §§ 26.1–26.825.

[31] 10 C.F.R. § 26.23.

These programs also include “reasonable measures for the early detection of individuals who are not fit to perform the duties.” [32] The regulations include training requirements [33] and penalties for violations, [34] as well as robust substance-abuse testing protocols. [35] The NRC also regulates access to national security information [36] and nuclear-related restricted data [37] by individuals working for entities regulated by the commission. [38]

[32] 10 C.F.R. § 26.23.

[33] 10 C.F.R. § 26.29.

[34] 10 C.F.R. §§ 26.181–26.189.

[35] 10 C.F.R. §§ 26.81–26.119.

[36] 10 C.F.R. § 10.5 (“National Security Information means information that has been determined under Executive Order 13526 or any predecessor or successor order to require protection against unauthorized disclosure and that is so designated.”).

[37] 10 C.F.R. § 10.5 (“Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons, the production of special nuclear material, or the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to section 142 of the Atomic Energy Act of 1954, as amended.”).

[38] 10 C.F.R. § 10.1(a) (“This part establishes the criteria, procedures, and methods for resolving questions concerning:…(3) The eligibility of individuals who are employed by or are applicants for employment with NRC licensees, certificate holders, holders of standard design approvals under part 52 of this chapter, applicants for licenses, certificates, and NRC approvals, and others who may require access related to a license, certificate, or NRC approval, or other activities as the Commission may determine, for access to Restricted Data under the Atomic Energy Act of 1954, as amended, and the Energy Reorganization Act of 1974, or for access to national security information.”).

The defense sector also tightly circumscribes processes on personnel clearances and the handling of sensitive classified information. For example, the National Industrial Security Program Operating Manual (Department of Defense guidance on the regulation of contractors in the industrial security sector) addresses contractors’ protection of such information and the processes for contractor personnel to obtain clearances. [39]

[39] National Industrial Security Program, Operation Manual, Feb. 2006, §§ 2–200–2–211, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf.

Failure to have robust and adequate personnel safeguards can lead to significant harm inflicted by those on the inside. The Swiss financial institution UBS provides a telling example. A systems administrator who worked for UBS in New Jersey, Robert Duronio, wreaked havoc on company systems after reportedly expressing dissatisfaction with his salary and bonuses. Duronio planted a “logic bomb” in UBS’s systems that activated after his departure and brought down roughly 2,000 UBS computers. The attack cost the company more than $3 million in repairs, in addition to lost revenue stemming from crippled trading capability. [40] (Duronio was sentenced to 97 months in prison.) [41]

[40] U.S. Department of Justice, “Disgruntled UBS PaineWebber Employee Charged with Allegedly Unleashing ‘Logic Bomb’ on Company Computers,” Dec. 17, 2002, https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/duronioIndict.htm; Stephen Foley, “Disgruntled Worker ‘Tried to Cripple UBS in Protest over $32,000 Bonus’,” Independent, June 8, 2006, https://www.independent.co.uk/news/business/news/disgruntled-worker-tried-to-cripple-ubs-in-protest-over-32000-bonus-481515.html.

[41] Ericka Chickowski, “Former UBS System Administrator Gets Eight Years for Logic Bomb,” SC Media, Dec. 18, 2006, https://www.scmagazineuk.com/article/1467247.

We should assume that determined foreign adversaries are capable of hiring programmers who can damage American elections. We have certainly seen foreign governments engage in similar actions against private companies. In 2006, Dongfan “Greg” Chung, a former engineer at Boeing, was arrested for hoarding trade secrets about the U.S. space shuttle program with the intent to pass this information to the Chinese government. Federal agents found sensitive documents in his home, along with journals detailing his communications with Chinese officials. Chung was convicted in 2009 of economic espionage and acting as an agent of China,[42] and sentenced to 15 years in prison.[43]

[42] U.S. Department of Justice, “Former Boeing Engineer Convicted of Economic Espionage in Theft of Space Shuttle Secrets for China,” July 16, 2009, https://www.justice.gov/opa/pr/former-boeing-engineer-convicted-economic-espionage-theft-space-shuttle-secrets-china.
[43] “Chinese-Born Engineer Gets 15 Years for Spying,” Associated Press, Feb. 8, 2010, http://www.nbcnews.com/id/35300466/ns/us_news-security/t/chinese-born-engineer-gets-years-spying/#.XUrYm-hKg2w.

Transparent Ownership

Lack of transparency into ownership and control of election vendors can mask foreign influence over an election vendor and corruption in local certification and contracting. We recommend mandated disclosure of significant — more than 5 percent — ownership interests and a prohibition on significant foreign ownership or control (with the option to request a waiver, if certain conditions are met). The purpose is not only to deter malfeasance and corruption but also to reassure voters that the motives of election vendors are aligned with the public’s interest in free and fair elections.

The threats posed by foreign influence over a U.S. election vendor — including the heightened potential for foreign infiltration of the vendor’s supply chain or knowledge of client election officials’ capabilities and systems — should be obvious. A federal framework for securing elections should limit significant foreign ownership of election system vendors.

Over the last several years, the topic of foreign ownership of election vendors has occasionally made headlines.[44] In 2018, the FBI informed Maryland officials that a vendor servicing the state, ByteGrid LLC, had been under the control of a Russian oligarch with close ties to President Vladimir Putin.[45] In 2019, ByteGrid sold all of its facilities and customer agreements to a company called Lincoln Rackhouse.[46]

[44] For example, there were reports that Venezuelan interests with ties to the Venezuelan government owned the parent company of an election vendor, Sequoia Voting Systems, which Dominion later acquired. See Tim Golden, “U.S. Investigates Voting Machines’ Venezuela Ties,” New York Times, Oct. 29, 2006, https://www.nytimes.com/2006/10/29/washington/29ballot.html. The Venezuelan owners of Sequoia’s parent company eventually agreed to sell Sequoia. See Zachary A. Goldfarb, “U.S. Drops Inquiry of Voting Machine Firm,” Washington Post, Dec. 23, 2006, http://www.washingtonpost.com/wp-dyn/content/article/2006/12/22/AR2006122201304.html.
[45] Mark Morales, “Maryland Election Contractor Has Ties to Russian Oligarch,” CNN, July 16, 2018, https://www.cnn.com/2018/07/16/politics/maryland-elections-russia/index.html; Chase Cook and E.B. Furgurson III, “FBI Informs Maryland of Election Software Owned by Russian Firm, No Known Breaches,” Capital Gazette, July 13, 2018, https://www.capitalgazette.com/news/government/ac-cn-russian-election-0714-story.html.
[46] Rich Miller, “Lincoln Rackhouse Continues Expansion With Purchase of ByteGrid,” Data Center Frontier, May 8, 2019, https://datacenterfrontier.com/lincoln-rackhouse-continues-expansion-with-purchase-of-bytegrid/.

At the same time, lack of insight into election vendor ownership presents a serious risk that vendor-led influence campaigns and public officials’ conflicts of interest will escape public scrutiny. Officials might award vendor contracts in exchange for gifts or special treatment rather than to those that would best facilitate free and fair elections. Transparency into ownership and control is required for the public to assess whether officials engaged in procurement and regulation have been improperly influenced.

There are a range of approaches to these problems of improper foreign and domestic influence. We recommend a stringent yet flexible standard: a requirement to disclose all entities or persons with a greater than 5 percent ownership or control interest, along with a ban on foreign ownership in that same amount,[47] with an option for the EAC to grant a waiver after consultation with DHS. While this proposal would address instances of foreign control over election vendors, such as ByteGrid, it could also impact companies such as Dominion Voting Systems, the second-largest voting machine vendor in the United States, whose voting machines are used by more than one-third of American voters and whose headquarters are in Toronto. Similarly, Scytl Secure Electronic Voting, which offers election night reporting and other election technologies to hundreds of election jurisdictions around the United States, is based in Barcelona.[48] A waiver would provide a means for these and other vendors with foreign ties to disclose those relationships and put in place safeguards to prevent foreign influence and alleviate security concerns, thus offering a reasonable path for a wide range of vendors to participate in the election technology market. Beyond this initial disclosure requirement, vendors should have an ongoing obligation to notify their customers and the EAC of any subsequent changes in their ownership or control.

[47] We recommend defining “foreign national” as someone who is neither a U.S. citizen nor a U.S. permanent resident, as this is the definition used by the FEC in prohibiting foreign contributions to candidates.
[48] Jordan Wilkie, “‘They Think They Are Above the Law’: The Firms that Own America’s Voting System,” Guardian, Apr. 23, 2019, https://www.theguardian.com/us-news/2019/apr/22/us-voting-machine-private-companies-voter-registration; Hitt et al., The Business of Voting; Scytl, “US Elections,” https://www.scytl.com/en/customers/us-elections/.

The EAC can look to other sectors for examples of vendor disclosure of ownership or control agreements. The Department of Defense’s National Industrial Security Program Operating Manual is instructive. It requires companies to “complete a Certificate Pertaining to Foreign Interests when . . . significant changes occur to information previously submitted,”[49] and it requires vendors to submit reports when there is “any material change concerning the information previously reported by the contractor concerning foreign ownership control or influence.”[50]

[49] National Industrial Security Program, Operation Manual, Feb. 2006, § 2–302, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf.
[50] National Industrial Security Program, Operation Manual, §1–302(g)(5).

Lawmakers have already introduced legislation to improve transparency in ownership or control of election system vendors, with mechanisms ranging from disclosure requirements to strict bans on foreign ownership or control. One approach recently adopted in North Carolina requires disclosure of all owners with a stake of 5 percent or more in a vendor’s company, subsidiary, or parent, so that the state’s Board of Elections can consider this information before certifying a voting system.[51]

[51] North Carolina Board of Elections, Election Systems Certification Program, amended June 2019, 3–20, https://s3.amazonaws.com/dl.ncsbe.gov/State_Board_Meeting_Docs/2019–06–13/Voting%20System%20Certification/NCSBEVotingSystemsCertificationProgram_06132019.pdf; Ben Popken, “State Officials Demand Voting System Vendors Reveal Owners after Russian Hacks and Investments,” NBC News, June 24, 2019, https://www.nbcnews.com/politics/elections/voting-system-vendors-reveal-owners-after-russian-hacks-investments-n1020956.

On the other end of the spectrum, the For the People Act and the SAFE Act would require that vendors in states receiving federal grants be owned and controlled by U.S. citizens or permanent residents, with no option for a waiver.[52] Similarly, the Election Vendor Security Act would have required each vendor to certify that “it is owned and controlled by a citizen, national, or permanent resident of the United States, and that none of its activities are directed, supervised, controlled, subsidized, or financed, and none of its policies are determined by, any foreign principal” or agent.[53]

[52] For the People Act, H.R. 1, 116th Cong. (2019), § 298A; Securing America’s Federal Elections Act, H.R. 2722, 116th Cong. (2019), § 297A.
[53] Election Vendor Security Act, H.R. 6435, 115th Cong. (2018).

Other proposals would prohibit foreign control but provide for a waiver, as we suggest. For instance, the Protect Election Systems from Foreign Control Act would require vendors to be “solely owned and controlled by a citizen or citizens of the United States” absent a waiver.[54] Such waivers could be granted if the vendor “has implemented a foreign ownership, control, or influence mitigation plan that has been approved by the [DHS] Secretary . . . ensur[ing] that the parent company cannot control, influence, or direct the subsidiary in any manner that would compromise or influence, or give the appearance of compromising or influencing, the independence and integrity of an election.”[55]

[54] Protect Election Systems from Foreign Control Act, H.R. 6449, 115th Cong. (2018).
[55] Protect Election Systems from Foreign Control Act, H.R. 6449, 115th Cong. (2018).

With respect to defining an ownership or control interest of greater than 5 percent, the EAC could borrow from the approach used by the Federal Communications Commission (FCC). The FCC typically defines foreign ownership, including indirect ownership, by multiplying the percentage of shares an owner has in one company by the percentage of shares that company owns in a regulated broadcast or common carrier licensee. For instance, if a foreign person owned 30 percent of company A, and company A owned 25 percent of company B, the foreign person would be deemed to own 7.5 percent of company B. For purposes of voting shares, the FCC treats a majority stake as 100 percent, whereas for equity shares, the actual percentages are used.[56]

[56] In Review of Foreign Ownership Policies for Broadcast, Common Carrier and Aeronautical Radio Licensees under Section 310(b)(4) of the Communications Act of 1934, as Amended, FCC 16–128, §1.5001(f) (Sept. 29, 2016).
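The multiplication rule described above, applied to a layered ownership structure and checked against the 5 percent threshold. This is an added example, not code from the report, the FCC or the EAC. All company names and stakes are constructed, and summing parallel ownership chains and skipping cross-holdings are assumptions of this sketch.

```python
from fractions import Fraction

# Constructed ownership records: (owner, owned, equity %, voting %).
# Every name and stake below is hypothetical.
STAKES = [
    ("Person P", "Company A", 30, 30),    # the report's own 30% x 25% case
    ("Company A", "Company B", 25, 25),
    ("Holder X", "HoldCo", 8, 8),
    ("HoldCo", "Vendor V", 40, 60),       # minority of equity, majority of votes
    ("Investor Y", "Vendor V", 4, 4),     # direct stake, under 5% on its own
    ("Investor Y", "Fund F", 10, 10),
    ("Fund F", "Vendor V", 20, 20),
    ("Vendor V", "HoldCo", 10, 10),       # cross-holding, creates a cycle
]
FOREIGN = {"Holder X"}    # hypothetical set of foreign-national owners
THRESHOLD = Fraction(5)   # percent; the report's "greater than 5 percent"


def link_fraction(pct, kind):
    """Fraction of the owned company attributed across a single link."""
    share = Fraction(pct, 100)
    # Per the text: for voting shares a majority stake counts as 100 percent;
    # for equity shares the actual percentage is used.
    if kind == "voting" and share > Fraction(1, 2):
        return Fraction(1)
    return share


def attributed_interest(stakes, owner, target, kind="equity"):
    """Percent of `target` attributed to `owner` across all ownership chains."""
    column = 2 if kind == "equity" else 3
    holdings = {}
    for record in stakes:
        holdings.setdefault(record[0], []).append((record[1], record[column]))

    def walk(node, on_path):
        if node == target:
            return Fraction(1)
        total = Fraction(0)
        for owned, pct in holdings.get(node, []):
            if owned in on_path:          # cross-holding: do not loop forever
                continue
            # Multiply along a chain; add parallel chains (assumption).
            total += link_fraction(pct, kind) * walk(owned, on_path | {owned})
        return total

    return walk(owner, {owner}) * 100


def ownership_review(stakes, target, foreign=frozenset(), threshold=THRESHOLD):
    """Owners whose equity or voting interest in `target` exceeds the threshold."""
    owners = sorted({record[0] for record in stakes} - {target})
    findings = []
    for owner in owners:
        equity = attributed_interest(stakes, owner, target, "equity")
        voting = attributed_interest(stakes, owner, target, "voting")
        if max(equity, voting) > threshold:
            findings.append({
                "owner": owner,
                "equity_pct": float(equity),
                "voting_pct": float(voting),
                # Foreign owners above the threshold would need a waiver
                # under the report's proposal.
                "needs_waiver": owner in foreign,
            })
    return findings


if __name__ == "__main__":
    for finding in ownership_review(STAKES, "Vendor V", FOREIGN):
        print(finding)
```

Holder X shows why both measures matter: its equity interest in Vendor V is 3.2 percent, but because HoldCo holds a majority of the votes, its voting interest is 8 percent and crosses the threshold.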

Processes For Reporting Cyber Incidents

Both the public and local and state governments are often kept in the dark about security breaches that affect election vendors. This state of affairs can undermine faith in the vote and leave election officials unsure about vendor vulnerabilities. To address these concerns, vendors should face robust incident reporting requirements and a mandate to work with affected election authorities.

Federal oversight should require vendors to agree to report security incidents as a condition of certification. The Election Assistance Commission should require that vendors report to it and to all potentially impacted jurisdictions within days of discovering an incident. The EAC’s existing Quality Monitoring Program requires only that vendors with certified voting equipment “submit reports of any voting system irregularities.”[57] At present, the reporting requirement extends only to vendors of voting systems and does not encompass any other facets of those vendors’ services, equipment, or operations. Election officials have long complained that vendors do not always share reports of problems with their systems.[58] Compounding the problem, a single vendor often serves many jurisdictions.[59]

[57] U.S. Election Assistance Commission, “Frequently Asked Questions: Voting System Certification Questions,” https://www.eac.gov/voting-equipment/frequently-asked-questions/.
[58] Lawrence Norden, Voting System Failures: A Database Solution, 2010, 9, https://www.brennancenter.org/sites/default/files/legacy/Democracy/Voting_Machine_Failures_Online.pdf.
[59] Hitt et al., The Business of Voting, 9–27.

Some legislation has already sought to mandate more fulsome incident reporting by vendors. The Secure Elections Act, which had bipartisan support before losing momentum in 2018, included a mandatory reporting provision. Under the bill, if a so-called election service provider has “reason to believe that an election cybersecurity incident may have occurred, or that an information security incident related to the role of the provider as an election service provider may have occurred,” then it must “notify the relevant election agencies in the most expedient time possible and without unreasonable delay (in no event longer than 3 calendar days after discovery of the possible incident)” and “cooperate with the election agencies in providing [their own required notifications].”[60]

[60] Secure Elections Act, S. 2261, 115th Cong. (2017); in a similar vein, the Election Vendor Security Act, H.R. 6435, 115th Cong. (2018), requires vendors to “report any known or suspected security incidents involving election systems . . . not later than 10 days after the vendor first knows or suspects that the incident occurred.”

Absent robust incident reporting, election officials and the public can be left unaware of potential threats that vendors might introduce into elections. As previously discussed, there is still considerable uncertainty concerning the alleged spearphishing attack and hack of a vendor involved in the 2016 elections. Much of what is known stems from the leak of a classified intelligence report obtained by the Intercept,[61] which identified the hacking victim as a Florida-based vendor, coupled with Special Counsel Robert Mueller’s report to the attorney general and indictment of 12 Russian intelligence officers.[62] Further complicating the picture of what happened, the Florida-based vendor, VR Systems, responded to an inquiry from Sen. Ron Wyden (D–OR) via letter, claiming that “based on our internal review, a private sector cyber security expert forensic review, and the DHS review, we are confident that there was never an intrusion in our EViD servers or network.”[63] According to the letter, EViD “is a front-end system used to check voters in at the polls and to provide information such as a voter’s polling location when they search for it.” This uncertainty offers little for the vendor’s clients to rely on in assessing the vendor’s ongoing cyber readiness and whether to continue to contract with the vendor in future elections.

[61] Secure Elections Act, S. 2261, 115th Cong. (2017); In a similar vein, the Election Vendor Security Act, H.R. 6435, 115th Cong. (2018) requires vendors to “report any known or suspected security incidents involving election systems . . . not later than 10 days after the vendor first knows or suspects that the incident occurred.”
[62] United States v. Netyksho et al., No. 1:18CR00215, 2018 WL 3407381, at 26 (D.D.C. Jul. 13, 2018).
[63] VR Systems, Letter to Sen. Ron Wyden, May 16, 2019, https://www.politico.com/f/?id=0000016a-e72c-d72a-af6e-f72eb6550002.

With mandated incident reporting, the EAC could provide the necessary assurance to election officials regarding the security of vendors by sharing information with election officials who need it, as well as by requiring appropriate remedial action, up to and including decertification.

Supply Chain Integrity

Federal regulators should require vendors to follow best practices for managing supply chain risks to election security. The new Technical Guidelines and Development Committee should define categories of subcontractors or products that pose serious risks, such as servers and server hosting, software development, transportation of sensitive equipment such as voting machines, and information storage. For instance, Liberty Systems, one of Unisyn Voting Solutions’ regional partners, would likely be covered, given that it “provides election and vital statistics, software, and support throughout counties in the State of Illinois.”[64] The TGDC’s guidelines could then require that vendors have a framework to ensure that high-risk subcontractors and manufacturers also follow best practices on cybersecurity, background checks, and foreign ownership and control, as well as reporting cyber incidents to the vendor.

[64] Liberty Systems, LLC, “About Us,” http://libertysystemsllc.com/.

This approach is being used in other areas of government, where a growing recognition of supply chain risk to national security exists. The Department of Defense has recently stepped up its enforcement of supply chain integrity and security standards, requiring review of prime contractors’ purchasing systems to ensure that Department of Defense contractual requirements pertaining to covered defense information and cyber incident reporting “flow down appropriately to . . . Tier 1 level suppliers” and that prime contractors have procedures in place for assessing suppliers’ compliance with those requirements.[65]

[65] Undersecretary of Defense, Memorandum Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review, U.S. Department of Defense, Jan. 21, 2019, https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140–19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf.

The Department of Defense now requires that contractors handling controlled unclassified information (CUI) “flow down” contractual clauses to subcontractors whose “performance will [also] involve [the department’s] CUI.” The TGDC should develop an analogous category of subcontractors and manufacturers for which the same cybersecurity, background check requirements, and foreign ownership concerns that apply to election vendors would apply, based on the subcontractor’s role and the opportunity for election security risk to be introduced.

Monitoring Vendor Compliance

To make its oversight most effective, the Election Assistance Commission must have the ability to confirm that federally certified vendors continue to meet their obligations. The fact that a vendor was, at some point in time, certified as meeting relevant federal standards is no guarantee that circumstances have not changed. Failure to stay in compliance should lead to appropriate remedial action by the EAC, up to and including decertification.

The EAC’s Quality Monitoring Program for voting systems provides a starting point for how this might work. The EAC offers a mechanism for election officials on the ground to provide information about any voting system anomalies present in certified voting machines. If an election worker submits a credible report of an anomaly, the EAC distributes it to state and local election jurisdictions with similar systems, the manufacturer of the voting system, and the testing lab that certified the voting system.[66] According to the EAC’s certification manual, “the Quality Monitoring Program is not designed to be punitive but to be focused on improving the process.”[67] The program, then, is focused more on compliance than certification or decertification, although decertification can result in cases of persistent noncompliance.

[66] U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 71.
[67] U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 73.

The SAFE Act and the For the People Act call for the testing of voting systems nine months before each federal general election, as well as for the decertification of systems that do not meet current standards.[68]

[68] Securing America’s Federal Elections Act, H.R. 2722, 116th Cong. (2019), § 202; For the People Act, H.R. 1, 116th Cong. (2019), § 3301.

A critical difference between the ability to monitor voting equipment and the practices of an election system vendor is that thousands of election officials and poll workers, and hundreds of millions of voters, interact with voting equipment on a regular basis. They can report anomalies when they see them. By contrast, most of the work of election system vendors happens out of public view.

For this reason, vendors must be obligated on an ongoing basis to remedy known security flaws or risk losing federal certification. Congress should provide the EAC with a mandate to ensure that vendors contract with independent security firms to conduct regular audits, penetration testing, and physical inspections and site visits, and to provide the results of those assessments to the EAC. One legislative proposal — the Protect Election Systems from Foreign Control Act — sought to do something similar by subjecting vendors to an annual evaluation to assess compliance with cybersecurity best practices.[69] The EAC’s effectiveness in its new oversight role would be diminished absent some power to monitor vendors’ efforts on this front — a power Congress ought to provide.

[69] Protect Election Systems from Foreign Control Act, H.R. 6449, 115th Cong. (2018), § 304.

The EAC could require regular penetration testing by third parties to assess vendors’ cyber readiness in real time. Such testing would give the EAC (and vendors) an opportunity to identify and remediate security flaws, hopefully before adversaries take advantage of them. The EAC should also consider using bug bounty programs, which have become a common tool deployed by private industry and government entities, including the Department of Defense.[70] Under bug bounty programs, friendly so-called white-hat hackers earn compensation for reporting vulnerabilities and risks to program sponsors. The For the People Act calls for such a program,[71] as does the Department of Justice’s Framework for a Vulnerability Disclosure Program for Online Systems.[72]

[70] U.S. Department of Defense, “Department of Defense Expands ‘Hack the Pentagon’ Crowdsourced Digital Defense Program,” Oct. 24, 2018, https://dod.defense.gov/News/News-Releases/News-Release-View/Article/1671231/department-of-defense-expands-hack-the-pentagon-crowdsourced-digital-defense-pr/.
[71] For the People Act, H.R. 1, 116th Cong. (2019), § 3402.
[72] A Framework for a Vulnerability Disclosure Program for Online Systems, Version 1.0, Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice, July 2017, https://www.justice.gov/criminal-ccips/page/file/983996/download.

Certified vendors should be required to submit to extensive inspection of their facilities. To assess compliance with cybersecurity best practices, personnel policies, incident reporting and physical security requirements, and the like, the EAC must be granted wide latitude to demand independent auditors’ access to vendor systems and facilities. This should include unannounced, random inspections of vendors. The element of surprise could serve as a powerful motivator for vendors to stay in compliance with EAC guidance.

The Defense Contract Management Agency (DCMA) performs an analogous, if broader, role for military contractors. Serving as the Defense Department’s “information brokers and in-plant representatives for military, Federal, and allied government buying agencies,” DCMA’s duties extend to both “the initial stages of the acquisition cycle and throughout the life of the resulting contracts.”[73] In that latter stage of a contract, DCMA monitors “contractors’ performance and management systems to ensure that cost, product performance, and delivery schedules are in compliance with the terms and conditions of the contracts.”[74] This function includes having personnel in contractor facilities assess performance and compliance.[75] Although our proposal does not envision the EAC performing an ongoing contract compliance role, the EAC’s enhanced oversight role could take some cues from DCMA’s inspection protocols and ability to closely scrutinize vendors.

[73] Defense Contract Management Agency, “About the Agency,” https://www.dcma.mil/About-Us/.
[74] Defense Contract Management Agency, “About the Agency.”
[75] See generally, Defense Contract Management Agency, “What DCMA Does,” Aug. 22, 2016, https://www.dcma.mil/News/Videos/videoid/480264/nav/Default/.

The NRC similarly holds inspection rights over those subject to its regulations, including companies that handle nuclear material and those holding licenses to operate power plants.[76] The NRC regulation requiring that those regulated “afford to the Commission at all reasonable times opportunity to inspect materials, activities, facilities, premises, and records under the regulations in this chapter” is of particular relevance to potential EAC oversight.[77] The NRC also has an extensive set of regulations concerning physical security at nuclear sites and of nuclear material.[78] Although these requirements are probably more onerous than those needed in the election sector (especially since nuclear material poses unique physical security risks), they could nonetheless prove instructive in crafting physical security requirements for vendors. Such requirements should go hand in hand with the cybersecurity best practices discussed above.

[76] 10 C.F.R. §§ 19.1–19.40.
[77] 10 C.F.R. § 19.14(a).
[78] 10 C.F.R. §§ 73.1–73.81.

Enforcing Guidelines

It is critical to have a clear protocol for addressing election system vendor violations of federal guidelines. If states require their election offices to use only federally certified vendors, revocation of federal certification could have a potentially devastating impact on the ability of jurisdictions to run elections and ensure that every voter is able to cast a ballot.

Again, the Election Assistance Commission’s process for addressing anomalies in voting equipment through its Quality Monitoring Program is instructive. If it finds that a system is no longer in compliance with the VVSG, the manufacturer is sent a notice of noncompliance. This is not a decertification of the machine but rather a notification to the manufacturer of its noncompliance and its procedural rights before decertification. The manufacturer has the right to present information, access the information that will serve as the basis of the decertification decision, and cure system defects prior to decertification. The right to cure system defects is limited; it must be done before any individual jurisdiction that uses the system next holds a federal election.[79]

[79] U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 65.

If decertification moves forward after attempts to cure or opportunities to submit additional information, the manufacturer may appeal the decision. If the appeal is denied, then the decertified voting system will be treated as any other uncertified system. The EAC will also notify state and local election officials of the decertification.[80] A decertified system may be resubmitted for certification and will be treated as any other system seeking certification.

[80] U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 69.

The EAC’s application of this process to the ES&S voting system Unity 3.2.0.0 provides an example of how this can happen. Certification of this system was granted in 2009.[81] In 2011, the EAC’s Quality Monitoring Program received information about an anomaly in the system and began a formal investigation.[82] A notice of noncompliance was then sent to ES&S in 2012, listing the specific anomalies found in the voting system and informing ES&S that if these anomalies were not remedied, the EAC would be obligated to decertify the voting system.[83] ES&S attempted to cure the defects, as was its right, and produced a new, certified version of the Unity system.[84] The vendor then requested that its old system be withdrawn from the list of EAC certified systems.[85]

[81] Thomas R. Wilkey (executive director, U.S. Election Assistance Commission), letter to Steve Pearson (vice president, Election Systems & Software), July 21, 2009, https://www.eac.gov/voting-equipment/-unity-3200/.
[82] Brian J. Hancock (director, Testing & Certification Program, U.S. Election Assistance Commission), letter to Steve Pearson (vice president, Election Systems & Software), Mar. 1, 2011, https://www.eac.gov/voting-equipment/-unity-3200/.
[83] Mark Robbins (general counsel and acting executive director, U.S. Election Assistance Commission), letter to Steve Pearson (vice president, Election Systems & Software), Feb. 1, 2012, https://www.eac.gov/voting-equipment/-unity-3200/.
[84] Steve Pearson (vice president, Election Systems & Software), letter to Mark Robbins (general counsel and acting executive director, U.S. Election Assistance Commission), Feb. 7, 2012, https://www.eac.gov/voting-equipment/-unity-3200/.
[85] Kathy Rogers (vice president, Election Systems & Software), letter to Brian J. Hancock (director, Testing & Certification Program, U.S. Election Assistance Commission), Aug. 3, 2012, https://www.eac.gov/voting-equipment/-unity-3200/.

Decertification of a vendor would need to be handled thoughtfully, so that local election officials are not left scrambling to contract new election services close to an election. In this sense, close coordination among federal and local officials and relevant vendors to proactively identify and fix issues would be necessary for any scheme to succeed. The EAC would also have to be left with the flexibility to decide what, if any, equipment and services could no longer be used or sold as federally certified. To that end, decertification should incorporate these key elements:

  • A voting system decertification should not necessarily result in a vendor decertification and vice versa. For instance, a voting machine vendor might be found to be out of compliance with federal requirements for background checks on employees. If the EAC determines this noncompliance did not impact the security of voting machines already in the field, it could leave the voting system certified but ban the vendor from selling additional machines (or certain employees from servicing existing machines) until the failure is remedied. Alternatively, it could allow the vendor’s voting machines to continue to be used for a limited time, subject to additional security measures, such as extra preelection testing and postelection audits.
  • There should be a clear process ahead of a formal decertification, with notification to affected state and local officials and plenty of opportunities for the relevant vendor to address issues before the EAC takes more drastic action. Only the most urgent and grave cybersecurity lapses should truncate this decertification process.
  • Any decertification order should include specific guidance to state and local officials on how existing vendor products or services are affected, assistance to those officials with replacing those goods or services (if necessary), and a road map for the vendor to regain certification.

Conclusion

Private election vendors play a crucial role in securing the nation’s elections against malicious actors who have already taken steps toward compromising elections and the public’s confidence in our democracy. Yet these vendors are currently subject to little oversight to ensure that they remain secure against these threats and that many of the products and services they provide, such as electronic pollbooks, are secure. Currently, only voting systems — the systems used to cast and tabulate ballots — are subject to robust federal oversight, and then only via a voluntary certification program. We recommend that Congress empower the Election Assistance Commission to certify election vendors more broadly as compliant with voluntary guidelines relating to cybersecurity, personnel, transparent ownership and control, reporting of cyber incidents, and supply chain integrity. In the meantime, the EAC should employ its registration and certification processes to ensure that vendors of certified voting systems keep up with these practices.

About the Authors

Lawrence Norden is director of the Election Reform Program at the Brennan Center for Justice, where he leads efforts to bring balance to campaign funding and break down barriers that keep Americans from participating in politics, ensure that U.S. election infrastructure is secure and accessible to every voter, and protect elections from foreign interference. He has authored several nationally recognized reports and articles related to voting rights and voting technology, including Securing Elections From Foreign Interference (2017), America’s Voting Machines at Risk (2015), and How to Fix Long Lines (2013). His work has been featured in media outlets across the country, including the New York Times, the Wall Street Journal, Fox News, CNN, MSNBC, and National Public Radio. He has testified before Congress and several state legislatures on numerous occasions. Norden is a member of the Election Assistance Commission’s Board of Advisors. This report is not affiliated with his role as an EAC advisor. He is a graduate of the University of Chicago and NYU School of Law.

Christopher R. Deluzio is the policy director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security. He was previously counsel in the Democracy Program at the Brennan Center for Justice, where his writing included nationally recognized work on voter purges, a procurement guide to assist in the selection and management of election vendors, and legal analysis of speech restrictions in polling places. Prior to joining the Brennan Center, he was a litigation associate in private practice with Wachtell, Lipton, Rosen & Katz and, before that, law clerk to Judge Richard J. Sullivan of the U.S. District Court for the Southern District of New York. He graduated magna cum laude from Georgetown Law, where he was elected to the Order of the Coif, served as an executive articles editor of the Georgetown Law Journal, and was selected as the top oralist in the Robert J. Beaudry Moot Court Competition and the Thurgood A. Marshall Memorial Moot Court Competition. He received a bachelor’s degree from the U.S. Naval Academy and, following graduation, served as an active-duty naval officer.

Gowri Ramachandran is senior counsel in the Brennan Center for Justice’s Democracy Program. She comes to the Brennan Center from Southwestern Law School in Los Angeles, California, where she is on leave from her position as professor of law. At Southwestern, she taught courses in constitutional law, employment discrimination, and critical race theory, as well as the Ninth Circuit Appellate Litigation Clinic, which received the Ninth Circuit’s 2018 Distinguished Pro Bono Service Award. She received her undergraduate degree in mathematics from Yale College and a master’s degree in statistics and JD from Harvard University. While in law school, she served as editor in chief of the Yale Law Journal. After graduating from law school in 2003, Ramachandran served as law clerk to Judge Sidney R. Thomas of the U.S. Court of Appeals for the Ninth Circuit in Billings, Montana. After a fellowship at Georgetown Law, she joined the Southwestern faculty in 2006.

Acknowledgments

The Brennan Center gratefully acknowledges BLT Charitable Trust, Carnegie Corporation of New York, Craig Newmark Philanthropies, Ford Foundation, Lee Halprin and Abby Rockefeller, The JPB Foundation, Leon Levy Foundation, Open Society Foundations, Barbara B. Simons, Wallace Global Fund, and Leslie Williams for their generous support of our election security work.

The authors would like to thank the numerous Brennan Center colleagues who collaborated in preparing this report. Brennan Center Fellow Derek Tisler and Legal Intern Cara Ortiz contributed crucial research and editorial support. Edgardo Cortés, Elizabeth Howard, and Daniel I. Weiner provided helpful revisions. Jeanne Park and Matthew Harwood of the Brennan Center’s communications team lent valuable review and editing assistance. The authors are grateful to Research and Program Associate Andrea Córdova McCadney for assistance in citation-checking and editing. The editorial and design assistance of Alexandra Ringe, Alden Wallace, Rebecca Autrey, and Zachary Laub allowed this report to reach publication.

This report also benefited from the many people willing to share their valuable expertise and provide insight in the review process. We gratefully acknowledge the following individuals for their helpful feedback: Marian Schneider, president, Verified Voting; Ryan Macias, election technology and security expert; Susan Greenhalgh, vice president for programs, National Election Defense Coalition; Bruce Schneier, security technologist and adjunct lecturer in public policy, Harvard Kennedy School; Gregory A. Miller, cofounder and chief operating officer, OSET Institute; E. John Sebes, cofounder and chief technology officer, OSET Institute; and Eddie Perez, global director of technology R&D, OSET Institute.