Illustration: Doug Chayka
Policy Solution

A Framework for Election Vendor Oversight


November 12, 2019

Executive Summary

More than 80 percent of voting systems in use today are under the purview of three vendors. 1 A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country. Other systems that are essential for free and fair elections, such as voter registration databases and electronic pollbooks, are also supplied and serviced by private companies. Yet these vendors, unlike those in other sectors that the federal government has designated as critical infrastructure, receive little or no federal review. This leaves American elections vulnerable to attack. To address this, the Brennan Center for Justice proposes a new framework for oversight that includes the following:

  • Independent oversight. A new federal certification program should be empowered to issue standards and enforce vendors’ compliance. The Election Assistance Commission (EAC) is the most logical agency to take on the role. Unfortunately, from its founding, the EAC has had a history of controversy and inaction in carrying out its core mission. In this paper, we assume that the EAC would be charged with overseeing the new program, and we make a number of recommendations for strengthening the agency so that it could take on these additional responsibilities. Whichever agency takes on this role must be structured to be independent of partisan political manipulation, fully staffed with leaders who recognize the importance of vendor oversight, and supported by enough competent professionals and experts to do the job.
  • Issuance of vendor best practices. Congress should reconstitute the EAC’s Technical Guidelines Development Committee (TGDC) to include members with more cybersecurity expertise and empower it to issue best practices for election vendors. (The TGDC already recommends technical guidelines for voting systems.) At the very least, these best practices should encourage election vendors to attest that their conduct meets certain standards concerning cybersecurity, personnel, disclosure of ownership and foreign control, incident reporting, and supply chain integrity. Given the EAC’s past failures to act on the TGDC’s recommendations in a timely manner, we recommend providing a deadline for action. If the EAC does not meet that deadline, the guidelines should automatically go into effect.
  • Vendor certification. To provide vendors a sufficient incentive to comply with best practices, Congress should expand the EAC’s existing voluntary certification and registration power to include election vendors and their various products. This expanded authority would complement, and not replace, the current voluntary federal certification of voting systems, on which ballots are cast and counted. Certification should be administered by the EAC’s existing Testing and Certification Division, which would require additional personnel.
  • Ongoing review. In its expanded oversight role, the EAC should task its Testing and Certification Division with assessing vendors’ ongoing compliance with certification standards. The division should continually monitor vendors’ quality and configuration management practices, manufacturing and software development processes, and security postures through site visits, penetration testing, and cybersecurity audits performed by certified independent third parties. All certified vendors should be required to report any changes to the information provided during initial certification, as well as any cybersecurity incidents, to the EAC and all other relevant agencies.
  • Enforcement of guidelines. There must be a clear protocol for addressing violations of federal guidelines by election vendors.

Congressional authorization is needed for some but not all elements of our proposal. The EAC does not currently have the statutory authority to certify most election vendors, including those that sell and service some of the most critical infrastructure, such as voter registration databases, electronic pollbooks, and election night reporting systems. For this reason, Congress must act in order for the EAC or other federal agency to adopt the full set of recommendations in this report. 2 Regardless, the EAC could, without any additional legislation, issue voluntary guidance for election vendors and take many of the steps recommended in this paper as they relate to voting system vendors. Specifically, it is our legal judgment that the EAC may require, through its registration process, that voting system vendors provide key information relevant to cybersecurity best practices, personnel policies, and foreign control. Furthermore, the EAC may deny or suspend registration based on noncompliance with standards and criteria that it publishes.

Ultimately, the best course of action would be for Congress to create a uniform framework for election vendors that adopts each of the elements discussed in this paper. In the short run, however, we urge the EAC to take the steps it can now to more thoroughly assess voting system vendors.

Introduction

The unprecedented attacks on America’s elections in 2016, and repeated warnings by the country’s intelligence agencies of future foreign interference, have raised the profile of election security in a way few could have imagined just a few years ago. The response has largely focused on improving the testing of voting machines before they are purchased and on training state and local election officials to institute best practices to prevent, detect, and recover from cyberattacks.

Yet private vendors, not election officials, build and maintain much of our election infrastructure. They create election websites that help voters determine how to register and where to vote; print and design ballots; configure voting machines; and build and maintain voter registration databases, voting machines, and electronic pollbooks. Not every jurisdiction outsources all of these functions, but all rely on vendors for some of this work and many for nearly all of it. Understandably, many local governments under fiscal pressure would rather contract out these functions than increase their election office staff, especially considering the cyclical nature of election-related work.

There is almost no federal regulation of the vendors that design and maintain the systems that allow us to determine who can vote, how they vote, or how their votes are counted and reported. While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight.

This is not the case in other sectors that the federal government has designated as critical infrastructure. Vendors in the defense sector, for example, face substantial oversight and must comply with various requirements, including rules governing the handling of classified information and supply chain integrity. The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more stringently than it does America’s election infrastructure. 1

There is a growing bipartisan appreciation that federal action is needed to address the risks that vendors might introduce into election infrastructure. Rep. Zoe Lofgren (D–CA), who chairs the Committee on House Administration, has said that a significant election-related “vulnerability comes from election technology vendors . . . who have little financial incentive to prioritize election security and are not subject to regulations requiring them to use cyber security best practices.” 2 Alabama’s Republican secretary of state, John Merrill, has called for the EAC to undertake “a centralized effort to evaluate the effectiveness of election equipment, whether it be for voter administration purposes, electronic poll books,” or the like. 3

While state and local governments retain primacy in running elections, only the federal government has the resources and constitutional responsibility to ensure that the more than 8,000 local election jurisdictions have access to information and expertise to safeguard federal elections from insecure vendor practices. 4 The ability of a foreign power to exploit the vulnerabilities of a vendor in a single county in Pennsylvania could have extraordinary repercussions for the country.

[Sidebar: Vendor Involvement in Elections]

Given the lack of federal oversight, the relatively small number of vendors with significant market share, 5 and their “severe underinvestment in cybersecurity,” 6 the Brennan Center proposes that the federal government take on a more substantial oversight role. Under our proposal, the EAC would extend its existing certification regime from voting systems to include all vendors that manufacture or service key parts of the nation’s election infrastructure. The commission would also continuously monitor vendors, with the power to revoke certification. (The EAC currently has that power but only uses it to oversee the systems themselves.)

Definition of Election Vendor

This paper refers to “election vendors” when discussing those entities that provide election services to jurisdictions throughout the United States. A 2017 University of Pennsylvania report on the election technology industry described these entities as those “that design, manufacture, integrate, and support voting machines and the associated technological infrastructure.” 7 While the report focused largely on voting systems, quantifying the sector’s annual revenue at $300 million, 8 the election vendors referred to also include those that do not participate in the voting systems market but provide other election-related goods and services. For the purposes of this paper, “vendor” is defined to include any private individual or business that manufactures, sells, programs, or maintains machines that assist in the casting or tallying of votes, voter registration databases, electronic pollbooks, or election night reporting systems.

Vendors Present Points of Attack into Election Infrastructure

Private vendors’ central role in American elections makes them prime targets for adversaries. Yet it is impossible to assess the precise level of risk associated with vendors, or how that risk affects election security. As a 2018 U.S. Senate Intelligence Committee report observed, “State, local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of [election] vendors.” 9

This limited visibility into vendors includes

  • vendor cybersecurity practices (how vendors protect their own information technology infrastructure and data);
  • foreign ownership of vendors (whether foreign nationals, or agents of foreign governments, own companies performing critical election functions);
  • personnel policies and procedures (whether background checks and other procedures are in place to safeguard against inside attacks);
  • cybersecurity incident response (how vendors alert relevant authorities of attacks); and
  • supply chains (where parts, software patches, and installations come from; how are they transported; and how they are kept secure).

Revelations that Russian actors targeted an election vendor in the lead-up to the 2016 election provide a useful example of how little insight there is into vendor security.

Special Counsel Robert Mueller’s report to the attorney general and indictment of 12 Russian intelligence officers both included allegations that these officers hacked a private U.S. elections systems vendor. The vendor is believed to operate in at least eight states, including the battleground states of North Carolina, Virginia, and Florida. 10

According to the special counsel, hackers gained access to the vendor’s computers and used an email account designed to look like the vendor’s to send spearphishing emails to Florida election officials. 11 Per the indictment, “the spearphishing emails contained malware that the Conspirators embedded into Word documents bearing [the vendor’s] logo.” 12 According to Florida Governor Ron DeSantis, the hackers breached the election systems of two Florida counties. 13

We still don’t know all the facts. Even in the rare instance that the public learns of a vendor hack — as it did through the special counsel’s investigation — many questions remain unanswered. When and how did the vendor learn of these attacks? What preventive measures were in place? What steps did the vendor take after discovering it was targeted to ensure that it was not infiltrated? Did it immediately inform its customers? The public generally never learns the answers to these questions, and there are no federal laws or regulations requiring private vendors to take any action in the event of a cyberattack.

Similarly, Vice recently reported that election night reporting systems sold by Election Systems & Software (ES&S), the country’s leading election vendor, had been exposed to the public internet, potentially for years on end. (ES&S denied the substance and significance of the report.) Although ES&S voting machines are certified by the EAC, the configuration used to transmit results is not. 14

The lack of visibility into vendors and their cybersecurity can also contribute to an inability to detect poor practices that might affect vendor performance until it is too late. In 2017, ES&S left the sensitive personal information of 1.8 million Chicago voters publicly exposed on an Amazon cloud server. 15 That information reportedly included “addresses, birth dates and partial Social Security numbers,” 16 information valuable to hackers.

Opaque supply chains further exacerbate the problem. Earlier this year, an IBM Security Services investigation on behalf of Los Angeles County found that compatibility issues between the voter list and an ES&S subsidiary’s software contributed to nearly 120,000 voters being left out of printed pollbooks and forced to request provisional ballots. 17


Although the EAC can conduct manufacturing site visits through its Quality Monitoring Program, 18 this program extends only to voting systems that are submitted for voluntary certification and does not cover the full menu of vendor products and services. There is no federal scrutiny of supply chains for components sourced for noncertified products and services, for example, despite the finding of the Department of Homeland Security (DHS) that “contractors, sub-contractors, and suppliers at all tiers of the supply chain are under constant attack.” 19

The recent ban on certain technologies made by the Chinese company Huawei is a stark illustration of the growing recognition of supply chain risk. 20 Vendors’ use of local or regional partners or subcontractors adds to the lack of visibility. For instance, Unisyn Voting Solutions, a digital scan voting system manufacturer whose systems have been certified by the EAC, identifies a range of partners in several states on its website. 21 Neither Unisyn nor these partners are currently subject to the kind of oversight we recommend.

Election officials often depend on vendors whose practices are opaque. Yet these companies — unlike those in other critical infrastructure sectors, such as defense, nuclear, dams, and energy — face almost no federal oversight of their security systems. There are no requirements that vendors report breaches, screen employees’ backgrounds, patch security flaws, report foreign ownership or control, or ensure the physical security of sensitive software and hardware.

Independent Federal Oversight

This paper assumes that the Election Assistance Commission would be the agency charged with overseeing election vendors. There are many reasons why the EAC is the most logical choice for this role. One among them is that the EAC already certifies voting equipment and issues voluntary guidance. Because it is structured as an independent agency with bipartisan membership, it faces less risk of undue political meddling in the technical work of overseeing election vendors than a traditional executive agency would. Its structure could also help avoid dramatic shifts in oversight approaches with a change of presidential administrations. 22

Unfortunately, the EAC has been plagued by controversy for years. Its leaders have waded into contentious issues, such as voter identification and proof of citizenship, that have little relation to the agency’s core responsibilities. 23 It has missed deadlines for completing critical functions, such as adopting voting system guidelines. 24 And there are concerns that it has not taken election security seriously enough, 25 as well as “complaints of infighting, high [staff] turnover and cratering morale.” 26

If the EAC were chosen for this role, Congress would need to take a number of actions to make its success more likely. First, it would need to increase the agency’s budget. The new role would constitute a major expansion of the EAC’s regulatory mandate. In recent years, despite the increased threat of cyberattacks against our nation’s election infrastructure, funding for the EAC has dropped sharply. The agency’s budget in fiscal year 2019 was just $9.2 million, down from $18 million in fiscal year 2010. 27

With expanded oversight authority, the EAC would need to dramatically increase its cybersecurity competency and knowledge. To facilitate this increased technical focus, we outline below how the existing Technical Guidelines Development Committee would need to be modified to emphasize technical proficiency and, specifically, cybersecurity expertise. We also recommend greater deference to this modified technical committee, permitting its recommended voluntary guidelines to take effect absent overriding action by the EAC. These changes, too, would require congressional action.

On the personnel front, Congress would need to commit to keeping EAC seats filled by leaders who are dedicated to working with each other and with career staff to ensure the security of our election infrastructure. Congress’s failure to replace commissioners left the EAC without a quorum between December 2010 and December 2014 and then again between March 2018 and February 2019.

Finally, given the breadth and scope of this new mandate, Congress would need to subject the agency to more scrutiny and oversight than it has in the past. 28

If Congress is unable or unwilling to take these steps, it should find a different agency to oversee election vendor certification. Any agency placed in that role must be structured so as to remain independent of partisan control. It will need experienced, effective staff and leadership who are committed to election security, cybersecurity, technical competency, and good and effective election administration.

Most of the policies suggested in this report will require congressional authorization. Not least of these is extending the Election Assistance Commission’s regulatory authority to reach election system vendors for products and services other than voting machines, including voter registration databases, electronic pollbooks, and election night reporting. However, the EAC can, under its current authority, institute a voluntary system of oversight of the security practices of vendors that supply voting systems, using a combination of its registration and certification schemes.

In order to register, voting system vendors must already provide the EAC with critical information about their ownership, along with written policies regarding their quality assurance mechanisms. Vendors must agree to certain program requirements, and registrants can be suspended if they fail to continue to abide by the registration requirements. A system cannot be submitted for certification unless its manufacturer is currently registered with the EAC. i The need for this type of information is clear: in order to carry out its certification, decertification, and recertification authority, including the provision of a fair process to vendors who risk decertification or denial of certification, the EAC must be able to maintain communication with voting system vendors and ensure compliance with quality assurance mechanisms on an ongoing basis.

To ensure that certified voting systems are secure, the EAC can adopt Voluntary Voting System Guidelines (VVSG) that outline best practices for vendors as they relate to cybersecurity, personnel, foreign control, and supply chain integrity. Voting system vendors can then be required, as part of registration, to provide information on their compliance with these standards.

For instance, the current VVSG provide special guidelines for voting systems that use public telecommunications networks in order to ensure that they are protected against external threats, including monitoring requirements. Similarly, the guidelines require verification methods for both software setup and any software update packages. ii New guidelines could outline why background checks for personnel are necessary to ensure the ongoing security of voting systems, including upgrades and changes. iii

The current registration process could also allow the EAC to ensure that various voting system vendor best practices remain in force over time. The process imposes a continuing responsibility on vendors to report any changes in the information supplied to the EAC and to “operate . . . consistent with the procedural requirements” established by the EAC’s testing and certification manual. Thus, if registration mandated, for example, the provision of cybersecurity information from vendors, they would be required to report cybersecurity changes or incidents pursuant to their responsibility to keep registration information up to date. Registration could be suspended if vendors failed to maintain policies consistent with the EAC’s requirements. iv

While expanding oversight of voting system vendors to ensure compliance with the basic security measures discussed in this paper would not be a substitute for a full certification system for all election system vendors, it would be a significant step toward providing greater accountability for voting system vendors.

i U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 12–19.

ii Voluntary Voting Systems Guidelines, Vol.1, Version 1.1, §7.4.6, §7.5, §7.5.2, §7.5.3.

iii The adoption of modern approaches such as agile software development and the provision of ongoing technical support makes information about a vendor’s ongoing compliance with best practices critical for determining the level of risk posed by upgrades and changes, including some that might be deemed de minimis if vendor security practices are strong. See U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0

iv U.S. Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 17. Suspension of an entire vendor, like decertification of a vendor, would similarly need to be handled thoughtfully. See Enforcing Guidelines section on this report.

A New Framework for Election Vendor Oversight

Under the Brennan Center’s proposal, the Election Assistance Commission’s oversight role would be substantially expanded. Oversight would extend beyond voting equipment 1 to election vendors themselves. The current voting system testing is intentionally quite limited: it occurs at the end of the design, development, and manufacture of voting system equipment. It does not ensure that the vendors have engaged in best supply chain or cybersecurity practices when developing equipment or when servicing or programming it once it is certified. 2 Nor does the system ensure that the vendor has conducted background checks on employees or set up controls limiting access to sensitive information.

Despite its limitations, the EAC’s Testing and Certification Program, a voluntary program that certifies and decertifies voting system hardware and software, provides a good template for a vendor oversight program. A variety of bills, including the Election Security Assistance Act proposed by Rep. Rodney Davis (R–IL) and the Democratic-sponsored SAFE Act and For the People Act, have called for electronic pollbooks, which are not currently considered voting systems and are therefore not covered by the program, to be included in its hardware and software testing regime. 3

Currently, the Technical Guidelines Development Committee, a committee of experts appointed jointly by the National Institute of Standards and Technology (NIST) and the EAC, sets certification standards for voting systems. These guidelines, known as the Voluntary Voting System Guidelines (VVSG), can be adopted, with modifications, by a majority of EAC commissioners. Once approved, they become the standards against which voting machines are tested for federal certification. The VVSG ensures that voting systems have the basic functionality, accessibility, and security capabilities required by the Help America Vote Act (HAVA). 4

Future iterations of the VVSG and certification process may change slightly: commissioners have suggested that they may support a new version of the VVSG that adopts high-level principles and guidelines for the commission to approve, along with a more granular set of certification requirements, which staff could adjust from time to time. 5

Once new voting system guidelines are adopted, the EAC’s Testing and Certification Division tests the systems (per the VVSG), certifies them, monitors them, and, if critical problems are later discovered, decertifies them. The EAC conducts field tests of voting machines only if invited or given permission by a state election official. It does not do this on a routine basis. 6 Rather, election officials using the certified voting machines have the option to report system anomalies to the EAC. If the EAC deems a report credible, it may begin a formal investigation and work with the vendor to address the problem. If the vendor fails to fix the anomaly, the EAC is obligated to decertify the voting system. 7

With some important modifications, we recommend a similar regime for certifying election system vendors. The commissioners should adopt a set of principles and guidelines for vendors recommended by a Technical Guidelines Development Committee, as well as a more detailed set of requirements that could be adjusted as needed by EAC staff. We recommend that the EAC routinely monitor certified vendors to ensure ongoing compliance and establish a process for addressing violations of federal standards, including through decertification.

A Voluntary Regime

Federal certification will only be meaningful if state and local governments that contract with election system vendors rely on it when making purchasing decisions.

For this reason, some have recommended that state and local governments be required to use only vendors that have been federally certified. For instance, the Election Vendor Security Act proposes that state and local election administrators be banned from using any vendor for federal elections that does not meet some minimum standards. 8

There are obvious benefits to a mandatory regime. Most important, it would ensure that all jurisdictions throughout the country use vendors that have met minimum security standards. But there are drawbacks as well. Not least of these is that some states and localities might view a federal mandate to use certain vendors as a usurpation of their power to oversee their own elections, making the creation of a federal program politically challenging.

Moreover, since private vendors are so deeply entwined in the running of our elections, requiring towns, counties, and states to use only certified vendors could present problems. If a vendor failed the certification process (or decided not to apply for certification), some counties would not be able to run their elections. Others might be forced to spend tens of millions of dollars to purchase new equipment and services before they could run elections again, even if they had determined that they could have run their elections securely.

A voluntary approach — leaving it to the states and local jurisdictions to decide whether to contract with non–federally certified vendors — could draw states into the voting system certification process. It may also be more politically feasible. A voluntary approach would give state and local jurisdictions the flexibility to take additional security measures if their current vendors did not obtain federal certification. In selecting new vendors, most states and local election officials would likely rely on federal certification in making purchases, as they do with voting machines. Democrats in Congress opted for this approach in the For the People Act and the SAFE Act. Both measures would incentivize participation by providing grants to states that acquire goods and services from qualified election infrastructure vendors or implement other voting system security improvements. 9

The drawback of a voluntary program is that states and vendors may ignore it. But there is reason to believe that there would be wide participation in a voluntary federal program. Even though the current voting machine certification program is voluntary, 47 of 50 states rely on the EAC’s certification process for voting machines in some way. 10 Another voluntary program, DHS’s Election Infrastructure Sector Coordinating Council, was founded in 2018 to share information among election system vendors. Numerous major election vendors have supported it as organizing members. 11

Guidelines Developed by an Empowered, More Technical Committee

A new Technical Guidelines Development Committee, with additional cybersecurity experts, should be charged with crafting vendor certification guidelines for use by the Election Assistance Commission, incorporating best practices that election vendors must meet. These guidelines should go into effect unless the EAC overrides the recommendation within a specified period of time. This deference to the technically expert TGDC in the absence of an override by policymakers is necessary to avoid the kinds of lengthy delays that have stood in the way of prior attempts to update the VVSG. 12 The NIST cybersecurity framework should be the starting point for these best practices, and the TGDC need only apply election-specific refinements to this existing framework.

The TGDC is chaired by the director of NIST. Its 14 other members are appointed jointly by the director and the EAC. 13 We recommend that Congress authorize NIST to expand the TGDC’s membership to include the wider range of expertise necessary to fulfill its role in defining vendor best practices. These new members should explicitly be required to have cybersecurity expertise. Congress should also mandate that a representative from the new DHS Cybersecurity and Infrastructure Security Agency (CISA), a leading voice in cybersecurity defense, including in the elections sector, join the TGDC. The Vendor System Cyber Security Act of 2019, introduced by Sen. Gary Peters (D–MI), would require this step. 14 Similarly, Congress should mandate the inclusion of a representative from the National Association of State Chief Information Officers (NASCIO) with expertise in cybersecurity. 15

Reconstituting the TGDC in this manner would not only ensure that it has the relevant expertise to set guidelines for vendors but also that there are more members with technical backgrounds.

As noted above, we recommend permitting the guidelines developed by the TGDC to take effect in the event that the EAC fails to act on them within a specified time period. We also recommend that vendors seeking certification must always meet the most recent set of guidelines. This, along with the expanded membership of the TGDC, will provide the necessary assurance that best practices are updated in a timely fashion and that vendors seeking certification meet the most up-to-date standards. 16

The new TGDC will be responsible for developing federal certification guidelines that vendors must satisfy to sell key election infrastructure and services for use in federal elections. Areas that should be covered in such guidelines include

  • cybersecurity best practices,
  • background checks and other security measures for personnel,
  • transparent ownership,
  • processes for reporting cyber incidents, and
  • supply chain integrity.

Below, we discuss the importance of each of these items, what guidelines in each of these areas could look like, and how to ensure compliance.

Cybersecurity Best Practices

The lead-up to the 2016 presidential election provided numerous examples of the devastating consequences of failing to heed cybersecurity best practices. Through a series of attacks that included spearphishing emails, Russian hackers gained access to internal communications of the Democratic National Committee (DNC). 17 The DNC reportedly did not install a “robust set of monitoring tools” to identify and isolate spearphishing emails on its network until April 2016, which, in retrospect, was far too late. 18 The chairman of Hillary Clinton’s campaign, John Podesta, fell prey to a similar attack. 19 These threats did not end in 2016; in the run-up to the 2018 elections, hackers targeted congressional candidates including Sen. Claire McCaskill (D–MO) and Hans Keirstead, who ran in a Democratic Party primary in California. 20

Guarding against spearphishing emails is Cybersecurity 101. Yet the numerous reports of successful spearphishing attacks suggest that many individuals and organizations fail to meet even that low bar of cyber readiness. Are vendors guarding against these (and other) attacks? 21 Special Counsel Robert Mueller’s report on 2016 election interference indicates that an employee at an election vendor fell victim to a spearphishing attack, enabling malware to be installed on that vendor’s network. The vendor, which many assume is VR Systems, has denied that the attackers were able to breach its system. 22 Under the current regime, which lacks any meaningful visibility into vendors’ cybersecurity practices, we simply do not, and cannot, know.

The new Technical Guidelines Development Committee should craft cybersecurity best practices that include not only equipment- and service-related offerings but also internal information technology practices, cyber hygiene, data access controls, and the like. Various bills have proposed that the TGDC take on this role, including the SAFE Act, the Election Security Act, and the For the People Act. 23

The NIST Cybersecurity Framework 24 should be the starting point and be supplemented by election-specific refinements. NIST advises that “the Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations. . . . [It] should be customized by different sectors and individual organizations to best suit their risks, situations, and needs.” 25

When seeking Election Assistance Commission certification, vendors should have to demonstrate that they meet the TGDC’s cybersecurity best practices. The EAC should consider providing a self-assessment handbook or other form of guidance to facilitate vendor compliance with this requirement.

Such a self-assessment handbook exists in the defense sector for contractors that handle certain sensitive information. Department of Defense contractors “that process, store or transmit Controlled Unclassified Information must meet the Defense Federal Acquisition Regulation Supplement minimum security standards” and certify that they comply with published requirements. 26 An EAC resource along these lines would provide vendors with clarity about how to assess compliance and agreed-upon metrics.

Similarly, DHS has published resources associated with its Cyber Resilience Review program, which “align[s] closely with the Cybersecurity Framework . . . developed by the National Institute of Standards and Technology.” 27 They include a self-assessment package and a “Question Set with Guidance,” 28 which could prove useful in developing analogous resources for the EAC.

Background Checks And Other Security Measures For Personnel

Much of the conversation about election cybersecurity has imagined attackers in distant lands reaching our election infrastructure through the internet. But some of the most effective cyberattacks of recent years have involved insiders. To mitigate these risks, vendors should demonstrate during certification that they have sound personnel policies and practices in place.

At a minimum, vendors should describe how they screen prospective employees for security risks, including background checks, and how they assess employees for suitability on an ongoing basis, including substance-abuse screening. The Election Assistance Commission should also require vendor disclosure of controls governing staff access to sensitive election-related information. Since the bulk of such sensitive information would presumably not constitute classified information, which is subject to its own set of robust controls, the EAC’s scrutiny of vendor personnel risk management will be critical.

Vulnerability to attacks by insiders is a threat separate and apart from a hack over the internet, demanding entirely different controls and defensive measures. Without adequate personnel screening and other safeguards, vendors that provide critical election services could be exposed to malfeasance from within. The FBI’s thorough background checks for Justice Department attorneys and other law enforcement personnel provide a good model for aggressively vetting personnel. In the event election vendors require access to formally classified information, examples abound in the defense, nuclear, and other sectors of how to handle security clearances.

The Nuclear Regulatory Commission (NRC) regulates personnel in ways potentially relevant to election vendors. 29 Its fitness-for-duty program requires that individuals licensed to operate a nuclear reactor 30 meet several performance objectives, including “reasonable assurance” that they

  • “are trustworthy and reliable as demonstrated by the avoidance of substance abuse,” and
  • “are not under the influence of any substance, legal or illegal, or mentally or physically impaired from any cause, which in any way adversely affects their ability to safely and competently perform their duties.” 31

These programs also include “reasonable measures for the early detection of individuals who are not fit to perform the duties.” 32 The regulations include training requirements 33 and penalties for violations, 34 as well as robust substance-abuse testing protocols. 35 The NRC also regulates access to national security information 36 and nuclear-related restricted data 37 by individuals working for entities regulated by the commission. 38

The defense sector also tightly circumscribes processes on personnel clearances and the handling of sensitive classified information. For example, the National Industrial Security Program Operating Manual (Department of Defense guidance on the regulation of contractors in the industrial security sector) addresses contractors’ protection of such information and the processes for contractor personnel to obtain clearances. 39

Failure to have robust and adequate personnel safeguards can lead to significant harm inflicted by those on the inside. The Swiss financial institution UBS provides a telling example. A systems administrator who worked for UBS in New Jersey, Robert Duronio, wreaked havoc on company systems after reportedly expressing dissatisfaction with his salary and bonuses. Duronio planted a “logic bomb” in UBS’s systems that activated after his departure and brought down roughly 2,000 UBS computers. The attack cost the company more than $3 million in repairs, in addition to lost revenue stemming from crippled trading capability. 40 (Duronio was sentenced to 97 months in prison.) 41

We should assume that determined foreign adversaries are capable of hiring programmers who can damage American elections. We have certainly seen foreign governments engage in similar actions against private companies. In 2006, Dongfan “Greg” Chung, a former engineer at Boeing, was arrested for hoarding trade secrets about the U.S. space shuttle program with the intent to pass this information to the Chinese government. Federal agents found sensitive documents in his home, along with journals detailing his communications with Chinese officials. Chung was convicted in 2009 of economic espionage and acting as an agent of China, 42 and sentenced to 15 years in prison. 43

Transparent Ownership

Lack of transparency into ownership and control of election vendors can mask foreign influence over an election vendor and corruption in local certification and contracting. We recommend mandated disclosure of significant — more than 5 percent — ownership interests and a prohibition on significant foreign ownership or control (with the option to request a waiver, if certain conditions are met). The purpose is not only to deter malfeasance and corruption but also to reassure voters that the motives of election vendors are aligned with the public’s interest in free and fair elections.

The threats posed by foreign influence over a U.S. election vendor — including the heightened potential for foreign infiltration of the vendor’s supply chain or knowledge of client election officials’ capabilities and systems — should be obvious. A federal framework for securing elections should limit significant foreign ownership of election system vendors.

Over the last several years, the topic of foreign ownership of election vendors has occasionally made headlines. 44 In 2018, the FBI informed Maryland officials that a vendor servicing the state, ByteGrid LLC, had been under the control of a Russian oligarch with close ties to President Vladimir Putin. 45 In 2019, ByteGrid sold all of its facilities and customer agreements to a company called Lincoln Rackhouse. 46

At the same time, lack of insight into election vendor ownership presents a serious risk that vendor-led influence campaigns and public officials’ conflicts of interest will escape public scrutiny. Officials might award vendor contracts in exchange for gifts or special treatment rather than to those that would best facilitate free and fair elections. Transparency into ownership and control is required for the public to assess whether officials engaged in procurement and regulation have been improperly influenced.

There are a range of approaches to these problems of improper foreign and domestic influence. We recommend a stringent yet flexible standard: a requirement to disclose all entities or persons with a greater than 5 percent ownership or control interest, along with a ban on foreign ownership in that same amount, 47 with an option for the EAC to grant a waiver after consultation with DHS. While this proposal would address instances of foreign control over election vendors, such as ByteGrid, it could also impact companies such as Dominion Voting Systems, the second-largest voting machine vendor in the United States, whose voting machines are used by more than one-third of American voters and whose headquarters are in Toronto. Similarly, Scytl Secure Electronic Voting, which offers election night reporting and other election technologies to hundreds of election jurisdictions around the United States, is based in Barcelona. 48 A waiver would provide a means for these and other vendors with foreign ties to disclose those relationships and put in place safeguards to prevent foreign influence and alleviate security concerns, thus offering a reasonable path for a wide range of vendors to participate in the election technology market. Beyond this initial disclosure requirement, vendors should have an ongoing obligation to notify their customers and the EAC of any subsequent changes in their ownership or control.

The EAC can look to other sectors for examples of vendor disclosure of ownership or control agreements. The Department of Defense’s National Industrial Security Program Operating Manual is instructive. It requires companies to “complete a Certificate Pertaining to Foreign Interests when . . . significant changes occur to information previously submitted,” 49 and it requires vendors to submit reports when there is “any material change concerning the information previously reported by the contractor concerning foreign ownership control or influence.” 50

Lawmakers have already introduced legislation to improve transparency in ownership or control of election system vendors, with mechanisms ranging from disclosure requirements to strict bans on foreign ownership or control. One approach recently adopted in North Carolina requires disclosure of all owners with a stake of 5 percent or more in a vendor’s company, subsidiary, or parent, so that the state’s Board of Elections can consider this information before certifying a voting system. 51

On the other end of the spectrum, the For the People Act and the SAFE Act would require that vendors in states receiving federal grants be owned and controlled by U.S. citizens or permanent residents, with no option for a waiver. 52 Similarly, the Election Vendor Security Act would have required each vendor to certify that “it is owned and controlled by a citizen, national, or permanent resident of the United States, and that none of its activities are directed, supervised, controlled, subsidized, or financed, and none of its policies are determined by, any foreign principal” or agent. 53

Other proposals would prohibit foreign control but provide for a waiver, as we suggest. For instance, the Protect Election Systems from Foreign Control Act would require vendors to be “solely owned and controlled by a citizen or citizens of the United States” absent a waiver. 54 Such waivers could be granted if the vendor “has implemented a foreign ownership, control, or influence mitigation plan that has been approved by the [DHS] Secretary . . . ensur[ing] that the parent company cannot control, influence, or direct the subsidiary in any manner that would compromise or influence, or give the appearance of compromising or influencing, the independence and integrity of an election.” 55

With respect to defining an ownership or control interest of greater than 5 percent, the EAC could borrow from the approach used by the Federal Communications Commission (FCC). The FCC typically defines foreign ownership, including indirect ownership, by multiplying the percentage of shares an owner has in one company by the percentage of shares that company owns in a regulated broadcast or common carrier licensee. For instance, if a foreign person owned 30 percent of company A, and company A owned 25 percent of company B, the foreign person would be deemed to own 7.5 percent of company B. For purposes of voting shares, the FCC treats a majority stake as 100 percent, whereas for equity shares, the actual percentages are used. 56
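The FCC multiplication rule described above, worked through in Python as an added example (this is not code from the report or from the FCC). The company names and holdings are constructed; summing interests that reach the target along different paths, applying the majority-as-100-percent rule link by link to voting interests, and testing the larger of the voting and equity figures against the 5 percent threshold are assumptions of this example, not rules stated in the report.

```python
"""Indirect ownership attribution using the FCC multiplication rule.

Added example, not code from the Brennan Center report.  The company names
and holdings below are constructed for illustration.

Assumptions (not stated in the report): interests reaching the target along
different ownership paths are summed; the majority-as-100% rule is applied
link by link to voting interests; the 5 percent disclosure test uses the
larger of the voting and equity figures.
"""


def _link_weight(pct, kind):
    """Weight of one ownership link, in percent.

    For voting interests the FCC treats a majority stake as 100 percent;
    for equity interests the actual percentage is used.
    """
    if kind == "voting" and pct > 50.0:
        return 100.0
    return pct


def attributed_interest(holdings, holder, target, kind="voting"):
    """Return holder's attributed interest in target, in percent.

    holdings maps a holder name to {company: (voting_pct, equity_pct)} for
    each company it owns directly.  Every path from holder to target is
    multiplied through link by link, and the paths are summed.  A visited
    set stops circular cross-holdings from being followed forever.
    """
    idx = 0 if kind == "voting" else 1

    def walk(node, visited):
        if node == target:
            return 100.0  # reached the target: remaining factor is 1
        total = 0.0
        for company, pcts in holdings.get(node, {}).items():
            if company in visited:
                continue
            downstream = walk(company, visited | {company})
            total += _link_weight(pcts[idx], kind) * downstream / 100.0
        return total

    return walk(holder, {holder})


def requires_disclosure(holdings, holder, target, threshold=5.0):
    """True if holder's attributed voting or equity interest exceeds threshold."""
    voting = attributed_interest(holdings, holder, target, "voting")
    equity = attributed_interest(holdings, holder, target, "equity")
    return max(voting, equity) > threshold


# The report's own figures: 30 percent of company A, which owns 25 percent
# of company B, yields 7.5 percent of company B.
REPORT_EXAMPLE = {
    "Investor": {"Company A": (30.0, 30.0)},
    "Company A": {"Company B": (25.0, 25.0)},
}

# Constructed ownership graph for a hypothetical vendor.  ForeignInvestor
# reaches VendorCo both directly (4%) and through HoldCo A (30% x 25%).
# ParentCo holds a majority of HoldCo B, so its voting interest in VendorCo
# counts as 100% x 20% = 20%, while its equity interest is 60% x 20% = 12%.
SAMPLE_HOLDINGS = {
    "ForeignInvestor": {"HoldCo A": (30.0, 30.0), "VendorCo": (4.0, 4.0)},
    "HoldCo A": {"VendorCo": (25.0, 25.0)},
    "ParentCo": {"HoldCo B": (60.0, 60.0)},
    "HoldCo B": {"VendorCo": (20.0, 20.0)},
}

if __name__ == "__main__":
    print(attributed_interest(REPORT_EXAMPLE, "Investor", "Company B"))  # 7.5
    for who in ("ForeignInvestor", "ParentCo"):
        v = attributed_interest(SAMPLE_HOLDINGS, who, "VendorCo", "voting")
        e = attributed_interest(SAMPLE_HOLDINGS, who, "VendorCo", "equity")
        flag = requires_disclosure(SAMPLE_HOLDINGS, who, "VendorCo")
        print(f"{who}: voting {v:.1f}%  equity {e:.1f}%  disclose={flag}")
```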

Processes For Reporting Cyber Incidents

Both the public and local and state governments are often kept in the dark about security breaches that affect election vendors. This state of affairs can undermine faith in the vote and leave election officials unsure about vendor vulnerabilities. To address these concerns, vendors should face robust incident reporting requirements and a mandate to work with affected election authorities.

Federal oversight should require vendors to agree to report security incidents as a condition of certification. The Election Assistance Commission should require that vendors report to it and to all potentially impacted jurisdictions within days of discovering an incident. The EAC’s existing Quality Monitoring Program requires only that vendors with certified voting equipment “submit reports of any voting system irregularities.” 57 At present, the reporting requirement extends only to vendors of voting systems and does not encompass any other facets of those vendors’ services, equipment, or operations. Election officials have long complained that vendors do not always share reports of problems with their systems. 58 Compounding the problem, a single vendor often serves many jurisdictions. 59

Some legislation has already sought to mandate more fulsome incident reporting by vendors. The Secure Elections Act, which had bipartisan support before losing momentum in 2018, included a mandatory reporting provision. Under the bill, if a so-called election service provider has “reason to believe that an election cybersecurity incident may have occurred, or that an information security incident related to the role of the provider as an election service provider may have occurred,” then it must “notify the relevant election agencies in the most expedient time possible and without unreasonable delay (in no event longer than 3 calendar days after discovery of the possible incident)” and “cooperate with the election agencies in providing [their own required notifications].” 60

Absent robust incident reporting, election officials and the public can be left unaware of potential threats that vendors might introduce into elections. As previously discussed, there is still considerable uncertainty concerning the alleged spearphishing attack and hack of a vendor involved in the 2016 elections. Much of what is known stems from the leak of a classified intelligence report obtained by the Intercept, 61 which identified the hacking victim as a Florida-based vendor, coupled with Special Counsel Robert Mueller’s report to the attorney general and indictment of 12 Russian intelligence officers. 62 Further complicating the picture of what happened, the Florida-based vendor, VR Systems, responded to an inquiry from Sen. Ron Wyden (D–OR) via letter, claiming that “based on our internal review, a private sector cyber security expert forensic review, and the DHS review, we are confident that there was never an intrusion in our EViD servers or network.” 63 This uncertainty offers little for the vendor’s clients to rely on in assessing the vendor’s ongoing cyber readiness and whether to continue to contract with the vendor in future elections.

With mandated incident reporting, the EAC could provide the necessary assurance to election officials regarding the security of vendors by sharing information with election officials who need it, as well as by requiring appropriate remedial action, up to and including decertification.

Supply Chain Integrity

Federal regulators should require vendors to follow best practices for managing supply chain risks to election security. The new Technical Guidelines Development Committee should define categories of subcontractors or products that pose serious risks, such as servers and server hosting, software development, transportation of sensitive equipment such as voting machines, and information storage. For instance, Liberty Systems, one of Unisyn Voting Solutions’ regional partners, would likely be covered, given that it “provides election and vital statistics, software, and support throughout counties in the State of Illinois.” 64 The TGDC’s guidelines could then require that vendors have a framework to ensure that high-risk subcontractors and manufacturers also follow best practices on cybersecurity, background checks, and foreign ownership and control, as well as reporting cyber incidents to the vendor.

This approach is being used in other areas of government, where a growing recognition of supply chain risk to national security exists. The Department of Defense has recently stepped up its enforcement of supply chain integrity and security standards, requiring review of prime contractors’ purchasing systems to ensure that Department of Defense contractual requirements pertaining to covered defense information and cyber incident reporting “flow down appropriately to . . . Tier 1 level suppliers” and that prime contractors have procedures in place for assessing suppliers’ compliance with those requirements. 65

The Department of Defense now requires that contractors handling controlled unclassified information (CUI) “flow down” contractual clauses to subcontractors whose “performance will [also] involve [the department’s] CUI.” The TGDC should develop an analogous category of subcontractors and manufacturers for which the same cybersecurity, background check requirements, and foreign ownership concerns that apply to election vendors would apply, based on the subcontractor’s role and the opportunity for election security risk to be introduced.

Monitoring Vendor Compliance

To make its oversight most effective, the Election Assistance Commission must have the ability to confirm that federally certified vendors continue to meet their obligations. The fact that a vendor was, at some point in time, certified as meeting relevant federal standards is no guarantee that circumstances have not changed. Failure to stay in compliance should lead to appropriate remedial action by the EAC, up to and including decertification.

The EAC’s Quality Monitoring Program for voting systems provides a starting point for how this might work. The EAC offers a mechanism for election officials on the ground to provide information about any voting system anomalies present in certified voting machines. If an election worker submits a credible report of an anomaly, the EAC distributes it to state and local election jurisdictions with similar systems, the manufacturer of the voting system, and the testing lab that certified the voting system. 66 According to the EAC’s certification manual, “the Quality Monitoring Program is not designed to be punitive but to be focused on improving the process.” 67 The program, then, is focused more on compliance than certification or decertification, although decertification can result in cases of persistent noncompliance.

The SAFE Act and the For the People Act call for the testing of voting systems nine months before each federal general election, as well as for the decertification of systems that do not meet current standards. 68

A critical difference between the ability to monitor voting equipment and the practices of an election system vendor is that thousands of election officials and poll workers, and hundreds of millions of voters, interact with voting equipment on a regular basis. They can report anomalies when they see them. By contrast, most of the work of election system vendors happens out of public view.

For this reason, vendors must be obligated on an ongoing basis to remedy known security flaws or risk losing federal certification. Congress should provide the EAC with a mandate to ensure that vendors contract with independent security firms to conduct regular audits, penetration testing, and physical inspections and site visits, and to provide the results of those assessments to the EAC. One legislative proposal — the Protect Election Systems from Foreign Control Act — sought to do something similar by subjecting vendors to an annual evaluation to assess compliance with cybersecurity best practices. 69 The EAC’s effectiveness in its new oversight role would be diminished absent some power to monitor vendors’ efforts on this front — a power Congress ought to provide.

The EAC could require regular penetration testing by third parties to assess vendors’ cyber readiness in real time. Such testing would give the EAC (and vendors) an opportunity to identify and remediate security flaws, hopefully before adversaries take advantage of them. The EAC should also consider using bug bounty programs, which have become a common tool deployed by private industry and government entities, including the Department of Defense. 70 Under bug bounty programs, friendly so-called white-hat hackers earn compensation for reporting vulnerabilities and risks to program sponsors. The For the People Act calls for such a program, 71 as does the Department of Justice’s Framework for a Vulnerability Disclosure Program for Online Systems. 72

Certified vendors should be required to submit to extensive inspection of their facilities. To assess compliance with cybersecurity best practices, personnel policies, incident reporting and physical security requirements, and the like, the EAC must be granted wide latitude to demand independent auditors’ access to vendor systems and facilities. This should include unannounced, random inspections of vendors. The element of surprise could serve as a powerful motivator for vendors to stay in compliance with EAC guidance.

The Defense Contract Management Agency (DCMA) performs an analogous, if broader, role for military contractors. Serving as the Defense Department’s “information brokers and in-plant representatives for military, Federal, and allied government buying agencies,” DCMA’s duties extend to both “the initial stages of the acquisition cycle and throughout the life of the resulting contracts.” 73 In that latter stage of a contract, DCMA monitors “contractors’ performance and management systems to ensure that cost, product performance, and delivery schedules are in compliance with the terms and conditions of the contracts.” 74 This function includes having personnel in contractor facilities assess performance and compliance. 75 Although our proposal does not envision the EAC performing an ongoing contract compliance role, the EAC’s enhanced oversight role could take some cues from DCMA’s inspection protocols and ability to closely scrutinize vendors.

The NRC similarly holds inspection rights over those subject to its regulations, including companies that handle nuclear material and those holding licenses to operate power plants. 76 The NRC regulation requiring that those regulated “afford to the Commission at all reasonable times opportunity to inspect materials, activities, facilities, premises, and records under the regulations in this chapter” is of particular relevance to potential EAC oversight. 77 The NRC also has an extensive set of regulations concerning physical security at nuclear sites and of nuclear material. 78 Although these requirements are probably more onerous than those needed in the election sector (especially since nuclear material poses unique physical security risks), they could nonetheless prove instructive in crafting physical security requirements for vendors. Such requirements should go hand in hand with the cybersecurity best practices discussed above.

Enforcing Guidelines

It is critical to have a clear protocol for addressing election system vendor violations of federal guidelines. If states require their election offices to use only federally certified vendors, revocation of federal certification could have a potentially devastating impact on the ability of jurisdictions to run elections and ensure that every voter is able to cast a ballot.

Again, the Election Assistance Commission’s process for addressing anomalies in voting equipment through its Quality Monitoring Program is instructive. If it finds that a system is no longer in compliance with the VVSG, the manufacturer is sent a notice of noncompliance. This is not a decertification of the machine but rather a notification to the manufacturer of its noncompliance and its procedural rights before decertification. The manufacturer has the right to present information, access the information that will serve as the basis of the decertification decision, and cure system defects prior to decertification. The right to cure system defects is limited; it must be done before any individual jurisdiction that uses the system next holds a federal election. 79

If decertification moves forward after attempts to cure or opportunities to submit additional information, the manufacturer may appeal the decision. If the appeal is denied, then the decertified voting system will be treated as any other uncertified system. The EAC will also notify state and local election officials of the decertification. 80 A decertified system may be resubmitted for certification and will be treated as any other system seeking certification.

The EAC’s application of this process to the ES&S voting system Unity 3.2.0.0 provides an example of how this can happen. Certification of this system was granted in 2009. 81 In 2011, the EAC’s Quality Monitoring Program received information about an anomaly in the system and began a formal investigation. 82 A notice of noncompliance was then sent to ES&S in 2012, listing the specific anomalies found in the voting system and informing ES&S that if these anomalies were not remedied, the EAC would be obligated to decertify the voting system. 83 ES&S attempted to cure the defects, as was its right, and produced a new, certified version of the Unity system. 84 The vendor then requested that its old system be withdrawn from the list of EAC certified systems. 85

Decertification of a vendor would need to be handled thoughtfully, so that local election officials are not left scrambling to contract new election services close to an election. In this sense, close coordination among federal and local officials and relevant vendors to proactively identify and fix issues would be necessary for any scheme to succeed. The EAC would also have to be left with the flexibility to decide what, if any, equipment and services could no longer be used or sold as federally certified. To that end, decertification should incorporate these key elements:

  • A voting system decertification should not necessarily result in a vendor decertification and vice versa. For instance, a voting machine vendor might be found to be out of compliance with federal requirements for background checks on employees. If the EAC determines this noncompliance did not impact the security of voting machines already in the field, it could leave the voting system certified but ban the vendor from selling additional machines (or certain employees from servicing existing machines) until the failure is remedied. Alternatively, it could allow the vendor’s voting machines to continue to be used for a limited time, subject to additional security measures, such as extra preelection testing and postelection audits.
  • There should be a clear process ahead of a formal decertification, with notification to affected state and local officials and plenty of opportunities for the relevant vendor to address issues before the EAC takes more drastic action. Only the most urgent and grave cybersecurity lapses should truncate this decertification process.
  • Any decertification order should include specific guidance to state and local officials on how existing vendor products or services are affected, assistance to those officials with replacing those goods or services (if necessary), and a road map for the vendor to regain certification.

Conclusion

Private election vendors play a crucial role in securing the nation’s elections against malicious actors who have already taken steps toward compromising elections and the public’s confidence in our democracy. Yet these vendors are currently subject to little oversight to ensure that they remain secure against these threats and that many of the products and services they provide, such as electronic pollbooks, are secure. Currently, only voting systems — the systems used to cast and tabulate ballots — are subject to robust federal oversight, and then only via a voluntary certification program. We recommend that Congress empower the Election Assistance Commission to certify election vendors more broadly as compliant with voluntary guidelines relating to cybersecurity, personnel, transparent ownership and control, reporting of cyber incidents, and supply chain integrity. In the meantime, the EAC should employ its registration and certification processes to ensure that vendors of certified voting systems keep up with these practices.

About the Authors

Lawrence Norden is director of the Election Reform Program at the Brennan Center for Justice, where he leads efforts to bring balance to campaign funding and break down barriers that keep Americans from participating in politics, ensure that U.S. election infrastructure is secure and accessible to every voter, and protect elections from foreign interference. He has authored several nationally recognized reports and articles related to voting rights and voting technology, including Securing Elections From Foreign Interference (2017), America’s Voting Machines at Risk (2015), and How to Fix Long Lines (2013). His work has been featured in media outlets across the country, including the New York Times, the Wall Street Journal, Fox News, CNN, MSNBC, and National Public Radio. He has testified before Congress and several state legislatures on numerous occasions. Norden is a member of the Election Assistance Commission’s Board of Advisors. This report is not affiliated with his role as an EAC advisor. He is a graduate of the University of Chicago and NYU School of Law.

Christopher R. Deluzio is the policy director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security. He was previously counsel in the Democracy Program at the Brennan Center for Justice, where his writing included nationally recognized work on voter purges, a procurement guide to assist in the selection and management of election vendors, and legal analysis of speech restrictions in polling places. Prior to joining the Brennan Center, he was a litigation associate in private practice with Wachtell, Lipton, Rosen & Katz and, before that, law clerk to Judge Richard J. Sullivan of the U.S. District Court for the Southern District of New York. He graduated magna cum laude from Georgetown Law, where he was elected to the Order of the Coif, served as an executive articles editor of the Georgetown Law Journal, and was selected as the top oralist in the Robert J. Beaudry Moot Court Competition and the Thurgood A. Marshall Memorial Moot Court Competition. He received a bachelor’s degree from the U.S. Naval Academy and, following graduation, served as an active-duty naval officer.

Gowri Ramachandran is senior counsel in the Brennan Center for Justice’s Democracy Program. She comes to the Brennan Center from Southwestern Law School in Los Angeles, California, where she is on leave from her position as professor of law. At Southwestern, she taught courses in constitutional law, employment discrimination, and critical race theory, as well as the Ninth Circuit Appellate Litigation Clinic, which received the Ninth Circuit’s 2018 Distinguished Pro Bono Service Award. She received her undergraduate degree in mathematics from Yale College and a master’s degree in statistics and JD from Harvard University. While in law school, she served as editor in chief of the Yale Law Journal. After graduating from law school in 2003, Ramachandran served as law clerk to Judge Sidney R. Thomas of the U.S. Court of Appeals for the Ninth Circuit in Billings, Montana. After a fellowship at Georgetown Law, she joined the Southwestern faculty in 2006.

Acknowledgments

The Brennan Center gratefully acknowledges BLT Charitable Trust, Carnegie Corporation of New York, Craig Newmark Philanthropies, Ford Foundation, Lee Halprin and Abby Rockefeller, The JPB Foundation, Leon Levy Foundation, Open Society Foundations, Barbara B. Simons, Wallace Global Fund, and Leslie Williams for their generous support of our election security work.

The authors would like to thank the numerous Brennan Center colleagues who collaborated in preparing this report. Brennan Center Fellow Derek Tisler and Legal Intern Cara Ortiz contributed crucial research and editorial support. Edgardo Cortés, Elizabeth Howard, and Daniel I. Weiner provided helpful revisions. Jeanne Park and Matthew Harwood of the Brennan Center’s communications team lent valuable review and editing assistance. The authors are grateful to Research and Program Associate Andrea Córdova McCadney for assistance in citation-checking and editing. The editorial and design assistance of Alexandra Ringe, Alden Wallace, Rebecca Autrey, and Zachary Laub allowed this report to reach publication.

This report also benefited from the many people willing to share their valuable expertise and provide insight in the review process. We gratefully acknowledge the following individuals for their helpful feedback: Marian Schneider, president, Verified Voting; Ryan Macias, election technology and security expert; Susan Greenhalgh, vice president for programs, National Election Defense Coalition; Bruce Schneier, security technologist and adjunct lecturer in public policy, Harvard Kennedy School; Gregory A. Miller, cofounder and chief operating officer, OSET Institute; E. John Sebes, cofounder and chief technology officer, OSET Institute; and Eddie Perez, global director of technology R&D, OSET Institute.