Voting security guidelines: Too little too late?
- By Derek B. Johnson
- Feb 28, 2019
States waiting for the Election Assistance Commission to issue Voluntary Voting System Guidelines may not have time to test their systems against the new standards before the 2020 election.
The Voluntary Voting System Guidelines are meant to guide election tech purchasing decisions by state and local election officials. The standards, last updated in 2015, are developed by the EAC in conjunction with the National Institute of Standards and Technology.
New guidelines with a focus on cybersecurity were developed last year, but the EAC was unable to move the process forward due to the lack of a quorum. When two new members were sworn in as commissioners, EAC quickly moved to open them up to public comment, a process that will take another three months.
After the public comment period ends for the principles and guidelines, EAC and NIST must still finalize the actual technical guidelines that certification laboratories will use to test machines. That will be followed by another round of public comment and EAC hearings before the commission votes for final approval.
"Right now, we're still waiting for [the Voluntary Voting System Guidelines] to be promulgated by the EAC, then voting machine manufacturers need to test their systems to those standards," Illinois State Board of Elections Executive Director Steven Sandvoss told House appropriators on Feb. 27. "It's going to take a long time and I can't guarantee it will be done by 2020."
Since the commission doesn't know what feedback it will receive during that process, it's difficult to project how much the documents might need to be modified or how long it will take before the commission votes to approve final versions, an EAC employee explained. However, given the numerous procedural and testing hurdles, the employee said it was "probably accurate" that states won't be able to test their systems against the new standards before the 2020 election.
Alex Halderman, a University of Michigan professor and election security expert, told lawmakers the updated standards were "relatively weak in their scope" and do not include guidance around post-election audits and other holistic components of a secure election system.
Halderman noted that the voluntary nature of the guidelines limits their impact, and he asked lawmakers to require minimum viable security regulations for states and voting machine vendors to follow as a condition of federal funding.
"I think we do need stronger minimum standards for election technology and auditing just so we can make sure that we can bring up the states that are most weakly protected to a reasonable level, but at the same time we have to acknowledge … that there are important differences between states and being overly prescriptive just isn't going to work," said Halderman.
Joshua Franklin, who helped develop the initial draft of the guidelines for NIST before leaving government in 2018, noted in a Feb. 22 blog post that the standards only cover technical aspects of a voting system and not procedural practices that could also have an impact on cybersecurity. Further, the standards do not cover other common forms of election technology, such as voter registration systems or electronic poll books that are known to have been probed and attacked by Russian hackers in 2016.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.