Keeping voting security standards from bureaucracy
- By Derek B. Johnson
- May 23, 2019
Although the security updates to the Election Assistance Commission's new Voluntary Voting System Guidelines 2.0 are sorely needed, its approval and updating process can't keep up with the technological changes.
Later this year, the full commission is expected to vote to approve a five-page document outlining principles that will guide the development of VVSG 2.0, including a new emphasis on security. At a May 21 hearing, however, a number of stakeholders advised the agency to refrain from requiring a full vote to approve the technical portions of the guidelines, saying it could keep the latest technology from being incorporated into voting machine standards.
"We cannot wait weeks or months for a decision on a federal level when there's a need to act immediately," Iowa Secretary of State Paul Pate said. "I'm asking all of you to have a dialogue about what happens if we run into that situation again when there is not a full quorum on the EAC. How will decisions be made, and will that make it more difficult for state election officials to protect the security and integrity of the vote?"
Specifically, Pate and others worry that if the EAC finds itself without a quorum again -- as it has multiple times in the past 10 years -- it would leave the commission paralyzed and unable to approve technical updates to the VVSG. The potential delays caused by the commission voting on every technical change is also considered problematic by some election security advocates.
"The most critical aspect of developing and adopting the VVSG 2.0 is the need to design it to be flexible and agile, even when a quorum doesn't exist," Joseph Hall, chief technologist at the Center for Democracy and Technology, said in his testimony. "If past voting system standard efforts are any indication, the number of requirements are going to be large … any flexibility and adaptability of this new system will be lost if commissioners have to vote on more than just a handful of requirements."
Allowing smaller technical updates to the standards by EAC staff could help make them more adaptable to technological innovation and prevent a situation where gridlock at the federal level prevents efforts to keep the standards current with the latest technological developments.
The National Association of State Election Directors (NASED) has recommended that the EAC allow technical updates without a vote, saying that the agency has been without a quorum for more than a third of its existence and that it structured the VVSG process to make the principles and technical requirements separate for this very reason before changing course in May 2018.
The current structure of the EAC, the group argues, makes it susceptible to future shortages as well as political disputes, and NASED believes the technical requirements process should have built-in resilience against that kind of uncertainty in the future.
"It is critical that there be a mechanism for updating the technical requirements and test assertions for voting systems that does not require EAC commissioner approval," the leadership wrote in a May 2019 letter. "The integrity of American voting systems cannot be held hostage by lack of a quorum or philosophical differences among the commissioners."
Those same concerns were echoed in a Senate Rules Committee hearing with EAC commissioners last week, when presidential hopeful Sen. Amy Klobuchar (D-Minn.) asked where the commissioners stood on allowing some technical updates to the VVSG 2.0 to take effect without a vote. Klobuchar said she was "worried about a scenario where the guidelines don't keep up with advancements with technologies and cybersecurity best practices."
EAC Chairwoman Christy McCormick was noncommittal, saying she viewed the commission voting to approve technical standards as part of its oversight role.
"I would have to take a look at that, I don't know at this point," McCormick said.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.