Election infrastructure needs greater oversight, report says
- By Derek B. Johnson
- Nov 12, 2019
A lack of federal regulatory pressure on the private-sector companies responsible for election infrastructure has created dangerous security vulnerabilities in the nation's election system, according to a new report from the Brennan Center for Justice.
More federal oversight is needed to ensure that election vendors, particularly the three companies that provide 80% of the voting systems used in the United States -- ES&S, Dominion and Hart InterCivic-- are doing all they can to ensure their technology is safe and secure, according to the Nov. 12 report.
Election security specialists have long criticized the outsized role that a handful of companies have played in the way U.S. election technology is managed and administered. These firms have historically spurned calls to conduct independent testing of their equipment and threatened legal action against security researchers who point out vulnerabilities.
The report authors argued that voting machine companies and other election vendors operate with near-complete autonomy outside of voluntary standards, unlike other heavily regulated critical infrastructure sectors.
"There is almost no federal regulation of the vendors that design and maintain the systems that allow us to determine who can vote, how they vote, or how their votes are counted and reported," Lawrence Norden, Christopher Deluzio and Gowri Ramachandran wrote. "While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight."
The report called for a new federal certification program to issue standards and enforce vendor compliance, the reconstitution of a technical guidelines committee stocked with cybersecurity experts, the expansion of vendor certification activities to include other election systems beyond voting machines and more robust enforcement from bodies like the Election Assistance Commission (EAC) when it comes to compliance.
While federal scrutiny of voting machine vendors is viewed by many experts as insufficient, bodies like the EAC aren't even allowed to subject that same level of oversight to vendors who provide other critical components of election infrastructure, like voter registration systems, e-pollbooks and election night reporting systems.
While expanding the testing and certification to encompass election infrastructure beyond voting machines would require an act of Congress, the Brennan Center believes EAC commissioners already have the authority to institute other changes, like enforcing stricter certification standards and compelling more transparency from voting machine vendors about their products. Norden also said that Congress must give the agency more money and do a better job selecting commissioners who will focus on the core mission.
Eddie Perez, a former director of product management at voting machine vendor Hart InterCivic who has since joined the nonprofit OSET Institute dedicated to improving voting security and integrity, said in an email that while he was not in favor of "excessive regulation," he does support state and federal regulations that would increase transparency from voting machine vendors who have "gotten a pass for too long."
"Everyone intuitively understands that it's right and reasonable for the government to regulate providers of critical infrastructure -- for example, energy, aviation, telecommunications, dams, defense industries, and emergency services," he said. "Voting technology is also critical infrastructure, and it requires oversight, just like the other critical infrastructure sectors."
"The threat against our election systems up until recently has not been treated in the same breadth as the threat against the energy sector or the nuclear sector or defense, and so there's probably some catching up that we need to do," Norden said.
A longer version of this article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at email@example.com, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.