Senators Want Independent Security Testing of Voting Machines

While a proposed measure that would have given state officials more tools to help secure elections has bogged down in the Senate, four members of that body’s Intelligence Committee are pressuring a major manufacturer of electronic voting machines to allow independent tests of their products by election agencies and to work with researchers to assess the security of the machines.

In a letter sent to the president and CEO of Election Systems & Software, a maker of voting machines used in many states, a bipartisan group of senators expressed concerns about the company’s reaction to the Voting Village hacking contest at the DEF CON security conference earlier this month. The Voting Village gave participants the opportunity to get their hands on various electronic voting machines, look for vulnerabilities, and see whether they could find ways around the defenses on the machines. Before DEF CON, ES&S officials sent a FAQ to customers, informing them of the contest and somewhat downplaying any negative results that might come from it.

There were plenty of successes against various machines and voting sites during the Voting Village exercise, including some by kids as young as eight years old. The exercise takes place in a controlled environment, but the machines involved are the same ones used in actual elections around the country. In their letter to ES&S President and CEO Tom Burt, the senators said they are “concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections.”

The letter came from Sens. Kamala Harris (D-Calif.), Mark Warner (D-Va.), Susan Collins (R-Maine), and James Lankford (R-Okla.), all members of the Senate Select Committee on Intelligence. The lawmakers asked Burt to take the issues raised during DEF CON seriously and to commit to independent security testing of the company’s machines.

“The reality of these unprecedented security risks was on full display at the DEF CON cybersecurity conference, where researchers at the ‘Voting Village’ successfully probed a variety of electronic equipment used to administer elections. We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing. We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks,” the letter, sent Aug. 22, says.

The history of the relationship between security researchers and voting-machine manufacturers is long and often contentious. In 2004 a team of researchers from several universities found significant security weaknesses in the software of a Diebold electronic voting machine, and many other researchers have had similar success against other manufacturers’ machines over the years. A number of security experts have been advocating for a return to paper ballots, which are considered more secure and more difficult to tamper with than electronic voting records. In June, Sen. Ron Wyden (D-Ore.) introduced a bill that would require paper ballots for all federal elections.

In their letter to Burt of ES&S, the senators ask that the company make it easier for both election agencies and security researchers to get access to voting machines for testing, and to allow researchers to share their results publicly without fear of reprisal. Electronic voting machines are expensive and can be difficult for researchers to obtain.

“Currently, there are significant barriers that prevent states from working with independent, qualified, good faith researchers to conduct cybersecurity testing on election systems. States are often unable to procure systems at a reasonable cost before entering long-term contracts with vendors,” the letter says.

“Most researchers are unable to procure systems from vendors for testing, no matter how trustworthy and well-resourced they are. In addition, legal ambiguities about contracts and software licensing chill this valuable practice. Furthermore, we believe that urging the Copyright Office to limit good faith cybersecurity testing on election systems under the Digital Millennium Copyright Act is harmful to this effort.”

Also this week, a Senate bill that would allow state election officials to get access to threat intelligence stalled without any real explanation. The bill was sponsored by Lankford and also would allow state officials to share information with each other about election threats.