Election Security

States might miss new voting system specs for 2020

people voting (Gino Santa Maria/Shutterstock.com) 

As Congress debates whether to allocate more funding to states to replace voting machines and upgrade cybersecurity of their election systems, Republicans have made it a sticking point to request more data around how those states are spending $380 million in federal funds approved last year.

"Right now, we're still waiting for [the Voluntary Voting System Guidelines] to be promulgated by the EAC, then voting machine manufacturers need to test their systems to those standards,"Illinois State Board of ElectionsExecutive Director Steven Sandvosstold House appropriators on Feb 27. "It's going to take a long time and I can't guarantee it will be done by 2020."

The Voluntary Voting System Guidelines are meant to guide election tech purchasing decisions by state and local election officials. The standards, last updated in 2015, are developed by the EACin conjunction with the National Institute of Standards and Technology. New guidelineswith a focus on cybersecurity were developed last year, but the EAC was unable to move the process forward due to the lack of a quorum after then-Speaker Paul Ryan declined to re-nominate Chair Matthew Masterson to the commission last year.

That status quo held until this month, when two new members, Benjamin Hovland and Donald Palmer, were sworn in as commissioners. The commission quickly moved to open up to public comment, a process that will take another three months.

Still, it will be some time before states are using the new standards for purchasing decisions. After the public comment period ends for the principles and guidelines, EAC and NIST must still finalize the actual technical guidelines that certification laboratories will use to test machines. That will be followed by another round of public comment and EAC hearings before the commission votes for final approval. After that, voting machine vendors must submit their machines for testing and certification against the new standards.

Since the commission doesn't know what feedback it will receive during that process, it's difficult to project how much the documents might need to be modified or how long it will take before the commission votes to approve final versions, an EAC employee explained. However, given the numerous procedural and testing hurdles, theemployeesaid it was "probably accurate" that states won't be able to test their systems against the new standards before the 2020 election.

Alex Haldeman, a University of Michigan professor and election security expert,told lawmakers the updated standards were "relatively weak in their scope" and do not include guidance around post-election audits and other holistic components of a secure election system.

Haldeman noted that the voluntary nature of the guidelineslimits theirimpact, and asked lawmakers to requireminimum viable securityregulations for states and voting machine vendors to follow as a condition of federal funding.

"I think we do need stronger minimum standards for election technology and auditing just so we can make sure that we can bring up the states that are most weakly protected to a reasonable level, but at the same time we have to acknowledge…that there are important differences between states and being overly prescriptive just isn't going to work," said Haldeman.

Joshua Franklin, who helped develop the initial draft of the guidelines for NIST before leaving government in 2018, noted in a Feb. 22 blogpost that the standards only cover technical aspects of a voting system and not procedural practicesthat could also have an impact on cybersecurity. Further, the standards do not cover other common forms of election technology, such as voter registration systems or electronic pollbooks, that are known to have been probed and attacked by Russian hackers in 2016.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.