Congress

Voting machine vendors say they’re open to new mandates

secure voting machines 

Representatives from three of the largest U.S. voting system manufacturers expressed openness to new federal regulations to bolster confidence about the security of their products. Whether any of them will come to fruition and what effect they would have is less clear.

The three companies, Election Systems and Software, Dominion Voting Systems and Hart InterCivic, have a history of resisting outside scrutiny of their products. Under a battery of questioning from lawmakers at a Jan. 9 House Administration Committee hearing, they said they would support a range of new regulatory and reporting requirements for their companies and the election industry as a whole.

Those potential requirements include a congressional mandate that states purchase voting machines with paper records and conduct post-election audits for every vote cast, new public reporting on security risks associated with their equipment and new federally crafted guidelines for how to best set up their supply chains.

"I think we would support any requirements that [apply] to all vendors in our industry that would help educate users of our system and anyone who interacts with them," said Tom Burt, CEO of ES&S.

Committee Chair Zoe Lofgren (D-Calif.) floated five new potential reporting mandates that would require the companies to detail their policies and practices on cybersecurity and incident response, information on any cyberattacks they've faced, whether their staff undergo background checks, information on corporate ownership and foreign investment in their companies and how and where their supply chains are set up.

All three CEOs said they would support such requirements. Lofgren, who introduced similar requirements in the SAFE Act passed in the House last year, said their commitment was "very helpful."

"As you know we have passed a pretty robust bill in the House, it's pending in the Senate and perhaps your testimony will move that forward," she said.

The openness to new mandates indicate a shift from the industry, but some longstanding concerns about industry practices endured.

While the major vendors said they were in favor of auditable paper trails for all their systems, that would include the use of Ballot Marking Devices. Such systems allow users to use an electronic touchscreen or user interface to mark a paper ballot that is then scanned or counted manually and are designed to increase accessibility for voters with physical disabilities. However, some election jurisdictions are purchasing BMDs for all their voters, and some experts have warned the machines are not conducive to effective voter verification and post-election auditing procedures.

Concerns also exist about the companies' software and hardware supply chains. A report released last month by Interos found that at least one major voting system vendor sourced parts and components out of China, where U.S. officials have raised general concerns about supply chain compromise from state intelligence agencies. The report did not identify the vendor, but witnesses from all three of the major manufacturers acknowledged they relied on Chinese-made gear. Lawmakers expressed concerns that it could open the door to compromise or sabotage of software and hardware by bad actors.

Burt said his company had a "limited" number of components that come from China, claiming many amounted to plastic or metals that make up the device, not IT. However, he acknowledged that for at least one of their machines, the DS200, one of its nine programmable logic devices are sourced from a California company that produces the part in China.

Dominion Voting Systems CEO John Poulos and Hart InterCivic President Julie Mathis said their companies use Chinese-made LCD screen components, chip capacitors and resistors, and argued that in some cases there's no option for manufacturing them in the United States.

"We would welcome guidelines and best practices from the committee and from the federal government…this is not a problem that's unique to the election industry," Poulos said.

The hearing represents an about face for an industry that has often largely downplayed their vulnerabilities and rejected calls for increased regulation. Still, some election specialists were unimpressed.

Eddie Perez, Global Director of Technology Research and Development at the OSET Institute, told FCW in a phone interview that while it's important to get industry on record supporting things like increased reporting requirements, he's skeptical whether the companies plan to follow through absent federal enforcement.

He argued many of the other proposed changes discussed in the hearing would not meaningfully address the fundamental, systemic problems that plague the industry and inhibit better security practices, namely the consolidation of voting machine production across just three vendors and a plodding system for testing and certifying machines.

"I would have preferred to have heard more questions that press upon the status quo, because the fundamentals of the market today, supported by current policies of the [Election Assistance Commission] and in particular implementation of its certification program, those are big part of the reason why voting infrastructure is suffering," he said.

While many new voting machines have come on the market over the past two decades, virtually all of them were designed to system standards developed by the EAC in 2005. The agency is working on updated standards, but they will almost certainly not be in place this year as states look to spend hundreds of millions of dollars in new federal grant funding to update their voting machines.

Perez said he was worried states would end up simply repeating the mistakes of the past.

"The real danger is that in the absence of any more significant change, Congress and EAC and the vendors are just going to hit the reset button on 10 more years of dysfunction in continuance of the last decade's problems," he said.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


Featured

  • Defense
    DOD photo by Senior Airman Perry Aston  11th Wing Public Affairs

    How DOD's executive exodus could affect tech modernization

    Back-to-back resignations raise concerns about how things will be run without permanent leadership in key areas from policy to tech development.

  • Budget
    cybersecurity (vs148/Shutterstock.com)

    House's DHS funding bill would create public-private cyber center

    The legislation would give $2.25 billion to DHS' cyber wing and set up an integrated cybersecurity center with other agencies, state and local governments and private industry.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.