States blast EAC for slow-walking voting standards

Officials at the Election Assistance Commission say they are eager to approve updated federal standards for the nation's voting machines that will introduce new technical and security requirements, but the agency faced harsh criticism from several state election officials at a May 6 public meeting for its sluggish pace.

The federal government's voting system standards are voluntary, but most states require the machines they buy to comply with them.

Virginia Elections Commissioner Christopher Piper called the current federal certification process "an obstacle to a more secure system" and griped that election officials have been waiting years for the newest version of the standards to work its way through the EAC approval process.

"The process is not fast enough to adapt to the changing security environment or to address the accessibility needs of many voters," Piper said, later adding, "The fact is the delay has proven to be a convenient excuse in all sectors not to update our voting systems."

Paul Lux, Elections Supervisor in Florida's Okaloosa County, complained that by the time EAC's standards work their way through the approval process, they will already be obsolete by today's security standards. Further, the rigidity for updating those standards once they're approved makes even small patches and updates impractical.

"I get a security alert…about router software but I can't go update the router software on my election management system because that patch has to come through the state after having gone through testing and verification…so I am anywhere from eight to 12 months behind on those types of security patches which for all the rest of the equipment in my office can be done right away," Lux said.

Commission Chair Ben Hovland claimed the process for approving voting standards is largely dictated by the 2002 Help America Vote Act, while Commissioner Thomas Hicks suggested the commission should be praised for meeting at all during the COVID-19 outbreak.

"I think that one point that's been lost in our discussion here is that with the global pandemic, the EAC could have easily been sitting around and not moving forward at all with the [Voluntary Voting System Guidelines]," Hicks said.

However, Piper and others made clear their frustrations were related to the approval and certification process more generally, which has gone on for years. The commission's Technical Guidelines Development Committee approved high-level principles for the new standards in 2017, but those principles have not received a vote by commissioners, nor have the commissioners finalized a corresponding document that outlines more specific technical requirements. The agency's board of advisors and standards board must also weigh in during the process, but neither body has convened for a meeting this year.

While some of the delay can be attributed to the EAC operating without a working quorum for 10 months, the commissioners said at an annual conference for election officials in January they had also delayed a vote to deal with grammatical and spelling errors in the five-page document.

"At my first national meeting with my colleagues at a standards board meeting in 2018, one memory that stands out above all was a discussion about VVSG 2.0, and that's why it's unfortunate that we are still having this critical conversation," Piper said in his opening statement.

He went on to point out that the commission had backtracked on an initial plan to approve the more general principles as the formal standards document and treat the far more detailed technical specifications as a separate document.

"States are desperate for flexible, agile requirements for our voting equipment. The federal stamp of approval is an asset for us, but only when it's current and right now," Piper said.

Earlier this year former Hart InterCivic executive Eddie Perez told FCW that despite EAC issuing updated standards in 2015, most voting machines in use today are designed to technical specifications developed and approved in 2005.

Lux confirmed that practice, telling commissioners that vendors "are not going to spend a lot of research and development capital creating voting machines to a standard that is going to change soon, so instead they develop 'new' machines to the old standards."

Following the meeting, Perez, now Global Director of Technology Research and Development at the non-profit OSET Institute, told FCW in an interview that state and local officials have been "increasingly vocal about their displeasure with the slow pace of the standard setting process" and that the comments from Piper and Lux at the meeting are "a strong indication of how dysfunctional things have gotten."

While commissioners have argued their hands are mostly tied, Perez and others have long argued that the agency can keep up with the changing pace of technology by allowing EAC staff to approve small, "de minimis" security updates that would allow states and vendors to patch their systems without falling out of compliance. In December 2019, Perez co-authored a position paper that lays out a number of ideas for structural reform at the agency to deal with the problems articulated by Lux, Piper and other state officials.

"Bottom line, I think it's a reasonable question to ask whether the EAC is not being too conservative in its conception of its own authority to act," he said.

The EAC did move in November 2019 to allow expedited updates for de minimis software changes. However, commissioners have expressed reluctance about ceding too much decision-making to staff. Commissioner Donald Palmer called it "a sensitive issue," asking if state election bodies would be comfortable doing the same thing.

"Do you want us to be a leader in the community by adopting this sort of format…I don't know of any state that allows their staff members to adopt requirements to match principles and guidelines," he said.

Piper said the State Board of Elections in Virginia had in fact recently given officials the flexibility to bypass the re-testing and re-certification process to allow for small security updates.

CORRECTION: This article was updated May 7 to reflect that the EAC did approve changes in November 2019 that allow for de minimis software updates.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
