What are voting machine companies doing about cyber?

In October 2017, Sen. Ron Wyden (D-Ore.) sent letters to five of the top voting machine companies in America asking how their organizations were structured and what steps they have taken to ensure their machines are protected from cyber threats.

"As our election systems have come under unprecedented scrutiny, public faith in the security of our electoral process at every level is more important than ever before," Wyden said. "Ensuring that Americans can trust that election systems and infrastructure are secure is necessary to protecting confidence in our electoral process and democratic government."

The questions touched on a wide range of topics related to cybersecurity, such as whether the companies had experienced a recent data breach, whether they employ a chief information security officer and how frequently their products have been audited by third-party evaluators.

FCW obtained the responses sent by those five companies (Five Cedars Group, Hart Intercivic, Election Systems and Software, Unisyn and Dominion Voting). All reported no evidence of a breach or successful cyber intrusion, but three -- Five Cedars Group, Unisyn and Dominion Voting -- said they did not have a CISO.

Hart Intercivic provides optical scan and DRE voting machine services to jurisdictions across at least 14 states. The company did not directly respond to Wyden's questions but insisted its machines "are required to meet strict certification requirements" from federal, state and local authorities.

Phillip Braithwaite, Hart's president and CEO, pointed to the decentralized, fragmented nature of elections across thousands of counties in the United States as a core element that helps protect the overall voting system.

"Note that more centralized systems (e.g. state voter registration databases which are required by federal law to be centralized and managed at a state level) have reportedly become targets of cyber-saboteurs," Braithwaite wrote.

According to its website, Election Systems and Software provides both voting machine products and voter registration management services to 42 states. Wyden's office has characterized the company as the country's largest voting machine manufacturer.

ES&S did not directly answer Wyden's questions, but Kathy Rogers, senior vice president of governmental relations, wrote that the company has "multiple safeguards in place to protect against known and unknown threats" and invited the senator to visit the company's headquarters in Omaha, Neb.

In a statement provided to FCW, Wyden indicated he was not impressed with the company's response.

"These responses suggest the voting machine industry has severely underinvested in cybersecurity. It's cause for alarm that [ES&S] refused to answer a single question about whether it is securing its systems," Wyden said. "Given what happened during the 2016 election, voting technology companies must move aggressively to secure their products."

Unisyn provided detailed responses to Wyden's questions. The company's voting systems "have been subject to [third-party] penetration testing four times as part of the certification of new software releases," and the company said it has made several updates over the past year to bring its  systems and procedures in line with National Institute of Standards and Technology best practices for cybersecurity. The company also said it is in regular contact with the Department of Homeland Security, which provides updates on threats to critical infrastructure.

"Our voting systems are inherently and intentionally designed to function disconnected from any external network, both wired and wireless," wrote company President Jeff Johnson. "We believe this minimizes the avenues that an external party would have to disrupt or influence the voting process."

The responses track with the belief among some observers that voting machines are relatively hard targets for hackers to penetrate in the nation's election infrastructure. For example, Braithwaite highlighted the segregation that exists between elements of the election system that deal with vote tabulation and the infrastructure and procedures surrounding voter registration. These two separate and distinct processes are often "erroneously blended" in news media reports, "creating confusion among readers about where the problems actually lie," he wrote.

"Most of the recent stories about election security and 'hacking' surrounding the 2016 general election are related to the upstream process of securing and managing voter registration data," Braithwaite wrote.

Doug Robinson, executive director for the National Association of State Chief Information Officers, said that local jurisdictions and state secretaries have a great deal of authority around election infrastructure security and that state CIOs often support that process. Robinson told FCW that separating fact from fiction is a constant struggle around election cybersecurity. He too highlighted the risk faced by voter registration databases.

"There's greater concern around voter registration rolls, and there's already evidence that there's been, obviously, breaches and security incidents," Robinson said.

He said he also worries about the potential of distributed denial of service attacks to disrupt government systems and services around election time. He said that during past high-profile state and local incidents -- like the Flint, Mich., water crisis and the Ferguson, Mo., protests and riots -- those localities were hit with DDOS attacks that shut down government websites and systems at a time when residents needed to access them the most.

A similar attack during election week, he posited, could disrupt the ability of a local government to communicate and coordinate election activities and impact voter turnout.

"There's the folks who are ignoring [election security] as an issue, and there are folks who are hysterical about it," Robinson said. "I'd say the truth, as always … is in the middle."