House panel mulls new election tech specs

The House Science, Space and Technology Committee will mark up new legislation on Nov. 14 that would mandate new research into voting machine cybersecurity vulnerabilities and update the way the government certifies such equipment.

The bill would direct the National Institute of Standards and Technology and the National Science Foundation to conduct research on voting systems. To do this, NIST would select and partner with a higher education institution or nonprofit to create a new Center of Excellence in Election Systems that would include academics, researchers, private companies and state and local election officials.

The center would be responsible for testing and evaluation of the security, usability and accessibility of voting systems and conducting research and analysis that would underpin new election technology standards. It would also research new testing methods for voting system certification, educate and train STEM students on voting machine research and increase cooperation between researchers, voting system vendors and state and local officials.

The NSF would establish a new grant program that would fund up to 10 years of research into the issue, including the cybersecurity of different components and systems that make up voting systems, end-to-end verifiable systems, internet-enabled voting, accessibility, post-election audits, system interoperability, voter verification and authentication and any other areas the agencies deem relevant. Those grants would be doled out at the discretion of NIST, NSF and the Department of Homeland Security.

The legislation comes at a time when lawmakers and experts are increasingly questioning whether the Election Assistance Commission, the primary federal agency charged with overseeing the security and integrity of voting systems, is up to the task.

Following the 2016 U.S. presidential election, when interest in voting system security became heightened, the commission operated for almost a year without a quorum. That delayed the approval of pending cybersecurity updates to the voluntary certification standards that most states use to purchase voting systems. Those standards were last amended in 2015, but election security experts say most of the voting machines in use today are actually pegged to standards established in 2005. Security researchers have found such machines to be riddled with vulnerabilities.

Some have accused the commission of becoming politicized, with some commissioners expressing deep skepticism about the U.S. intelligence community's assessment blaming Russia for 2016 election interference and the need for greater voting system security.

Experts have also criticized the EAC-overseen certification process for being too slow, inefficient and inflexible to provide states and vendors with the ability to quickly update their equipment in response to emerging threats.

Under the proposed legislation, the EAC would collaborate with NIST to update that certification process but NIST would be in charge of providing technical assistance to states regarding "implementation of cybersecurity standards, privacy standards, risk assessments, risk-limiting audits, and technologies" of EAC certification standards.