For latest election security moves, the devil is in the details

While new federal dollars for election security are welcome, experts caution that more money might be required and more direction is needed on how to spend the money in the form of new legislation to put smart policy behind congressional outlays.


Last week it looked like a logjam was cleared on election security. The Senate approved $250 million in funding to states to secure election infrastructure ahead of 2020. Microsoft announced it would continue supporting Windows 7, the soon-to-be-obsolete operating system used on voting machines in thousands of jurisdictions, throughout the 2020 election cycle. Additionally, the Election Assistance Commission met to discuss its latest security standards for voting machines.


The Brennan Center for Justice estimates the cost of replacing all paperless voting machines in the country at $734 million over five years. When added to the costs estimated to tackle other problems like protecting voter registration data, implementing post-election audits and extending cybersecurity assistance to state and local governments, the total price comes out to more than $2.1 billion.

According to research from the OSET Institute, software licenses, maintenance fees and other costs to support voting machines past their first year are hard to quantify and can end up costing more than the initial equipment purchase. Contract language tends to leave the timing, nature and additional costs of such updates at the discretion of voting machine manufacturers.

For now, the funds allocated by the Senate come without security-specific mandates. States can use the money on non-security related products and services or buy the same type of voting machines that Congress, security experts and the Department of Homeland Security say are obsolete.

Susan Greenhalgh of the Election Defense Coalition told FCW her organization was "pleased" with the development but emphasized "this is not a problem that can be solved by throwing money at it alone."

"We have an industry that is unregulated, with little to no accountability for the voting system vendors," Greenhalgh said in an email. "It's imperative that Congress include minimum security requirements that states must meet, attached to the federal funds."

Lawrence Norden of the Brennan Center for Justice said research by his organization indicates that about 90% of the $380 million in leftover Help America Vote Act funding allocated by Congress last year was spent on or planned for "core election security services" at the state level. Norden is concerned that the new dollars will be used by Senate Majority Leader Mitch McConnell (R-Ky.) as a justification for not considering numerous pending standalone bills designed to improve the security posture of future elections.

"You're not going to be able to ban [paperless machines] through the appropriations process," he told FCW. "To set up minimum standards around cybersecurity and post-election audits … that's something that you need legislation for."

Senate Minority Leader Chuck Schumer (D-N.Y.) sounded a similar note in remarks last week. "We're getting the money through appropriations, but we need legislation to refine where the dollars go," Schumer said Sept. 19 on the Senate floor.

Patching bureaucratic inertia

Heading into 2020, one of the biggest unanswered security questions has been how thousands of jurisdictions still using Windows 7 for their voting machines would cope past January 2020, when Microsoft originally planned to stop supporting the outdated operating system. The company's extended support was met with sighs of relief, but a complex re-certification process could significantly impede its impact.

Until 2015, the Election Assistance Commission required all software updates to voting machines, even minor ones, to undergo a lengthy recertification process. Today, certain updates can be treated as "de minimis," or small enough to sidestep a more thorough recertification. However, that power has been seldom used by the commission, according to Eddie Perez, global director of technology development at the OSET Institute and a former executive at voting system vendor Hart InterCivic.

A full recertification could mean the difference between a security update taking two weeks or three months to implement, Perez told FCW. That could lead to states forgoing such updates in order to stay in compliance, or seeking state waivers to patch their machines without EAC recertification.

"[The EAC] has had an increasing number of opportunities to evolve from a testing certification organization versus becoming a more thoughtful institution that says … it's our job to be assisting election administrations and bolstering national security," Perez told FCW. "To me, it's clear that if EAC wanted to … be more mindful of its duties, the commissioners make policy and then from the policy, you can then generate functional requirements at the level of staff and testing and certification program."

An EAC spokesperson did not respond to FCW's request for comment.

Let's (not) connect

At a recent meeting, EAC Testing and Certification Director Jerome Lovato said 93% of the more than 2,800 comments EAC received earlier this year on a principles document for the new standards were from individuals and groups asking for new requirements for hand-marked paper ballots and a ban on wireless modems in voting machines.

Experts have long recommended that voting machines and other critical election systems not be configured to connect to the internet, since connectivity exposes them to numerous attack vectors. Lovato told the commission that "not a lot" was changed in response to the feedback, citing a one-word switch in language as the most significant alteration to come out of the process. Comments requesting a ban on wireless modems in voting machines, he said, were more appropriate for the technical requirements portion of the standards.

"I think there was truly a sincere misunderstanding of the principles and guidelines being just that, and so that's the impression I got from the comments I received," said Lovato. "When we had our in-depth discussions with [the National Institute of Standards and Technology], it was just like, 'Well, is this enough to really alter the principles and guidelines?' And at the end of the day, it just wasn't."

After Lovato's comments, EAC General Counsel Cliff Tatum clarified that commissioners will still have the final say on whether to accept staff recommendations or further alter language.

Greenhalgh said the EAC's inability to aggressively push those provisions for new voting system standards is a sign they are "fully ignoring the public uproar."

"This illustrates the need for Congress to include simple, commonsense, baseline security provisions attached to any federal funding that is offered to the States," she said.