For latest election security moves, the devil is in the details

Last week it looked like a logjam was cleared on election security. The Senate approved $250 million in funding to states to secure election infrastructure ahead of 2020. Microsoft announced it would continue supporting Windows 7, the soon-to-be-obsolete operating system used on voting machines in thousands of jurisdictions, throughout the 2020 election cycle. Additionally, the Election Assistance Commission met to discuss its latest security standards for voting machines.

While new federal dollars for election security are welcome, experts caution that more money might be required and more direction is needed on how to spend the money in the form of new legislation to put smart policy behind congressional outlays.

The Brennan Center for Justice estimates the cost of replacing all paperless voting machines in the country at $734 million over five years. When added to the costs estimated to tackle other problems like protecting voter registration data, implementing post-election audits and extending cybersecurity assistance to state and local governments, the total price comes out to more than $2.1 billion.

According to research from the OSET Institute, software licenses, maintenance fees and other costs to support voting machines past their first year are hard to quantify and can end up costing more than the initial equipment purchase. Contract language tends to leave the timing, nature and additional costs of such updates at the discretion of voting machine manufacturers.

For now, the funds allocated by the Senate come without security-specific mandates. States can use the money on non-security related products and services or buy the same type of voting machines that Congress, security experts and the Department of Homeland Security say are obsolete.

Susan Greenhalgh of the Election Defense Coalition told FCW her organization was "pleased" with the development but emphasized "this is not a problem that can be solved by throwing money at it alone."

"We have an industry that is unregulated, with little to no accountability for the voting system vendors," Greenhalgh said in an email. "It's imperative that Congress include minimum security requirements that states must meet, attached to the federal funds."

Lawrence Norden of the Brennan Center for Justice said research by his organization indicates that about 90% of the $380 million in leftover Help America Vote Act funding allocated by Congress last year was spent on or planned for "core election security services" at the state level. Norden is concerned that the new dollars will be used by Senate Majority Leader Mitch McConnell (R-Ky.) as a justification for not considering numerous pending standalone bills designed to improve the security posture of future elections.

"You're not going to be able to ban [paperless machines] through the appropriations process," he told FCW. "To set up minimum standards around cybersecurity and post-election audits … that's something that you need legislation for."

Senate Minority Leader Chuck Schumer (D-N.Y.) sounded a similar note in remarks last week. "We're getting the money through appropriations, but we need legislation to refine where the dollars go," Schumer said Sept. 19 on the Senate floor.

Patching bureaucratic inertia

Heading into 2020, one of the biggest unanswered security questions has been how thousands of jurisdictions still using Windows 7 for their voting machines would cope past January 2020, when Microsoft originally planned to stop supporting the outdated operating system. The company's extended support was met with sighs of relief, but a complex recertification process could significantly limit its impact.

Until 2015, the Election Assistance Commission required all software updates to voting machines, even minor ones, to undergo a lengthy recertification process. Today, certain updates can be treated as "de minimis," or small enough to sidestep a more thorough recertification. However, that power has seldom been used by the commission, according to Eddie Perez, global director of technology development at the OSET Institute and a former executive at voting system vendor Hart InterCivic.

A full recertification could mean the difference between a security update taking two weeks or three months to implement, Perez told FCW. That could lead to states forgoing such updates in order to stay in compliance or seeking state waivers to patch their machines absent EAC recertification.

"[The EAC] has had an increasing number of opportunities to evolve from a testing certification organization versus becoming a more thoughtful institution that says … it's our job to be assisting election administrations and bolstering national security," Perez told FCW. "To me, it's clear that if EAC wanted to … be more mindful of its duties, the commissioners make policy and then from the policy, you can then generate functional requirements at the level of staff and testing and certification program."

An EAC spokesperson did not respond to FCW's request for comment.

Let's (not) connect

At a recent meeting, EAC Testing and Certification Director Jerome Lovato said 93% of the more than 2,800 comments EAC received earlier this year on a principles document for the new standards were from individuals and groups asking for new requirements for hand-marked paper ballots and a ban on wireless modems in voting machines.

Experts have long recommended that voting machines and other critical election systems not be configured to connect to the internet, something that could open them up to numerous attack vectors. Lovato told the commission that "not a lot" was changed in response to the feedback, citing a one-word switch in language as the most significant alteration to come out of the process. Comments requesting a ban on wireless modems in voting machines, he said, were more appropriate for the technical requirements portion of the standards.

"I think there was truly a sincere misunderstanding of the principles and guidelines being just that, and so that's the impression I got from the comments I received," said Lovato. "When we had our in-depth discussions with [the National Institute of Standards and Technology], it was just like, 'Well, is this enough to really alter the principles and guidelines?' And at the end of the day, it just wasn't."

After Lovato's comments, EAC General Counsel Cliff Tatum clarified that commissioners will still have the final say on whether to accept staff recommendations or further alter language.

Greenhalgh said the EAC's inability to aggressively push those provisions for new voting system standards is a sign they are "fully ignoring the public uproar."

"This illustrates the need for Congress to include simple, commonsense, baseline security provisions attached to any federal funding that is offered to the States," she said.
