Lawmakers of both parties want more scrutiny of the companies whose equipment and software do everything from storing voter data to recording the vote.
The furor over fake news and Russian bots is overshadowing another weak link in the security of U.S. elections — the computer equipment and software that do everything from storing voters’ data to recording the votes themselves.
Now the voting vendor industry is receiving increased attention from Congress and facing the prospect of new regulations, after more than a decade of warnings from cybersecurity researchers and recent revelations about the extent of Russian intrusions in 2016.
Moscow-linked hackers probed voter registration rolls and other election-related systems in at least 21 states during the 2016 election cycle, the Department of Homeland Security said last year — though investigators have not reported any evidence that the intruders deleted or changed any data. Security experts and some lawmakers have also complained since the early 2000s about the secrecy and lack of independent testing among companies that make election equipment, especially electronic touchscreen machines that leave no paper record of how people voted.
Researchers who study election systems say they cannot tell the public about all the weaknesses they find, for fear of being sued if they violate non-disclosure agreements the companies have imposed. Election officials in states like Virginia say some vendors have refused to comply with their requests for cooperation in locating vulnerabilities.
Meanwhile, security agencies are warning that the Russians are likely to meddle again in this year’s midterm elections — and key lawmakers believe time is running out to put up safeguards.
“This industry is basically laying out a path to trouble,” said Sen. Ron Wyden (D-Ore.), a leading congressional voice on cybersecurity who has tried — and largely failed — to get answers from voting technology vendors about their ability to secure their products.
“You’ve got several of the biggest companies [that] won’t answer questions — basic questions — about if and how they’re securing their own computers and the voting machines that they sell to states,” he told POLITICO.
Sen. James Lankford (R-Okla.), who chairs a Homeland Security subcommittee, is the lead sponsor on a bipartisan bill that would direct vendors operating election systems to report cyberattacks to the authorities. The measure would also offer rewards to researchers who uncover flaws in voting systems as part of a voluntary “Hack the Election” program.
Separately, House Democrats are pushing a bill that would allow states to spend federal grant money on voting technology only if the manufacturers agree to notify officials of hacks and adhere to security guidelines set by Washington.
Even some vendors say they expect to face tighter requirements down the road. “I really think that there’s going to be some raising of the bar,” said Ed Smith, vice president of product at Clear Ballot, which sells software that helps state and local governments scan and tally votes.
But vendors dispute the idea that they are ignoring warnings from security experts or that they represent a weak link in the system. Some vendors say they’ve yet to get real offers of help from the hacking researchers, some of whom have staged demos at hacker conferences where they required just a few minutes to compromise an older-model voting machine.
“I have yet to have a researcher ... reach out directly, saying, ‘Hey, we would like to partner with you and find a way to improve your products or address vulnerabilities or help you find vulnerabilities,’” said James Simmons, vice president of technology and operations at Everyone Counts, which makes voter registration software.
Several other vendors refused to speak with POLITICO after learning that the interview would deal with potential flaws in equipment or software.
At the heart of this election security standoff is an acrimonious relationship between the researchers who analyze voting systems for digital flaws and the vendors trying to preserve their profits and reputations in a small, difficult market. It's a battle that goes back at least to the early 2000s, when counties and states were replacing their antiquated punch-card voting machines after Florida’s Bush v. Gore debacle.
Many states ended up adopting paperless, touchscreen machines, which are still used in some states such as Pennsylvania.
In 2006, a team of security researchers published a report saying that touchscreen voting machines made by the notably litigious vendor Diebold were vulnerable to “extremely serious attacks.” The researchers were so afraid of being sued by Diebold — now a subsidiary of the voting technology behemoth Dominion — that they broke with longstanding practice and didn’t tell the company about their findings before publishing.
The team was “afraid that [Diebold] would try to stop us from speaking publicly about the problems,” said J. Alex Halderman, a University of Michigan computer science professor who was one of the report’s authors.
When California and Ohio ordered voting technology vendors to comply with independent reviews in 2007, getting access to important data was “like pulling teeth,” said Matthew Blaze, a computer science professor at the University of Pennsylvania who worked on both reports and has since analyzed many voting systems.
In the end, researchers found “laughable” flaws in the machines, said Joe Hall, the chief technologist with the digital privacy advocate Center for Democracy & Technology, who participated in the Ohio review. “They made us jump through all these hoops for stuff that was just fundamentally insecure and fundamentally low-quality design.”
That story rings true to all the researchers POLITICO interviewed who have worked with voting technology companies. For instance, strict non-disclosure agreements are common.
“We can’t agree to conditions that would preclude us from talking to the public about issues we found, since our work is in the interest of the public,” Halderman said.
Critics also accuse these companies of denying security issues and even refusing to help their customers. The 2007 reports listed “hundreds” of flaws, but Blaze said that “the reaction was universally to say: ‘Oh well, these aren't really important. They couldn’t be exploited in practice. Don’t worry about them.’”
Last year, the voting machine manufacturer Hart refused to give Virginia officials a test unit of one of its machines when the state was considering removing electronic voting machines that researchers consider insecure.
“They just didn’t want to give it to us,” said Edgardo Cortés, who was Virginia’s top election official from 2014 until last month. “They didn’t want us to do the testing.”
Virginia ultimately banned the electronic touchscreen devices because they do not produce a paper audit trail.
Vendors of paperless touchscreen devices are particularly sensitive to security criticisms of these machines, which experts say are the most susceptible to digital tampering. POLITICO set up an interview with MicroVote, which makes touchscreen machines used in Indiana and Tennessee. But after learning that the conversation would cover the risks of using paperless devices, Bernie Hirsch, MicroVote’s top security officer, canceled the interview.
“It appears from the subjective nature of your questions that this is more of an opinion piece and so I won’t be able to assist you further at this time,” Hirsch said in an email.
Such reticence has “done a significant amount of damage in slowing down the transition to more secure infrastructures,” Blaze said. “There’s been a lot of denial and foot-dragging in getting these problems not just fixed but even acknowledged.”
To gauge industry reaction to these criticisms, POLITICO requested individual interviews with all the major voting technology vendors, including the massive firms Dominion, Election Systems & Software and Smartmatic, as well as the smaller companies Hart, MicroVote, Unisyn, Everyone Counts, Clear Ballot and Scytl. In response, ES&S sent POLITICO a statement that was co-signed by Dominion and three other vendors.
“To say the public vetting and governmental regulation, testing and certification processes that our products face lacks rigor or transparency, is simply untrue,” the companies said. “We are fully-committed to working with our government partners to find consensus on a realistic and workable framework for continued security.”
But the statement didn’t address the specific criticisms leveled by the researchers and lawmakers POLITICO interviewed.
Hart, which signed the statement, canceled a previously scheduled interview after ES&S sent POLITICO the document. Unisyn, which also signed the statement, likewise declined interview requests and pointed to the document.
But those who agreed to interviews painted a vastly different picture than the frustrated researchers, officials and policymakers. They said they take cybersecurity seriously through rigorous testing and denied placing onerous restrictions on independent testers. Some said they sent employees to security conferences to compare notes with researchers.
Scytl, which makes voter registration software, was born out of a university research project on cryptography. As a result, said Jonathan Brill, vice president of U.S. operations, security is in “our DNA.”
“Whatever we can do to support that and continue to make that a priority, we're in favor of it,” he added. “And if that means ensuring that only the companies that are most secure are the ones in our industry, then that should be the case.”
Cyber researchers argue that because election offices don’t buy new voting technology regularly — many haven’t replaced their machines in a decade — vendors must focus on high-margin products like electronic systems using software that must be licensed through annual fees.
In that environment, vendors have little incentive to “spend a lot more upfront to make [products] secure versus [making them] good enough to pass muster,” said Cortés, the former Virginia election official.
Vendors conceded that the market is difficult. “There's just not a lot of money at the end of the day,” said Simmons, of Everyone Counts, while disputing that tight margins meant ignoring security. “How companies can operate and be profitable is pretty constrained.”
And after years of mistrust, some vendors are deeply suspicious of cyber experts’ intentions.
Antonio Mugica, the CEO of Smartmatic, which makes voting machines and poll worker software, said some researchers are “self-appointed experts” who have spent years over-hyping voting security threats. “When we have engaged with those types,” he said, “it has been of no use, because they already made the conclusion and nothing you say is going to change their mind.”
But the two sides might be forced to come together as Congress, federal regulators and state officials contemplate new laws, regulations and guidelines.
In addition to forcing voting system vendors to report cyberattacks, Lankford’s bill would create an independent panel of cybersecurity experts and offer federal funds to states if they implement the group’s recommendations.
The measure has significant bipartisan sponsorship from across the ideological spectrum, from Democrats like Minnesota Sen. Amy Klobuchar and California Sen. Kamala Harris to Republicans like Maine Sen. Susan Collins and South Carolina hawk Lindsey Graham.
The House Democrats’ bill would also create a $1 billion election technology grant program that would be overseen by the Election Assistance Commission, the small agency that Congress created to help states and local governments manage technology upgrade funds after the 2000 election.
The commission now works with industry and academia to develop voluntary guidelines, including security recommendations, for voting systems. Most states require voting technology vendors to meet these standards, but the high-level guidelines do not explicitly require the rigorous testing and design practices that experts say are needed.
The commission also collects well-written local purchasing contracts that include clear language about security expectations, Chairman Matthew Masterson said. Numerous experts told POLITICO that strong, security-focused contracts were an essential tool, noting that the 2007 California and Ohio tests were possible only because of pressure from officials there.
Digital security specialists say contracts should require vendors to use industry-standard design practices, avoid proprietary code and provide test units to researchers with as few restrictions as possible. The commission has offered contract-writing advice when tech-illiterate local officials ask for it, but experts suggested that Congress codify this responsibility.
“I think this is an area where the federal government can really play an effective and targeted role,” Wyden said.
Vendors think the Department of Homeland Security’s election security work with states might also create new expectations for their industry. The agency has been offering voluntary digital security screenings to states, which can opt in to remote weekly scans as well as request a more thorough, in-person review.
Ed Smith, of Clear Ballot, said he expected DHS to bring the voting technology industry more in line with the electricity and health care sectors.
“I sense an undercurrent of that from the DHS folks,” he said.
In January 2017, the department classified election systems as “critical infrastructure,” putting them in the same category as power grids and hospitals. But officials have insisted the designation brings with it no new regulations. Still, given the rise of sophisticated cyber threats, Smith said it isn't surprising that the government is “looking to take a little firmer hand [with vendors] and maybe close that hole in the process of setting up our nation's elections infrastructure.”
But for researchers like Blaze, it’s a matter of how quickly these changes arrive.
“The question,” he said, “is how catastrophic a failure are we going to need before that happens?”