ATLANTA — The private companies that make voting equipment and build and maintain voter registration databases lack any meaningful federal oversight despite the crucial role they play in U.S. elections, leaving the nation’s electoral process vulnerable to attack, according to a new report.
The Brennan Center for Justice on Tuesday issued the report, which calls on Congress to establish a framework for federal certification of election vendors. The authors say this could be established as a voluntary program similar to how voting machines are certified, with incentives for state and local election officials to use vendors that have completed the process. It would include the establishment of federal standards and the ability for federal officials to monitor compliance and address any violations.
The report’s co-author Lawrence Norden acknowledged it was too late for any of this to happen in time for the 2020 presidential election.
“Even if (Congress) had the will, it couldn’t be passed in time,” said Norden, director of the Election Reform Program at the Brennan Center. “This is another security vulnerability that Congress hasn’t addressed.”
Norden said congressional inaction has increased the pressure on state and local election officials to secure their voting systems and have measures in place should something go wrong. Although Congress sent $380 million to states last year for election security, Norden said it was a “drop in the bucket” of what is needed as state and local election officials look to fund the replacement of outdated and insecure voting systems, increase cybersecurity personnel and add security upgrades.
The Brennan Center, which is based at New York University School of Law, said the most logical agency to handle federal oversight of election vendors would be the U.S. Election Assistance Commission. But that agency has been hobbled in recent years by reduced federal funding and leadership vacancies.
Although two commissioners were added this year, the agency is searching for a new executive director and general counsel.
The report acknowledges the commission does not have the authority that would allow it to certify election vendors. But the commission could take steps through its existing certification program for voting systems to ask vendors to provide details on cybersecurity practices and ownership information, according to the report. There have been concerns about foreign ownership of election companies operating in the United States.
“Private vendors’ central role in American elections makes them prime targets for adversaries,” the report said. “Yet it is impossible to assess the precise level of risk associated with vendors or how that risk impacts election security.”
The report notes that just three companies provide more than 80% of voting systems in the U.S. and that other systems like voter registration databases and electronic pollbooks are also supplied and, in some case, maintained by vendors.
A report by The Associated Press last year found the leading voting-related companies had long skimped on security in favor of convenience and operate under a shroud of financial and operational secrecy despite their critical role in elections.
Federal officials have sought to boost communications and information sharing through the formation of a group that brings together representatives of the Department of Homeland Security and election vendors. This includes the major firms of Election Systems and Software, Dominion Voting Systems and Hart InterCivic.
There are also efforts to develop a program that would allow authorized security researchers access to election equipment so vulnerabilities within election systems can be identified and addressed. The industry, historically opposed to such outside reviews, has signaled a willingness to explore this. All the major firms have sought to reassure the public and election officials that it takes security seriously, but experts say it’s difficult to confirm given the limited visibility into their operations.
A spokeswoman for Election Systems and Software said the company “fully supports” additional oversight and increased security testing of elections equipment, adding the company has submitted its equipment to testing by independent security researchers.
“ES&S agrees that all vendors should be held accountable for following best practices for all aspects of security, as ES&S does, and agrees that vendors should be American owned and operated, as ES&S is,” said spokeswoman Katina Granger.
The report noted that other industries also viewed as critical to national security, such as defense contractors, face substantial oversight and must comply with various requirements.
Norden said much of the focus within election security has been on the machines and how best to secure them but critical questions remain about how secure the vendors themselves are. He noted that former special counsel Robert Mueller described in his report how Russian agents in 2016 targeted employees of a voting technology company and installed malware on the company’s network. Details on the extent of the breach have not been made public.
“Vendors are responsible for election security in a way that folks probably don’t understand,” Norden said. “When we talk about election security, we talk about what election officials are doing, but we’ve left this big part of the puzzle out of the discussion.”