Wyden asks election commission to issue fresh cybersecurity guidance

Another day, another letter from Sen. Ron Wyden questioning the federal government's tech priorities.

Sen. Ron Wyden, D-Ore., has asked the Election Assistance Commission to issue updated cybersecurity guidance to states to protect their voting infrastructure ahead of the 2018 midterm elections.

Congress allotted $380 million to states through a March spending bill to help secure their voting systems, a move that analysts welcomed as necessary, but insufficient to replace paperless voting machines that could fall prey to digital manipulation. “Absent guidance from the EAC, some states may opt to spend these new funds on insecure voting technology,” Wyden wrote in a letter obtained by CyberScoop.

“Election security experts have worked tirelessly to understand and articulate the vulnerabilities certain types of machines can introduce into elections,” Wyden wrote, adding that new EAC guidance must incorporate those findings.

The senator also wants the EAC to answer a series of questions by July 15, including whether the commission has any full-time cybersecurity experts on staff and whether it has ever revoked a voting system’s certification because of cybersecurity concerns.


In addition, Wyden asks what processes the EAC has in place to make sure states’ voting systems adhere to cybersecurity best practices. The senator also wants to know whether the EAC supports things like penetration testing and red-teaming of systems, and if so, what it has done to spread those practices.

The Department of Homeland Security has been offering states vulnerability assessments and classified briefings to prepare them for the midterm elections. A top DHS official told Wyden in April, however, that the department had not assessed whether individual election-system vendors had followed good cybersecurity practices.

CyberScoop has asked the EAC for comment on the letter from Wyden and will update this story if any is provided. The EAC approved updated voting security guidelines in 2015, and again in April 2018, according to the commission’s website.

Nonetheless, Wyden says, “the guidelines still encourage states to adopt policies – including certifying machines that make auditing difficult and permitting voting systems to be connected to the internet – that are wildly inconsistent with modern cybersecurity best practices.”

You can read the full letter below.




Written by Sean Lyngaas
