Lawmakers are concerned about a major blind spot in the government’s ongoing effort to protect U.S. elections from hackers.
Agencies like the Homeland Security Department have little insight into the cybersecurity practices of election technology vendors. According to the Senate Intelligence Committee, this lack of visibility opens the door to supply chain attacks that government cybersecurity experts might otherwise detect or stop.
The Senate committee’s first installment of a larger report on Russian targeting of the 2016 presidential election was released late Tuesday night. It focuses on assessing the federal government’s response to security threats and provides recommendations for future elections.
Most of the infrastructure used to process votes today is composed of equipment and software sold by private vendors. Government agencies are not allowed to enter and defend private computer networks unless the owner gives direct consent, which in turn limits the defensive support immediately available to the election technology industry.
Reporting by The Intercept previously showed that Russian hackers attempted to breach Florida-based VR Systems in 2016, months before the election.
DHS did launch a working group in December with representatives from vendors to provide some level of coordination between the government and private sector on security strategies and information sharing.
“Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target for malicious cyber actors,” the report notes. “State, local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors.”
Historically, election technology vendors have not been open to discussing their cybersecurity practices, although they insist that they follow rigorous standards.
Security researchers have lobbied for easier access to election equipment and software, through bug bounty and vulnerability disclosure programs, in order to probe them for vulnerabilities. But vendors remain largely resistant to facing additional public scrutiny.
The lack of information is concerning because election technology vendors aren’t subject to any mandatory national requirement for cybersecurity best practices.
The Election Assistance Commission (EAC) does in fact provide security guidelines for the testing of voting systems, but abiding by them is currently voluntary. Standards are usually instituted at the state or local level where elections are managed. Homeland Security has also been sharing voluntary recommendations for state election officials to consider when purchasing new equipment.
Because of the distributed nature of voting in America, the country has a patchwork of different types of voting equipment used across different jurisdictions. The committee report describes this situation as a double-edged sword.
“Because of the variety of systems and equipment, changing votes on a large scale would require an extensive, complex, and state or country-level campaign,” the report states.
But the committee also acknowledged that an adversary could widen its impact by simply focusing on several key states or jurisdictions that have more weight in the electoral process, as experts have pointed out.
States are now starting to receive their individual pieces of a $380 million federal fund for improving the administration of federal elections.
While the states are technically allowed to use the funds for any purpose when it comes to federal elections, lawmakers, the EAC and other observers have pushed for that money to go to improving election security. That includes replacing voting machines used in many states and jurisdictions that don’t produce a paper record.
Experts have long pointed to paperless voting machines as a major vulnerability, since they leave no independent record against which a tally can be audited. Currently, five states continue to use such machines exclusively, and many others have individual counties that rely on them. In just the last year, however, some states have taken steps to replace the machines.
“At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability,” the committee said in its recommendations.
A separate, classified report on election infrastructure threats has also been completed but is not yet public. Lawmakers plan to release that secondary report after a declassification review is completed.