Election Insecurity Vendor Vulnerability

In this July 14, 2018, photo, Election Systems & Software (ES&S) VPs of Sales, Bryan Hoffman, right, and Mac Beeson look at some of the company's election equipment in the vendor display area at a National Association of Secretaries of State convention in Philadelphia. Experts say top election vendors have long skimped on security in favor of convenience and use proprietary systems, making it more difficult to detect election meddling.

WASHINGTON — A major voting-machine vendor reversed course Friday and urged Congress to pass legislation mandating paper trails for all votes as an anti-hacking protection.

The company, Election Systems & Software, also pledged to no longer sell paperless voting machines as the primary voting device in an election jurisdiction and urged Congress to mandate security testing of voting equipment by outside researchers. That promise was made in an op-ed from chief executive Tom Burt published in Roll Call.

Burt called such a move “essential to the future of America” and vital for restoring “the general public’s faith in the process of casting a ballot” after the 2016 election was marred by Russian attempts to hack into election systems.

The call marks a major about-face for ES&S, which, as recently as September, lashed out at researchers who publicly tested its voting machines for hackable vulnerabilities at the annual Def Con hackers conference.

The move also comes, however, as chances look extremely slim for any election security legislation to make it out of Congress this year because of fierce opposition from Senate Majority Leader Mitch McConnell, R-Ky.

Even a popular bipartisan bill, the Secure Elections Act — prepared by Sens. James Lankford, R-Okla., and Amy Klobuchar, D-Minn., among others — has almost no chance of getting an up-or-down vote at this point, Sen. Roy Blunt, R-Mo., who chairs the Senate Rules and Administration Committee, which oversees most election security legislation, told the New York Times on Friday.

“No, I don’t think there is any likelihood that we are going to move a bill that federalizes more of the election process,” Blunt told the Times. “Our focus will be on being sure that we are supporting the state and local governments that have run and will be the best people to run elections.”

The ES&S declaration is the latest in a string of voluntary actions taken by states, localities and election technology vendors in the absence of congressional action.

States and jurisdictions that have paperless voting machines are generally moving to systems with paper trails -- which security professionals say are essential to ensuring the security of elections, both so voters can verify their own votes were correctly recorded and so officials can audit that paper trail later.

And between 2016 and 2018 the Department of Homeland Security tested the cybersecurity of voting systems in numerous states and localities.

ES&S also submitted some of its voting technology for security testing by Idaho National Laboratory in April, and the company told Cyberscoop that it’s working with some congressional staffers on an industry-wide program to allow independent researchers to alert them to hackable vulnerabilities in their systems.

But those voluntary actions won’t be sufficient to ensure the highest security against hackers from Russia and elsewhere, according to election security experts and Democratic politicians.

Sen. Mark Warner, D-Va., hammered Republicans for failing to support election security legislation in Democrats’ weekly address on Friday.

“The truth is [if] the Secure Elections Act that was introduced last session were brought to the floor today for a vote, it would pass overwhelmingly. But the White House and Senate Republican leaders have been blocking a vote,” Warner said, calling it “part of a pattern with a White House and a president that has shown no interest in tackling this problem.”

And because ES&S’s commitment to third-party testing is entirely voluntary, it also gets to say who those third-party testers are, Georgetown University cybersecurity professor Matt Blaze pointed out on Twitter.

Blaze was a co-author of the 2018 Def Con report, which found numerous hackable bugs in voting systems — including one that was more than a decade old. As the researchers prepared to test the company’s systems, ES&S asserted they were breaking the law by using the company’s software without a license and later told lawmakers that the Def Con work could provide a dangerous roadmap for Russian hackers looking to penetrate their systems.

“I see this op ed as a positive first step. I think the voting system vendor community, which has long automatically denied even the most glaring security weaknesses, is starting to see the handwriting on the wall on demand for more secure voting system architecture,” Blaze wrote. “But if you’re serious about wanting security testing, please stop threatening security experts who examine and comment on your products.”
