A number of election security bills and discussion drafts are currently before the House and Senate. If passed, could they really lead to secure elections?
The original version of this post was published in Forbes.
If the security of voting systems in the next election will be a function of the amount of legislation on the topic now pending in Congress, we’ve got nothing to worry about in November 2020.
There is a growing pile of bills in both the House and Senate, most featuring several to dozens of cosponsors—sometimes even from both parties—accompanied by press releases with made-to-order endorsements from congressional leaders, advocacy groups and cybersecurity experts. They all call for securing U.S. elections and “protecting our democracy.”
But, of course, the number of bills doesn’t matter. It’s about quality, not quantity. The things that do matter are what gets enacted into law and whether its mandates get done or get watered down.
And that, as the predictable cliché goes, remains to be seen.
The bills, or “discussion drafts” of them, are coming from both parties. They include:
While the various bills have different emphases, they collectively have provisions that have been recommended by cybersecurity experts for years. Among them:
Those provisions are getting generally, but not unanimously, good reviews from the security and privacy community. Common Cause issued a press release before the House passed the SAFE Act, urging members to support it.
The group is also on record, along with Democracy 21, End Citizens United, Protect Democracy, and the Brennan Center for Justice, in support of Klobuchar’s Election Security Act.
Matt Blaze, an election security expert and professor of computer science and law at Georgetown University, issued an endorsement of the PAVE Act, saying “these sensible standards and practices would greatly reduce the risk that errors or malicious hacking—even by well-resourced nation states—would lead to incorrect election outcomes.”
And Bruce Schneier, author, blogger and cryptography expert, who has written extensively on election security, said the collective goals of the various bills amount to “a really good wish list.”
But, of course, a wish list is not—at least not yet—a reality list.
Schneier, like others, said “the devil is in the details. ‘Establish cybersecurity standards….’ is great, unless the standards are written by the lobbyists and suck. ‘Fund post-election audits’ is good, unless the funding is insufficient. And so on.”
Jason Healey, founding director and senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and senior research scholar and professor at Columbia University’s School of International and Public Affairs, also called the provisions of the pending bills “a good list in general.”
But he said it is incomplete.
“What isn’t here is more on basic security features and processes,” he said. “’No wireless’ is a fine rule, but there’s so much else that goes into secure machines that might be missing. And the made-in-USA provision probably doesn’t buy a lot of security—what about the design and software?—and might create quite a bit of havoc.”
Opponents of the various bills—especially provisions that would ban internet connections and the provision to mandate paper ballots—say they could make things worse. Rep. Rodney Davis, R-Ill., said it would “create longer lines at polling places and [the ballots] can be lost, destroyed or manipulated far easier than electronic voting machines with a paper trail backup.”
Thomas Richards, principal consultant at Synopsys, agreed. “Whenever a person is responsible for handling a physical thing, that physical thing could be lost, destroyed or manipulated,” he said. “I prefer electronic voting machines with paper trail backup so that the results can be audited if needed.”
He added that properly designed electronic voting machines and systems “will enable more people to vote and votes to be tallied faster. Having them internet-connected allows for the votes to be recorded quicker so results can be shared minutes after polling sites have closed.”
But “properly designed” is not yet the reality. The reality, as the AP reported last October (which was referenced in a post on this site), is that the top three vendors of electronic voting systems—ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver; Hart InterCivic of Austin, Texas, which collectively control more than 80% of the market—tenaciously resist transparency. They won’t allow open-ended vulnerability testing by independent, white-hat hackers, and won’t make public the results of any testing they have commissioned themselves. Two of the three won’t even say who’s doing the testing.
But a few freelance experts, along with participants in The Voting Village at the past couple of DEF CON conferences in Las Vegas, have had little trouble breaking into current electronic voting systems.
Would these bills change that? Would they force vendors to allow the kinds of independent testing, with results made public, that would give voters confidence that future election results are credible?
Schneier is beyond skeptical. “Of course not,” he said. “And that’s the problem. Our voting system is run as a for-profit industry.”
The language of the bills, at least in their present form, would seem to address some of that skepticism. The SAVE Act would require (with some exceptions) that the software code in any voting system used in a federal election be open source. That means it would be “publicly available online under a license that grants a worldwide, royalty-free, non-exclusive, perpetual, sub-licensable license to all intellectual property rights in such source code …”
Which also means it would be accessible for independent testing for any vulnerabilities.
Keith Chu, a press spokesman for Wyden, said the PAVE Act calls for the director of cybersecurity and infrastructure security (within the Department of Homeland Security) to set standards for testing and certifying election equipment within six months of the bill’s passage.
Wyden repeated that call in response to the AP’s reporting in July of yet another problem—that “the vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts.”
That could lead to catastrophic insecurity of those systems, since Microsoft will stop supporting Windows 7 on January 14, 2020, which means no more technical support or patches to fix software vulnerabilities.
The software giant did tell the AP that it would continue to offer security updates for Windows 7 through 2023—for a fee.
That prompted Wyden to issue a statement to the AP saying, “Congress must pass legislation giving the federal government the authority to mandate basic cybersecurity for election infrastructure.”
Which, of course, hasn’t happened yet.
And it again “remains to be seen” whether the final version of any bill that does pass will have enough teeth to force both security and transparency on voting system vendors.
“Not only should they [vendors] be required to submit to vulnerability testing,” Richards said, “but vulnerability testing reports and information should be made public.
“These systems are responsible for one of the most critical aspects of our functioning democracy. They should not be able to hide code or information behind copyright or other techniques used to prevent independent testing of their devices.”
Schneier said he would have to see the final language of any bill to know whether it will do what it promises. “I would have to see the detailed wording and spend all the time the lobbyists have sneaking in their loopholes to find and close them,” he said.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.