Beyond that, as the Associated Press noted earlier this week, the top three vendors of electronic voting systems—ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver, Colorado; and Hart InterCivic of Austin, Texas, which collectively control more than 80% of the market—tenaciously resist transparency. They won’t allow open-ended vulnerability testing by independent, white hat hackers, and won’t make public the results of any testing they have commissioned themselves. Two of the three won’t even say who’s doing the testing.
But various “freelance” testing has revealed ominous vulnerabilities. Brian Varner, a security researcher with Symantec, wrote just this past week that he bought a couple of voting machines used in the 2016 election, and found that “tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped.”
“The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted,” he wrote.
Varner said an attacker would need physical access to a machine to exploit it, and noted that there are now internal policies to inspect machines for evidence of tampering. Still, he said his team had been able to compromise a machine’s smart chip card, allowing them to vote multiple times.
“In most parts of the public and private sector, it would be unthinkable that such a sensitive process would be so insecure,” he wrote.
And government, at least so far, hasn’t forced the matter.
The Election Assistance Commission, a 30-employee agency within the Department of Homeland Security that certifies voting equipment, has multiple lists of recommended best practices, but compliance is voluntary, not mandatory. It has no oversight power and can’t sanction manufacturers for any failures.
This in spite of the fact that election systems were declared in January 2017 to be part of the nation’s critical infrastructure.
Add to that the reality that the U.S. election system is not a single entity—there are more than 10,000 voting jurisdictions. Conducting rigorous oversight of all of them calls to mind herding cats.