Private Vendors Critical to Election Security Inadequately Supervised

Published 14 November 2019

Private vendors build and maintain much of the election infrastructure in the United States with minimal oversight by the federal government. A new report presents the risks this poses to the security of our elections and offers a solution.

Private vendors build and maintain much of the election infrastructure in the United States with minimal oversight by the federal government. A report released today by the Brennan Center for Justice at NYU Law presents the risks this poses to the security of our elections and offers a solution.

“Vendors manufacture and maintain much of America’s election infrastructure, yet they’re subject to fewer federal government regulations than the companies that make colored pencils,” said Lawrence Norden, one of the authors of A Framework for Election Vendor Oversight and director of the Brennan Center’s electoral reform program. “After the 2016 election, we have no doubt that our voting systems are a target of foreign adversaries. Congress must do more to protect our elections from attack.” 

Because the election vendors are allowed to keep their security practices secret, election officials have little of the information they need to protect their voting systems. The report’s authors — Norden, Christopher Deluzio, and Gowri Ramachandran — propose a federal oversight structure to improve transparency and security. For the short term, they recommend contingency plans to compensate for attacks on election systems in 2020.

The Brennan Center says that, as the report details, the private companies that manufacture and maintain election systems are not required under federal law to tell their customers if their networks have been hacked, to disclose who owns or controls them (including whether those owners have ties to foreign governments), to share their cybersecurity practices, or to provide their screening procedures for employees in critical positions.

The authors note that most of the voting system industry is controlled by a few companies, creating fewer and larger targets for adversaries. In addition, private vendors are involved in all aspects of elections, producing, servicing and programming registration databases, electronic pollbooks, voting machines, and election night reporting systems.

“Private vendors dominate every stage of the voting process, supplying and servicing part or all of the election systems across the nation. Their involvement is soup to nuts, from voter registration to vote counting,” said Norden. “Congress must establish a robust oversight system for this industry. We have to do a better job at protecting the vote.”

The nation’s election systems were designated as “critical infrastructure” by the Department of Homeland Security in 2016. A Framework for Election Vendor Oversight compares the oversight and regulation of election systems to that of the defense, energy, and nuclear industries and other sectors whose products have been deemed critical infrastructure. The authors found that election vendors are subject to significantly less federal scrutiny than the companies in these other sectors.

To provide election officials and the public with more information about the vendors who play such a critical role in the integrity and security of our nation’s elections, and to set new federal standards for these vendors, the report proposes:

·  Establishing a voluntary federal vendor certification program

·  Overhauling the Election Assistance Commission’s Technical Guidelines Development Committee with more cybersecurity expertise so it can issue a set of best practices

·  Ensuring that certified vendors comply with best practices related to cybersecurity, personnel, transparent ownership, reporting cyber incidents, and supply chain integrity, and developing a protocol for addressing violations of those practices

The report’s authors call on Congress to enact those reforms and also to fund state and local efforts to identify and recover quickly from interference during the 2020 election. They recommend that all jurisdictions:

·  Stock paper backups for voting machines that don’t produce paper records

·  Create backups for electronic poll books and for registration databases

·  Conduct post-election audits

·  Hire cybersecurity experts to spot and fix problems