It’s been fifteen years since the federal best practices standard for voting machines was last amended. During the intervening time we’ve seen Russian interference in the 2016 elections and allegations of fraud in the 2020 contest. Clearly, strong standards are needed to bolster both the integrity of voting machines and the public’s confidence in their security. A new draft of the Voluntary Voting Systems Guidelines – the most widely used benchmark for voting equipment in the United States – is intended to address those needs. But, according to several articles (e.g., those published by Bloomberg and the AP news services) that appeared in the week before the new Guidelines were to be adopted, a crucial change was made to the document that threatened to undermine both of these important goals.
There’s just one problem: according to the Election Assistance Commission (EAC), the body charged by Congress since 2002 with creating and maintaining strong voter security guidelines, there hadn’t been any change at all to the proposed amendments previously posted for public comment – only a clarification. After the articles appeared, the EAC issued a detailed rebuttal supporting their case. That response, however, received less attention in the press.
Leaving aside the kerfuffle over timing, the question remains whether the revised Guidelines have a crucial flaw. The back story goes as follows.
The EAC has been overseeing a long and broad-based process of review and redrafting, followed by public hearings, aimed at updating the Guidelines, together with a related certification and testing program and manual. The results of that process were widely praised and a ratification vote for the final draft was planned for February 10. A few days before that vote, however, a group of cybersecurity experts and advocates went public with a claim that the Commission’s leadership had made a significant change to the draft, presumably at the request of the small number (three) of voting machine companies that dominate this small but important industry niche.
The clarification relates to text that allows voting machines to include wireless hardware so long as no wireless software is included in the machine. But why would the Guidelines allow wireless hardware to be included at all if it must be disabled in any case? The critics alleged, and the EAC’s rebuttal confirms, that the reason for such a counterintuitive restriction is to allow vendors to use more off-the-shelf rather than custom-designed (and therefore more expensive) components in voting machines.
To the critics, that reason does not, well, compute, since wireless capabilities that have been disabled can be brought back to life by installing new software after a machine has been certified and deployed to a polling station. Including wireless hardware at all, the group of computer experts and voting integrity advocates assert, “profoundly weakens voting system security and will introduce very real opportunities to remotely attack election systems.”
There’s one problem with that argument, however, which is that the Guidelines also require voting machines to be “air gapped,” meaning that a certified voting machine can’t have a hard-wired connection to the Internet. In order to hack such a machine, a bad actor would therefore need to have physical access to a previously certified voting machine in order to install wireless software. And once they have physical access, they could as easily install their own miniature wireless device instead, something that hackers do on a daily basis when they exploit gas pumps or point of sale devices to steal payment card data or install keystroke loggers on computers to eavesdrop on what is being typed.
Those points aside, it’s important to stress that the basis for concern is real rather than theoretical. Vulnerabilities in wireless configurations have been successfully exploited in many major cyberattacks, including major thefts of consumer payment card data from the Hannaford supermarket chain and the retailer TJ Maxx. More to the point, the wireless capabilities in the WINVote machines previously used by several states were deemed to be so poorly designed that any reasonably tech-savvy teenager with a laptop could gain access and steal, or change, the voting data collected. Or, as one expert concluded, the only reason these machines might not have been hacked would be if nobody had ever tried. The embarrassing exposure of wireless vulnerabilities in these machines, now retired, was a major factor in the decision to ban wireless capabilities in the new Guidelines draft.
Making sure that future elections will be safe is complicated by the fact that elections are managed locally rather than nationally, with each state writing its own rules. Four states (California, Colorado, New York, and Texas) already ban wireless functionality in voting machines used within their borders. Twelve others base their rules entirely on the current version of the Guidelines, while a further thirty-eight either refer to them as a benchmark or incorporate portions of the Guidelines into their own rules. In the absence of national rules, the quality of the Guidelines therefore becomes doubly important.
Ensuring the integrity of voting machines is of particular urgency in the case of U.S. presidential elections, where the Electoral College voting system can allow very small voter swings in a few voting districts to have a very large impact. Where there is no reason to expect that fraud has occurred (and therefore no call for an audit of actual votes), the possibility of a stolen election becomes real, especially in a closely contested election. Adopting and maintaining stringent security standards for voting machines is therefore essential in light of the very real possibility that in some future election a sufficiently skilled and motivated fraudster could successfully alter the result. In that regard, it is worth noting that making hundreds of millions of dollars in campaign contributions cannot guarantee that your candidate will win. But spending a few thousand dollars on a sufficiently skilled hacker could assure a win in a close election if the exploit goes undetected. You can find a technically accurate fictional example of just such an exploit in one of my thrillers, titled The Lafayette Campaign.
So where do things stand today? Despite the flurry of press activity, the EAC commissioners unanimously approved the Guidelines. That story didn’t receive much mainstream media attention, either. Which is a shame, because the press release summarizes all of the truly important new security features the EAC, through its hard work, had developed through a long, thorough, and transparent process. For your convenience, I’ve cut and pasted that summary in below.
* * *
The major updates included in the VVSG 2.0 are the following:
- Improved cybersecurity requirements to secure voting and election management systems associated with the administration of elections:
  - Software independence
  - Requires systems to be air-gapped from other networks and disallows the use of wireless technologies
  - Physical security
  - Multi-factor authentication
  - System integrity
  - Data protection
  - Interoperability
    - Ensures devices are capable of importing and exporting data in common data formats
    - Requires manufacturers to provide complete specifications of how the format is implemented
    - Requires that encoded data uses a publicly available method
- Improved accessibility requirements to enhance the voting experience for voters with disabilities:
  - VVSG 2.0 allows for systems where all voters can vote privately and independently throughout the voting process:
    - Marking
    - Verifying
    - Casting
  - Language access throughout the process
  - Improved documentation requirements for accessibility testing
  - Voter privacy features
  - Accessibility requirements derived from federal laws
- Other changes:
  - Ballot secrecy
  - Improved auditability
  - User-centered design
  - Reorganized to simplify usage and focus on functional requirements
  - Manuals
  - Penetration testing
  - Component testing pilot program