The furor over fake news and Russian bots is overshadowing another weak link in the security of U.S. elections — the computer equipment and software that do everything from store voters’ data to record the votes themselves.
Now the voting vendor industry is receiving increased attention from Congress and facing the prospect of new regulations, after more than a decade of warnings from cybersecurity researchers and recent revelations about the extent of Russian intrusions in 2016.
Moscow-linked hackers probed voter registration rolls and other election-related systems in at least 21 states during the 2016 election cycle, the Department of Homeland Security said last year — though investigators have not reported any evidence that the intruders deleted or changed any data. Security experts and some lawmakers have also complained since the early 2000s about the secrecy and lack of independent testing among companies that make election equipment, especially electronic touchscreen machines that leave no paper record of how people voted.
Researchers who study election systems say they cannot tell the public about all the weaknesses they find, for fear of being sued if they violate non-disclosure agreements the companies have imposed. Election officials in states like Virginia say some vendors have refused to comply with their requests for cooperation in locating vulnerabilities.
Meanwhile, security agencies are warning that the Russians are likely to meddle again in this year’s midterm elections — and key lawmakers believe time is running out to put up safeguards.
“This industry is basically laying out a path to trouble,” said Sen. Ron Wyden (D-Ore.), a leading congressional voice on cybersecurity who has tried — and largely failed — to get answers from voting technology vendors about their ability to secure their products.
“You’ve got several of the biggest companies [that] won’t answer questions — basic questions — about if and how they’re securing their own computers and the voting machines that they sell to states,” he told POLITICO.
Even some vendors say they expect to face tighter requirements down the road. “I really think that there’s going to be some raising of the bar,” said Ed Smith, vice president of product at Clear Ballot, which sells software that helps state and local governments scan and tally votes.
But vendors dispute the idea that they are ignoring warnings from security experts or that they represent a weak link in the system. Some vendors say they’ve yet to get real offers of help from the hacking researchers, some of whom have staged demos at hacker conferences where they required just a few minutes to compromise an older-model voting machine.
“I have yet to have a researcher … reach out directly, saying, ‘Hey, we would like to partner with you and find a way to improve your products or address vulnerabilities or help you find vulnerabilities,’” said James Simmons, vice president of technology and operations at Everyone Counts, which makes voter registration software.
Several other vendors refused to speak with POLITICO after learning that the interview would deal with potential flaws in equipment or software.
At the heart of this election security standoff is an acrimonious relationship between the researchers who analyze voting systems for digital flaws and the vendors trying to preserve their profits and reputations in a small, difficult market. It’s a battle that goes back at least to the early 2000s, when counties and states were replacing their antiquated punch-card voting machines after Florida’s Bush v. Gore debacle.
Many states ended up adopting paperless, touchscreen machines, which are still used in some states such as Pennsylvania.
In 2006, a team of security researchers published a report saying that touchscreen voting machines made by the notably litigious vendor Diebold were vulnerable to “extremely serious attacks.” The researchers were so afraid of being sued by Diebold — now a subsidiary of the voting technology behemoth Dominion — that they broke with longstanding practice and didn’t tell the company about their findings before publishing.
The team was “afraid that [Diebold] would try to stop us from speaking publicly about the problems,” said J. Alex Halderman, a University of Michigan computer science professor who was one of the report’s authors.
When California and Ohio ordered voting technology vendors to comply with independent reviews in 2007, getting access to important data was “like pulling teeth,” said Matthew Blaze, a computer science professor at the University of Pennsylvania who worked on both reports and has since analyzed many voting systems.
In the end, researchers found “laughable” flaws in the machines, said Joe Hall, the chief technologist with the digital privacy advocate Center for Democracy & Technology, who participated in the Ohio review. “They made us jump through all these hoops for stuff that was just fundamentally insecure and fundamentally low-quality design.”
That story rings true to all the researchers POLITICO interviewed who have worked with voting technology companies. For instance, strict non-disclosure agreements are common.
“We can’t agree to conditions that would preclude us from talking to the public about issues we found, since our work is in the interest of the public,” Halderman said.
Critics also accuse these companies of denying security issues and even refusing to help their customers. The 2007 reports listed “hundreds” of flaws, but Blaze said that “the reaction was universally to say: ‘Oh well, these aren’t really important. They couldn’t be exploited in practice. Don’t worry about them.’”
Last year, the voting machine manufacturer Hart refused to give Virginia officials a test unit of one of its machines when the state was considering removing electronic voting machines that researchers consider insecure.