As the House and Senate continue to examine the wave of disinformation around the 2016 presidential election, concerns about the security of voting systems touch on something even more fundamental to the U.S. democratic system.
In early October, Senate Intel Committee member and Oregon Senator Ron Wyden sent a letter to the nation’s six major voting machine makers calling on them to provide details on their security practices and assurances that they were taking voting integrity seriously moving forward.
Abiding by the October 31 deadline, voting machine makers Dominion Voting, Election Systems & Software (ES&S), Five Cedars Group, Hart InterCivic and Unisyn Voting Solutions have responded, though some of the details are far from reassuring.
Dominion Voting reports that it “is not aware of any incidents in which an attacker has gained unauthorized access to our internal systems, corporate data or customer data” nor has it been informed by the FBI or Homeland Security of any such intrusion.
Unisyn stated that it has undergone penetration testing by a third party four times in the last five years and has since dealt with “a majority of the findings,” but has not suffered any breaches during that time.
ES&S said that it had “zero knowledge” of any kind of intrusion pertaining to its voter registration software or tabulation equipment, a finding that it corroborated with DHS in a meeting following the critical infrastructure designation for election systems. “Senator, we also understand that your inquiry seeks to ascertain if our company was the target of known cyber attacks during the 2016 election cycle. In response to that question we have no indication that our internal infrastructure was compromised in any way,” the company added.
Dominion stated that it does not have a Chief Information Security Officer as a designated security point person, noting that “our Director of IT, EVP of Engineering and others currently lead our cybersecurity and risk mitigation efforts.” The company did not specify how many employees work solely on information security beyond stating that it has “many employees who play a role.” Unisyn stated that “the company’s IT Director and System Architect cooperate to fulfill the roles and responsibilities equivalent to that of a [Chief Information Security Officer],” also declining to state how many employees are solely dedicated to information security.
Dominion dismissed a question around how the company handles unsolicited vulnerability reports, claiming that because access to its systems is strictly limited, any unsolicited access would result in criminal prosecution. Unisyn indicated that it keeps up with security issues affecting external software it uses, as in the case of Heartbleed, but it did not specify any process through which outside security researchers could bring flaws to light.
In its letter, Hart InterCivic clarified that it does not provide voter registration systems as some of the other companies do, blaming the media for “creating confusion among readers” by conflating voter registration systems with voting machines. Hart InterCivic points to reports that only voter registration systems have been compromised, and in the process makes light of potential threats to voting machines themselves. The company ignores most of Sen. Wyden’s questions and goes on to make the dubious claim that because state laws vary, heterogeneity in voting machine systems is a feature, not a bug, and the lack of uniform federal standards for these systems makes them safer.
In its letter, Oregon-based Five Cedars Group, a smaller company among industry giants, indicated that its technology doesn’t face many of the concerns that the original letter brings up. “Because of the way the Oregon Secretary of State office designed the process back in 2007, at no time are ballots posted on a Five Cedars server,” the company writes. “We also never receive any voter registration data, marked ballots or any other document that would be of interest to a hacker.”
Oregon is unique in that the state uses a vote-by-mail system, and Five Cedars makes remotely accessible vote-by-mail ballots for state residents with disabilities. Senator Wyden has been a vocal proponent of extending an Oregon-style vote-by-mail system nationwide, calling for legislation around vote by mail in 2016 and again with the Vote by Mail Act in 2017. Vote-by-mail systems are understood both to increase voter turnout significantly and to eliminate risks associated with decentralized polling stations, though at this time broad bipartisan support for such a bill looks unlikely due to a partisan divide over issues like voter suppression and largely unsubstantiated claims around voter fraud.
Sen. Wyden’s original questions appear below:
1. Does your company employ a Chief Information Security Officer? If yes, to whom do they directly report? If not, why not?
2. How many employees work solely on corporate or product information security?
3. In the last five years, how many times has your company utilized an outside cybersecurity firm to audit the security of your products and conduct penetration tests of your corporate information technology infrastructure?
4. Has your company addressed all of the issues discovered by these cybersecurity experts and implemented all of their recommendations? If not, why not?
5. Do you have a process in place to receive and respond to unsolicited vulnerability reports from cybersecurity researchers and other third parties? How many times in the past five years has your company received such reports?
6. Are you aware of any data breaches or other cybersecurity incidents in which an attacker gained unauthorized access to your internal systems, corporate data or customer data? If your company has suffered one or more data breaches or other cybersecurity incidents, have you reported these incidents to federal, state and local authorities? If not, why not?
7. Has your company implemented the best practices described in the National Institute of Standards and Technology (NIST) 2015 Voluntary Voting Systems Guidelines 1.1? If not, why not?
8. Has your firm implemented the best practices described in the NIST Cybersecurity Framework 1.0? If not, why not?