Voting Machine Makers Pledge Transparency, Supply Chain Vetting in Congressional Hearing
The heads of three companies that make 80 percent of the country’s voting machines agreed to provide Congress with information regarding their cybersecurity procedures, company ownership and supply chain vetting in a hearing before the House Administration Committee on Thursday, January 9, 2020.
It’s a notable concession, marking the first time the chief executives and presidents of privately held Election Systems & Software (ES&S), Dominion Voting Systems and Hart InterCivic have testified together as part of a bipartisan effort to secure U.S. voting hardware and software. The industry, which has operated behind the scenes for decades, is largely unregulated and not much is known about it.
In a published opening statement, Tom Burt, ES&S chief executive, spoke about the need for visibility into the company’s operations and procedures. “The process of what makes elections work — including ballot design, voting, tabulating and certifying election results — is not always well understood by those who, unlike you and all of us on the panels today, live it every day,” he said. “That’s why I’m so pleased you’re holding this hearing and giving us all an opportunity to share what we do and how we do it.”
John Poulos, Dominion’s chief executive and co-founder, defended the accuracy of his company’s systems in a prepared statement. “The voting systems that we produce provide high assurance that election outcomes are accurately and reliably tallied,” he said. “All Dominion systems fully-support independent, third-party audits, and reviews of election data.”
In their testimony, each supplier supported vetting third-party providers and operating more openly. With the 2020 presidential election clearly in sight, bipartisan Congressional lawmakers are pushing for transparency into voting machine technology. “Despite their outsized role in the mechanics of our democracy, some have accused these companies with obfuscating, and in some cases misleading election administrators and the American public,” said Zoe Lofgren (D-CA), who chairs the congressional subcommittee that oversees federal elections, in her opening remarks. “There is much work to do, and much for Congress to learn about this industry.”
All the vendors confirmed that some of their voting machines use wireless technology to communicate unofficial results — making up-to-date cybersecurity bulwarks vitally important to wall off hackers — and two acknowledged that some parts in their systems come from China. One of ES&S’ programmable logic devices is sourced from a U.S. company that works with a Chinese factory, Burt said, while Hart chief executive Julie Mathis said certain components in its machines came from China. All of Dominion’s components are made in the U.S., Poulos said.
A lack of consensus among lawmakers on how best to secure voting machines and verify results has stalled in the Senate a number of bills passed by the House aimed at shoring up election security. Similarly, disagreements over the role of the federal government in securing election technology have stymied budget allocations and proposed improvements. Last July, the House passed the Securing America’s Federal Elections Act (SAFE Act) to again try to address foreign meddling in U.S. elections. One of the bill’s directives is a paper trail for ballots. It has yet to come up for a Senate floor vote.
But there has been some recent upward movement:
- Last month, Congress approved and President Trump signed into law a new $1.4 trillion federal appropriations package that allocates $425 million in election grants to states to improve cybersecurity. States are required to match 20 percent of the federal funds and ultimately, state election officials will end up with about $500 million to improve their cybersecurity profile.
- Earlier in December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said it is working with a non-partisan, non-profit group to customize an open source, post-election auditing tool to verify votes in the upcoming 2020 elections via risk-limiting audits (RLAs). Election officials in Pennsylvania, Michigan, Virginia, Ohio and Georgia are currently piloting the software and others are expected to join. Colorado became the first state to implement RLAs when in 2017 it audited one race in each of 50 of its 64 counties.
However, voting machines are still woefully susceptible to hacking:
- Tests conducted by a group of white-hat security experts participating in the Def Con Voting Village event found that voting machines used by dozens of states can be easily and repeatedly hacked, potentially corrupting millions of votes in the 2020 election. Many of the voting systems’ vulnerabilities date to machines still in play from a decade ago.