For the first time ever, executives from America’s biggest voting technology companies testified in front of Congress about election security concerns. And the verdict from executives, politicians, and independent experts? Real progress has been made since the fraught 2016 election—but much more work remains to be done. 

The CEOs of Election Systems & Software, Hart InterCivic, and Dominion Voting Systems—which, between them, supply more than 80% of all US voting technology—spoke to lawmakers in a committee hearing on Thursday. All three agreed that they would support new transparency requirements that would force them to reveal more on crucial security issues including manufacturing supply chains, insider threats, ownership structure, foreign investment, personnel policies, and cybersecurity practices. 

It’s a big deal to get the CEOs under oath and on the record supporting new mandatory federal reporting requirements. Currently, the election tech companies have to report information about their products but expose far less about their companies and operations, said Eddie Perez, formerly an election industry executive with Hart InterCivic.

Changing reporting requirements, however, is not so simple.

“If you’re going to require people to disclose information on that level, you need to have consequences if someone does not,” Perez said, adding that the Election Assistance Commission—the independent federal agency meant to be the connection between individual states and the national government on elections— has “no enforcement powers.”

“Federal standards are voluntary. Vendors can use or ignore them; states can decide on compliance,” he said.

Even with support of leading companies, however, new requirements would require new laws, something that has proved excruciating for Congress since 2016. 

Transparency, maybe

Liz Howard, who now works for the Brennan Center for Justice in Washington, DC, was previously the deputy commissioner for elections in Virginia. She testified about the pressing need for comprehensive federal oversight before the 2020 elections.

“The absence of federal oversight negatively impacts election officials’ ability to further strengthen our election infrastructure and is felt most acutely in times of crisis, as I know from my own experience,” Howard testified on Thursday.

In 2017, three months before an election, paperless voting machines used across Virginia were quickly and easily hacked at the DEFCON cybersecurity conference. The password for one of those machines was made public. Despite being a senior election official, Howard was in the dark about what actions had been taken.

“I didn’t know if the vendors knew about the vulnerabilities exploited by the hackers, if the vendors had taken any steps to address the vulnerabilities, who owned or controlled the vendors, or if they would promptly and fully respond to my questions, as they were not then and are not now subject to comprehensive federal oversight,” Howard said. “In no other subsector designated as critical infrastructure are private vendors allowed to serve critical functions without common-sense oversight.”

Audits or bust

Virtually everyone at the hearing unanimously agreed that verifiable audits are necessary to prove the integrity and accuracy of US elections. Audits aren’t simple or easy, as demonstrated by research released yesterday, but experts say they are the only way to verify election results in an era when government-sponsored hackers could conceivably wreak havoc.

“It’s a widely recognized and really indisputable fact that every piece of computer equipment in use at polling places today can be easily compromised in ways that have potential to disrupt election operations, compromise firmware and software, and potentially alter vote tallies,” said Matt Blaze, an election technology expert and professor at Georgetown University Law Center.

Conducting reliable elections requires keeping a paper record of votes, Blaze argued, as well as performing regular audits after every election.

The technology for this already exists—the simplest example would be the scanning and auditing of paper ballots—and now it’s a matter of mandating these standards beyond just a handful of states and moving toward national adoption.

“There is no federal requirement for audits,” said Perez, who is now the global director for technology development at the Open Source Election Technology Institute.

“At the state level, by a long margin it is a relatively small group of states that require by law post-election audits. For the vast majority of states, they aren’t under a requirement to conduct post-election audits. There are many election administrators that have heard the term but haven’t learned how to do post-election audits. It is a really significant topic that is a meaningful and actionable way to increase integrity of elections, but it’s also fair to say the movement to educate election officials on audits and work on a legislation level to make them mandatory is only in its early stages.”

Beyond the voting booth

Although voting machines get the lion’s share of attention, there are other threats to consider.

Big points of risk that the committee heard about include voter registration databases and result reporting technology. All of those are typically controlled and protected by local election officials, who are subject to very few standards and face a cacophony of cyberthreats. The result is a set of targets that would give determined foreign adversaries “a frighteningly easy task,” Blaze said. He thinks that’s crazy.

“Just as we don’t expect the local sheriff to singlehandedly defend against military ground invasions, we shouldn’t expect the county IT manager to defend against cyberattacks by foreign intelligence services,” Blaze testified. “But that’s precisely what we’ve been asking them to do.”

The article was updated to accurately reflect Eddie Perez's comments about voting machine vendor transparency requirements about products, companies, and operations.