The top federal authority on elections is seeking to reassure a security-focused lawmaker that it is doing everything in its power to provide state election officials with all available resources in order to secure equipment and computer systems.
The heads of the Election Assistance Commission were responding to Sen. Ron Wyden, D-Ore., who wrote to the EAC in June asking how the agency is coordinating with them about security amid ongoing concerns over foreign election interference.
In the response letter obtained by CyberScoop, EAC commissioners Thomas Hicks and Christy McCormick lay out the many ways the commission works with states on election security, including developing testing requirements and voting machine standards, offering guidance for spending federal grants and informing states about services available from other agencies.
Earlier this year, Congress allocated $380 million to be split among the states for the sake of improving the administration of elections under the 2002 Help America Vote Act (HAVA).
In his June letter, Wyden sought to learn how major cybersecurity concerns would be communicated to states as they decide how to spend their piece of the HAVA funding. While much of the PR surrounding the $380 million has been related to cybersecurity, there is no statutory requirement that states use it for that; they could theoretically hire more staff, implement basic IT upgrades or even take actions that make their elections less secure.
The commissioners note in their letter to Wyden that the EAC has held live webinars, conference calls and an April public forum in Miami to share guidance on how to use the HAVA money, in hopes of keeping the focus on election security.
“The importance of election security and how the newly appropriated HAVA Funds will assist states with meeting these objectives are the Commission’s top priority and part of our primary focus,” the letter says.
Wyden also wanted to know the EAC’s position on allowing independent security experts to investigate voting systems’ security through penetration testing, red-teaming and vulnerability testing, which he said would a “common-sense requirement” before certification.
The commissioners deferred to DHS and state election officials. Homeland Security does make vulnerability assessments available to states, the commissioners said. Beyond that, it’s up to the states if they want to use their budgets to run additional tests.
At a recent Senate hearing, Wyden sparred with representatives of voting system vendors over transparency about their security.
“It is in my view inexcusable that our democracy depends on such hackable voting technology made by a handful of companies that have been able to evade oversight and in fact have actually been stonewalling Congress for years,” Wyden said at the hearing.
As it stands, voting equipment and software is procured by states and localities, which decide how to ensure the security of those products. In many cases, the jurisdictions require the products to be certified by the EAC and comply with the commission’s Voluntary Voting System Guidelines (VVSG). Access to machines by independent researchers, however, largely remains out of reach.
In response to a question about whether the EAC has staff dedicated to cybersecurity, the commissioners wrote that there are three full-time employees working in the Testing and Certification Program. Also, “a number of staff members” have FEDVTE cyber certifications from DHS.
Beyond that, the letter says that $1.5 million of the commission’s annual operating budget goes to the National Institute for Standards and Technology, as the government standards body provides the EAC with regular technical support.
“Although our budget is small by federal government standards, the EAC has a track record of nimbly carrying out the commission’s [Help America Vote Act] mandated mission, and the EAC has extended that support to provide leadership to the election industry related to cybersecurity,” the letter says.
You can read the EAC’s full response to Wyden below.