Sen. Ron Wyden, D-Ore., has asked the Election Assistance Commission to issue updated cybersecurity guidance to states to protect their voting infrastructure ahead of the 2018 midterm elections.
Congress allotted $380 million to states through a March spending bill to help secure their voting systems, a move that analysts welcomed as necessary, but insufficient to replace paperless voting machines that could fall prey to digital manipulation. “Absent guidance from the EAC, some states may opt to spend these new funds on insecure voting technology,” Wyden wrote in a letter obtained by CyberScoop.
“Election security experts have worked tirelessly to understand and articulate the vulnerabilities certain types of machines can introduce into elections,” Wyden wrote, adding that new EAC guidance must incorporate those findings.
The senator also wants the EAC to answer a series of questions by July 15, including whether the commission has any full-time cybersecurity experts on staff and whether it has ever revoked a voting system’s certification because of cybersecurity concerns.
In addition, Wyden asks what processes the EAC has in place to make sure states’ voting systems adhere to cybersecurity best practices. The senator also wants to know whether the EAC supports practices like penetration testing and red-teaming of systems, and if so, what it has done to spread them.
The Department of Homeland Security has been offering states vulnerability assessments and classified briefings to prepare them for the midterm elections. A top DHS official told Wyden in April, however, that the department had not assessed whether individual election-system vendors had followed good cybersecurity practices.
CyberScoop has asked the EAC for comment on the letter from Wyden and will update this story if any is provided. The EAC approved updated voting security guidelines in 2015, and again in April 2018, according to the commission’s website.
Nonetheless, Wyden says, “the guidelines still encourage states to adopt policies – including certifying machines that make auditing difficult and permitting voting systems to be connected to the internet – that are wildly inconsistent with modern cybersecurity best practices.”