This page is not available in SpanishWould you like to continue on the Brennan Center home page in Spanish?to the Brennan Center in Englishto the Brennan Center in SpanishThis page is not available in SpanishWould you like to continue on the Brennan Center home page in Spanish?to the Brennan Center in Englishto the Brennan Center in SpanishKey Point: The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more stringently than it does America's election infrastructure.More than 80 percent of voting systems in use today are under the purview of three vendors.footnote1_dnbyt8m 1 Kim Zetter, “The Crisis of Election Security,” New York Times Magazine, Sept.26, 2018, https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html.A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country.Other systems that are essential for free and fair elections, such as voter registration databases and electronic pollbooks, are also supplied and serviced by private companies.Yet these vendors, unlike those in other sectors that the federal government has designated as critical infrastructure, receive little or no federal review.This leaves American elections vulnerable to attack.To address this, the Brennan Center for Justice proposes a new framework for oversight that includes the following:Congressional authorization is needed for some but not all elements of our proposal.The EAC does not currently have the statutory authority to certify most election vendors, including those that sell and service some of the most critical infrastructure, such as voter registration databases, electronic pollbooks, and election night reporting systems.For this reason, Congress must act in order for the EAC or other federal agency to adopt the full set of recommendations in this report.footnote2_0yxjoty 2 The For the People Act, HR 1, 116th Cong.(2019) and the Securing America's Federal Elections Act, the SAFE Act, HR 2722, 116th Cong.(2019) both would accomplish much, but not all, of this report's recommendations.Specifically, these bills provide for EAC oversight of a broader array of election system products and vendors in exchange for receipt and use of federal funds but do not provide for ongoing certification and monitoring of vendors.They also do not speak to best practices on personnel decisions or supply chain security.These bills also do not fully address how to define foreign ownership and control.Where this report's recommendations could be accomplished by adopting one of these bills, we have attempted to flag that for the reader.Regardless, the EAC could, without any additional legislation, issue voluntary guidance for election vendors and take many of the steps recommended in this paper as they relate to voting system vendors.Specifically, it is our legal judgment that the EAC may require, through its registration process, that voting system vendors provide key information relevant to cybersecurity best practices, personnel policies, and foreign control.Furthermore, the EAC may deny or suspend registration based on noncompliance with standards and criteria that it publishes.Ultimately, the best course of action would be for Congress to create a uniform framework for election vendors that adopts each of the elements discussed in this paper.In the short run, however, we urge the EAC to take the steps it can now to more thoroughly assess voting system vendors.The unprecedented attacks on America's elections in 2016, and repeated warnings by the country's intelligence agencies of future foreign interference, have raised the profile of election security in a way few could have imagined just a few years ago.The response has largely focused on improving the testing of voting machines before they are purchased and on training state and local election officials to institute best practices to prevent, detect, and recover from cyberattacks.Yet private vendors, not election officials, build and maintain much of our election infrastructure.They create election websites that help voters determine how to register and where to vote;print and design ballots;configure voting machines;and build and maintain voter registration databases, voting machines, and electronic pollbooks.Not every jurisdiction outsources all of these functions, but all rely on vendors for some of this work and many for nearly all of it.Understandably, many local governments under fiscal pressure would rather contract out these functions than increase their election office staff, especially considering the cyclical nature of election-related work.There is almost no federal regulation of the vendors that design and maintain the systems that allow us to determine who can vote, how they vote, or how their votes are counted and reported.While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight.This is not the case in other sectors that the federal government has designated as critical infrastructure.Vendors in the defense sector, for example, face substantial oversight and must comply with various requirements, including rules governing the handling of classified information and supply chain integrity.The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more stringently than it does America's election infrastructure.footnote1_mnbwfrt 1 Compare, for example, The Labeling of Hazardous Art Materials Act, 15 USC 1277, and 16 CFR §§ 1500.14, with 11 CFR §§ 9405.1 et seq.Indeed, Chapter II of Title 11 of the Code of Federal Regulations, the principal regulations applicable to the EAC, does not address the certification of voting systems or any potential oversight of election vendors more broadly.Nor does the legislation that established the EAC (the Help America Vote Act of 2002) — which sets some requirements for voting systems used in federal elections, see 52 USC § 21081 — require the EAC to issue any mandatory regulations on those topics.See, eg, 52 USC § 20971 (regarding the certification and testing of voting systems), § 20929 (“The Commission shall not have any authority to is- sue any rule, promulgate any regulation, or take any other action which imposes any requirement on any State or unit of local government . . .”), § 21101 (regarding the EAC's adoption of voluntary guidance).There is a growing bipartisan appreciation that federal action is needed to address the risks that vendors might introduce into election infrastructure.Rep. Zoe Lofgren (D–CA), who chairs the Committee on House Administration, has said that a significant election-related “vulnerability comes from election technology vendors ...who have little financial incentive to prioritize election security and are not subject to regulations requiring them to use cyber security best practices.”footnote2_ckz40pa 2 Hearing on Election Security, Before the Comm.on House Administration, 116th Cong.(May 8, 2019) (statement of Zoe Lofgren, chairperson).Alabama's Republican secretary of state, John Merrill, has called for the EAC to undertake “a centralized effort to evaluate the effectiveness of election equipment, whether it be for voter administration purposes, electronic poll books,” or the like.footnote3_x0twgqm 3 Hearing on Election Security, Before the Comm.on House Administration, 116th Cong.(May 8, 2019) (statement of John Merrill, Alabama secretary of state).While state and local governments retain primacy in running elections, only the federal government has the resources and constitutional responsibility to ensure that the more than 8,000 local election jurisdictions have access to information and expertise to safeguard federal elections from insecure vendor practices.footnote4_wuyfsb5 4 US Senate Select Committee on Intelligence, Report of the Select Committee on Intelligence, US Senate, on Russian Active Measures Campaigns and Interference in the 2016 US Election, Volume 1, July 5, 2019, https://www.intelligence.senate .gov/sites/default/files/documents/Report_Volume1.pdf (“State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”);USConst.art.I, § 4 (permitting Congress to regulate elections);USConst.art.IV, § 4 (requiring Congress to guarantee a republican form of government to the states and to protect them from invasion).The ability of a foreign power to exploit the vulnerabilities of a vendor in a single county in Pennsylvania could have extraordinary repercussions for the country.Given the lack of federal oversight, the relatively small number of vendors with significant market share, footnote5_7hegtww 5 Lorin Hitt et al., The Business of Voting: Market Structure and Innovation in the Election Technology Industry, University of Pennsylvania Wharton School, 2017, 15 , https://publicpolicy.wharton.upenn.edu/live/files/270-the-business-of-voting.and their “severe underinvestment in cybersecurity,” footnote6_0e0a2d5 6 Frank Bajak, “US Election Integrity Depends on Security-Challenged Firms,” Associated Press, Oct. 29, 2018, https://apnews.com/f6876669cb6b4e4c9850844f8e015b4c (quoting Sen. Ron Wyden ).the Brennan Center proposes that the federal government take on a more substantial oversight role.Under our proposal, the EAC would extend its existing certification regime from voting systems to include all vendors that manufacture or service key parts of the nation's election infrastructure.The commission would also continuously monitor vendors, with the power to revoke certification.(The EAC currently has that power but only uses it to oversee the systems themselves.)This paper refers to “election vendors” when discussing those entities that provide election services to jurisdictions throughout the United States.A 2017 University of Pennsylvania report on the election technology industry described these entities as those “that design, manufacture, integrate, and support voting machines and the associated technological infrastructure.”footnote7_c24l4fk 7 Hitt et al., The Business of Voting, 7. While the report focused largely on voting systems, quantifying the sector's annual revenue at $300 million, footnote8_3t6d3xl 8 Hitt et al., The Business of Voting, 8. the election vendors referred to also include those that do not participate in the voting systems market but provide other election-related goods and services.For the purposes of this paper, “vendor” is defined to include any private individual or business that manufactures, sells, programs, or maintains machines that assist in the casting or tallying of votes, voter registration databases, electronic pollbooks, or election night reporting. systems.Private vendors' central role in American elections makes them prime targets for adversaries.Yet it is impossible to assess the precise level of risk associated with vendors — or how that risk impacts election security.As a 2018 US Senate Intelligence Committee report observed, “State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of [election] vendors.”footnote9_r43x4d5 9 US Senate Select Committee on Intelligence, Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations, May 8, 2018, https://www.intelligence.senate.gov/publications/russia-inquiry.This limited visibility into vendors includesRevelations that Russian actors targeted an election vendor in the lead-up to the 2016 election provide a useful example of how little insight there is into vendor security.Special Counsel Robert Mueller's report to the attorney general and indictment of 12 Russian intelligence officers both included allegations that these officers hacked a private US election systems vendor.The vendor is believed to operate in at least eight states, including the battleground states of North Carolina, Virginia, and Florida.footnote10_7e5kr84 10 United States v.Netyksho et al., No. 1:18CR00215, 2018 WL 3407381, 26 (DDC Jul. 13, 2018);Robert S. Mueller III, Report on the Investigation into Russian Interference in the 2016 Presidential Election, US Department of Justice, 2019, 50, https://www.justice.gov/storage/report.pdf;Casey Tolan, “Humboldt County Shores Up Voting Systems after Russian Hack of Election Contractor,” Mercury News, June 6, 2017, https://www.mercurynews.com/2017/06/06/humboldt-county-moves-to- shore-up-voting-systems-after-election-contractor-hack/ (listing VR Systems' own website as the source for its list of states in which the company operates).According to the special counsel, hackers gained access to the vendor's computers and used an email account designed to look like the vendor's to send spearphishing emails to Florida election officials.footnote11_b0o12z1 11 Sam Biddle, “A Swing-State Election Vendor Repeatedly Denied Being Hacked by Russians.The New Mueller Indictment Says Otherwise,” Intercept, July 13, 2018, https://theintercept.com/2018/07/13/a-swing-state-election-vendor-repeatedly-denied-being-hacked-by-russians -new-mueller-indictment-says-otherwise/.Per the indication, “the spearphishing emails contained malware that the Conspirators embedded into Word documents bearing [the vendor's] logo.”footnote12_q2ig6tt 12 United States v.Netyksho et al., No. 1:18CR00215, 2018 WL 3407381, 26 (DDC Jul. 13, 2018).According to Florida Governor Ron DeSantis, the hackers breached the election systems of two Florida counties.footnote13_dz1us9a 13 Miles Parks, “Florida Governor Says Russian Hackers Breached Two Counties in 2016,” NPR, May 14, 2019, https://www.npr.org/2019/05/14/723215498/florida-governor-says-russian -hackers-breached-two-florida-counties-in-2016.We still don't know all the facts.Even in the rare instance that the public learns of a vendor hack — as it did through the special counsel's investigation — many questions remain unanswered.When and how did the vendor learn of these attacks?What preventive measures were in place?What steps did the vendor take after discovering it was targeted to ensure that it was not infiltrated?Did it immediately inform its customers?The public generally never learns the answers to these questions, and there are no federal laws or regulations requiring private vendors to take any action in the event of a cyberattack.Similarly, Vice recently reported that election night reporting systems sold by Election Systems and Software (ES&S), the country's leading election vendor, had been exposed to the public internet, potentially for years on end.(ES&S denied the substance and significance of the report.) Although ES&S voting machines are certified by the EAC, its transmission configuration is not.footnote14_x0h4d4w 14 Kim Zetter, “Exclusive: Critical US Election Systems Have Been Left Exposed Online Despite Official Denials,” Vice, Aug. 8, 2019, https://www.vice.com/en_us/article/3kxzk9/exclusive-critical- us-election-systems-have-been-left-exposed-online-despite-official-denials (quoting ES&S marketing literature).The lack of visibility into vendors and their cybersecurity can also contribute to an inability to detect poor practices that might affect vendor performance until it is too late.In 2017, ES&S left the sensitive personal information of 1.8 million Chicago voters publicly exposed on an Amazon cloud server.footnote15_zfrm91w 15 Dan O'Sullivan, “The Chicago Way: An Electronic Voting Firm Exposes 1.8M Chicagoans,” Upguard, Dec. 13, 2018, https://www.upguard.com/breaches/cloud-leak-chicago-voters.That information reportedly included “addresses, birth dates and partial Social Security numbers,” footnote16_9ia8531 16 Bajak, “US Election Integrity.”information valuable to hackers.Opaque supply chains further exacerbate the problem.Earlier this year, an IBM Security Services investigation on behalf of Los Angeles County found that compatibility issues between the voter list and an ES&S subsidiary's software contributed to nearly 120,000 voters being left out of printed pollbooks and forced to request provisional ballots.footnote17_rm9bq4i 17 “Report Blames Software Error for Los Angeles Voting Problem,” Associated Press, Aug. 1, 2018, https://www.apnews.com/95b056ab2eab47febaf721a1d285a045, IBM Security Services, Independent Investigation of Election System Anomalies in Los Angeles County on June 5, 2018, Aug. 1, 2018, http://file.lacounty.gov/SDSInter/lac/1042885_FINALExecutiveSummaryAugust12018.pdf;See also Board of Supervisors, Request for Approval: Amendment Number Eight to Agreement Number 76010 with Data Information Management Systems, LLC for Voter Information Management System Maintenance and Support Services, County of Los Angeles, 2015, https://www.lavote.net /documents/05052015.pdf (identifying ES&S subsidiary Data Information Management Systems, LLC as vendor responsible for maintaining and servicing Los Angeles County's voter information management system).The ability of a foreign power to exploit the vulnerabilities of a vendor in a single county in Pennsylvania could have extraordinary repercussions.Although the EAC can conduct manufacturing site visits through its Quality Monitoring Program, footnote18_3oyq38z 18 US Election Assistance Commission, “Quality Monitoring Program,” https://www.eac.gov/voting-equipment/quality-monitoring-program/.This program extends only to voting systems that are submitted for voluntary certification and does not cover the full menu of vendor products and services.There is no federal scrutiny of supply chains for components sourced for noncertified products and services, for example, despite the finding of the Department of Homeland Security (DHS) that “contractors, sub-contractors, and suppliers at all tiers of the supply chain are under constant attack.”footnote19_igw8cu3 19 National Protection and Programs Directorate, “DHS and Private Sector Partners Establish Information and Communications Technology Supply Chain Risk Management Task Force,” US Department of Homeland Security, Oct. 30, 2018, https://www.dhs.gov/news /2018/10/30/dhs-and-private-sector-partners-establish-information-and-communications-technology.The recent ban on certain technologies made by the Chinese company Huawei is a stark illustration of the growing recognition of supply chain risk.footnote20_5t9ileq 20 See, eg, Sean Keane, “Huawei Ban: Full Timeline on How and Why Its Phones Are Under Fire,” CNET, May 30, 2019, https://www.cnet.com/news/huawei-ban-full -timeline-on-how-and-why-its-phones-are-under-fire/.Vendors' use of local or regional partners or subcontractors adds to the lack of visibility.For instance, Unisyn Voting Solution, a digital scan voting system manufacturer whose systems have been certified by the EAC, identifies a range of partners in several states on its website.footnote21_p9zmnfd 21 Unisyn Voting Systems, “Partners,” https://unisynvoting.com/partners/.Neither Unisyn nor these partners are currently subject to the kind of oversight we recommend.Election officials often depend on vendors whose practices are opaque.Yet these companies — unlike those in other critical infrastructure sectors, such as defense, nuclear, dams, and energy — face almost no federal oversight of their security systems.There are no requirements that vendors report breaches, screen employees' backgrounds, patch security flaws, report foreign ownership or control, or ensure the physical security of sensitive software and hardware.This paper assumes that the Election Assistance Commission would be the agency charged with overseeing election vendors.There are many reasons why the EAC is the most logical choice for this role.One among them is that the EAC already certifies voting equipment and issues voluntary guidance.Because it is structured as an independent agency with bipartisan membership, it faces less risk of undue political meddling in the technical work of overseeing election vendors than a traditional executive agency would.Its structure could also help avoid dramatic shifts in oversight approaches with a change of presidential administrations.footnote22_rgyaxei 22 The EAC's bipartisan structure provides important checks and balances, but it also carries a risk of the sort of pervasive gridlock that has hamstrung the Federal Election Commission, leading the Brennan Center to advocate for a fundamental overhaul of that agency.See Daniel I. Weiner, Fixing the FEC: An Agenda for Reform, Brennan Center for Justice, 2019, https://www.brennancenter.org/sites/default/files/publications/2019_04_FECV_Final.pdf.But the EAC's mission is very different from that of the FEC, which oversees campaign finance.Because of the technical nature of much of its work, the EAC has not been paralyzed by the same partisan ideological divisions, leading us to conclude that its bipartisan structure remains viable, at least for now.Unfortunately, the EAC has been plagued by controversy for years.Its leaders have waded into contentious issues, such as voter identification and proof of citizenship, that have little relation to the agency's core responsibilities.footnote23_1n4bw2q 23 Ian Urbina, “Panel Said to Alter Finding on Voter Fraud,” New York Times, Apr. 11, 2007, https://www.nytimes.com/2007/04/11/washington/11voters.html.It has missed deadlines for completing critical functions, such as adopting voting system guidelines.footnote24_x89016z 24 Eric Geller, “Federal Election Official Accused of Undermining His Own Agency,” Politico, June 15, 2019, https://www.politico.com/story/2019/06/15/federal-election-brian-newby- 2020–1365841.And there are concerns that it has not taken election security seriously enough, footnote25_wj95ea8 25 Kim Zetter, “Experts: Elections Commission Downplaying Unseen Risks to 2020 Vote,” Politico, Mar. 15, 2019, https://www.politico.com/ story/2019/03/15/election-machine-security-2020-cybersecurity-1222803.as well as “complaints of infighting, high [staff] turnover and cratering morale.”footnote26_7lzyi2d 26 Geller, “Federal Election Leader Accused.”If the EAC were chosen for this role, Congress would need to take a number of actions to make its success more likely.First, it would need to increase the agency's budget.The new role would constitute a major expansion of the EAC's regulatory mandate.In recent years, despite the increased threat of cyberattacks against our nation's election infrastructure, funding for the EAC has dropped sharply.The agency's budget in fiscal year 2019 was just $9.2 million, down from $18 million in fiscal year 2010. footnote27_c9dxrqc 27 US Election Assistance Commission, Fiscal Year 2019 Congressional Budget Justification, Feb. 12, 2018, https://www.eac.gov /assets/1/6/fy_2019_cbj_feb_12_2018_final.pdf;Omnibus Appropriations Act, 2009, Pub. L. No. 111–8 (2009);Election Assistance Commission Termination Act, HR Rept.114–361 (2015).With expanded oversight authority, the EAC would need to dramatically increase its cybersecurity competence and knowledge.To facilitate this increased technical focus, we outline below how the existing Technical Guidelines Development Committee would need to be modified to emphasize technical proficiency and, specifically, cybersecurity expertise.We also recommend greater deference to this modified technical committee, permitting its recommended voluntary guidelines to take effect absent overriding action by the EAC.These changes, too, would require congressional action.On the personnel front, Congress would need to commit to keeping EAC seats filled by leaders who are dedicated to working with each other and with career staff to ensure the security of our election infrastructure.Congress's failure to replace commissioners left the EAC without a quorum between December 2010 and December 2014 and then again between March 2018 and February 2019.Finally, given the breadth and scope of this new mandate, Congress would need to subject the agency to more scrutiny and oversight than it has in the past.footnote28_jhyxgdn 28 Both the House and Senate held EAC oversight hearings this year, but they were the first oversight hearings in either chamber in over eight years.See Committee on House Administration, “Hearings,” https://cha.house.gov/committee-activity/hearings;“Congressional Hearings,” Govinfo, https://www.govinfo.gov/app/collection/chrg/116/house/Committee%20on%20House%20Administration;Senate Committee on Rules and Administration, “Hearings,” https://www.rules.senate.gov/hearings.If Congress is unable or unwilling to take these steps, it should find a different agency to oversee election vendor certification.Any agency placed in that role must be structured so as to remain independent of partisan control.It will need experienced, effective staff and leadership who are committed to election security, cybersecurity, technical competence, and good and effective election administration.Most of the policies suggested in this report will require congressional authorization.Not least of these is the ability of the Election Assistance Commission's regulatory authority to reach election system vendors for products and services other than voting machines — including voter registration databases, electronic pollbooks and election night reporting.However, the EAC can under its current authority institute a voluntary system of oversight of the security practices of vendors that supply voting systems, using a combination of its registration and certification schemes.In order to register, voting system vendors must already provide the EAC with critical information about their ownership, along with written policies regarding their quality assurance mechanisms.Vendors must agree to certain program requirements, and registrants can be suspended if they fail to continue to abide by the registration requirements.A system cannot be submitted for certification unless its manufacturer is currently registered with the EAC.i The need for this type of information is clear: in order to carry out its certification, decertification, and recertification authority, including the provision of a fair process to vendors who risk decertification or denial of certification, the EAC must be able to maintain communication with voting system vendors and ensure compliance with quality assurance mechanisms on an ongoing basis.To ensure that certified voting systems are secure, the EAC can adopt Voluntary Voting System Guidelines (VVSG) that outline best practices for vendors as they relate to cybersecurity, personnel, foreign control, and supply chain integrity.Voting system vendors can then be required, as part of registration, to provide information on their compliance with these standards.For instance, the current VVSG provide special guidelines for voting systems that use public telecommunications networks in order to ensure that they are protected against external threats, including monitoring requirements.Similarly, the guidelines require verification methods for both software setup and any software update packages.ii New guidelines could outline why background checks for personnel are necessary to ensure the ongoing security of voting systems, including upgrades and changes.IIIThe current registration process could also allow the EAC to ensure that various voting system vendor best practices remain in force over time.The process imposes a continuing responsibility on vendors to report any changes in the information supplied to the EAC and to “operate ...consistent with the procedural requirements” established by the EAC's testing and certification manual.Thus, if registration mandated, for example, the provision of cybersecurity information from vendors, they would be required to report cybersecurity changes or incidents pursuant to their responsibility to keep registration information up to date.Registration could be suspended if vendors failed to maintain policies consistent with the EAC's requirements.IVWhile expanding oversight of voting system vendors to ensure compliance with the basic security measures discussed in this paper would not be a substitute for a full certification system for all election system vendors, it would be a significant step toward providing greater accountability for voting system vendors.i US Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 12–19.ii Voluntary Voting Systems Guidelines, Vol.1, Version 1.1, §7.4.6, §7.5, §7.5.2, §7.5.3.iii The adoption of modern approaches such as agile software development and the provision of ongoing technical support makes information about a vendor's ongoing compliance with best practices critical for determining the level of risk posed by upgrades and changes, including some that might be deemed de minimis if vendor security practices are strong.See US Election Assistance Commission, Testing and Certification Program Manual, Version 2.0iv US Election Assistance Commission, Testing and Certification Program Manual, Version 2.0, 17. Suspension of an entire vendor, like decertification of a vendor, would similarly need to be handled thoughtfully.See Enforcing Guidelines section on this report.Under the Brennan Center's proposal, the Election Assistance Commission's oversight role would be substantially expanded.Oversight would extend beyond voting equipment footnote1_2asqmfd 1 Under the Help America Vote Act, Pub. L. No. 107–252 (2002), this includes all equipment that is used to “define ballots;...cast and count votes;...report or display election results;and ...maintain and product any audit trail information.”It does not include certification of other election systems, such as electronic pollbooks;such machines are now used widely and are critical to running elections around the country.See Andrea Cordova, “Want a Simple Way to Increase Election Security?Use Paper,” Brennan Center for Justice, Oct. 8, 2018, https://www.brennancenter.org/blog/want-simple-way-increase-election-security-use-paper.They, too, should be added to this system testing regime, as was recently proposed in the Election Security Assistance Act, HR 3412, 116th Cong.(2019), § 3(a).to election vendors themselves.(2018).(2018)........(2018).(2018)...(2018).......