The Brennan Center for Justice argued in a Nov. 12 report that the Federal government needs to hold election technology vendors to higher cybersecurity standards in order to receive Federal certification. To that end, the Center offered up a new framework for oversight.
“More than 80 percent of voting systems in use today are under the purview of three vendors,” the report explains. “Yet these vendors, unlike those in other sectors that the Federal government has designated as critical infrastructure, receive little or no Federal review. This leaves American elections vulnerable to attack.”
The Brennan Center’s proposed framework is centered around five priorities: independent oversight, issuance of vendor best practices, vendor certification, ongoing review, and enforcement of guidelines.
The report posits that a new Federal certification program must be “empowered to issue standards and enforce vendors’ compliance.” The Center argues that the Election Assistance Commission (EAC) should be tasked with this responsibility.
However, the report acknowledges that historically the EAC has been viewed as controversial and has failed to carry out its core mission. With that in mind, the Center offered detailed recommendations to strengthen the EAC’s ability to carry out its new role in setting and enforcing standards.
“Whichever agency takes on this role must be structured to be independent of partisan political manipulation, fully staffed with leaders who recognize the importance of vendor oversight, and supported by enough competent professionals and experts to do the job,” the report concludes.
Issuance of Vendor Best Practices
As part of its move to strengthen the EAC, the report says Congress needs to reconstitute the EAC’s Technical Guidelines Development Committee (TGDC) to include a heavier focus on members with cybersecurity experience, and empower the committee to issue best practices for election vendors.
“At the very least, these best practices should encourage election vendors to attest that their conduct meets certain standards concerning cybersecurity, personnel, disclosure of ownership and foreign control, incident reporting, and supply chain integrity,” the report says. “Given the EAC’s past failures to act on the TGDC’s recommendations in a timely manner, we recommend providing a deadline for action. If the EAC does not meet that deadline, the guidelines should automatically go into effect.”
In its report, the Brennan Center urges Congress to expand the EAC’s current voluntary certification and registration power to include election vendors and their products. The report notes that the expanded authority would complement, rather than replace, the current voluntary Federal certification of voting systems. The Center says that the new certification program should be administered by the EAC’s existing Testing and Certification Division and notes that this move would require additional personnel.
As part of its expanded oversight role, the Brennan Center calls on the EAC to task its Testing and Certification Division with assessing vendors’ ongoing compliance with certification standards. The report says that the division should “continually monitor vendors’ quality and configuration management practices, manufacturing and software development processes, and security postures through site visits, penetration testing, and cybersecurity audits performed by certified independent third parties.” Additionally, certified vendors should be mandated to report any changes to the information they provided during their initial certification process and any cybersecurity incidents to the EAC and other relevant governmental agencies.
Enforcement of Guidelines
Quite simply, the Brennan Center said that for any of this to work there “must be a clear protocol for addressing violations of Federal guidelines by election vendors.”
In terms of implementing its proposed framework, the Brennan Center notes that the “EAC does not currently have the statutory authority to certify most election vendors, including those that sell and service some of the most critical infrastructure, such as voter registration databases, electronic pollbooks, and election night reporting systems.” To ensure the EAC can better protect election security, the report calls on Congress to pass legislation that enables the EAC or other Federal agencies to adopt the recommendations laid out in the report.
However, even without congressional action, the EAC could issue voluntary guidance for election vendors and “take many of the steps recommended in this paper as they relate to voting system vendors.” The Brennan Center noted that “it is our legal judgment that the EAC may require, through its registration process, that voting system vendors provide key information relevant to cybersecurity best practices, personnel policies, and foreign control. Furthermore, the EAC may deny or suspend registration based on noncompliance with standards and criteria that it publishes.”