The furor over fake news and Russian bots is overshadowing another weak link in the security of U.S. elections — the computer equipment and software that do everything from storing voters’ data to recording the votes themselves. Now the voting vendor industry is receiving increased attention from Congress and facing the prospect of new regulations, after more than a decade of warnings from cybersecurity researchers and recent revelations about the extent of Russian intrusions in 2016. … In 2006, a team of security researchers published a report saying that touchscreen voting machines made by the notably litigious vendor Diebold were vulnerable to “extremely serious attacks.” The researchers were so afraid of being sued by Diebold — now a subsidiary of the voting technology behemoth Dominion — that they broke with longstanding practice and didn’t tell the company about their findings before publishing. The team was “afraid that [Diebold] would try to stop us from speaking publicly about the problems,” said J. Alex Halderman, a University of Michigan computer science professor who was one of the report’s authors.
When California and Ohio ordered voting technology vendors to comply with independent reviews in 2007, getting access to important data was “like pulling teeth,” said Matthew Blaze, a computer science professor at the University of Pennsylvania who worked on both reports and has since analyzed many voting systems.
In the end, researchers found “laughable” flaws in the machines, said Joe Hall, the chief technologist with the digital privacy advocate Center for Democracy & Technology, who participated in the Ohio review. “They made us jump through all these hoops for stuff that was just fundamentally insecure and fundamentally low-quality design.”
That story rings true to all the researchers POLITICO interviewed who have worked with voting technology companies. For instance, strict non-disclosure agreements are common. “We can’t agree to conditions that would preclude us from talking to the public about issues we found, since our work is in the interest of the public,” Halderman said.
Critics also accuse these companies of denying security issues and even refusing to help their customers. The 2007 reports listed “hundreds” of flaws, but Blaze said that “the reaction was universally to say: ‘Oh well, these aren’t really important. They couldn’t be exploited in practice. Don’t worry about them.’”