A group of security researchers and voting technology vendors trying to hash out cybersecurity requirements for voting systems once again butted heads over whether to require vendors to let anyone test their products. The subject arose during a teleconference late last week of the Voluntary Voting System Guidelines cyber working group. When election security consultant Neal McBurnett suggested that the new guidelines require vendors to make products available for open-ended vulnerability testing, Joel Franklin of voting giant Election Systems & Software shot back with a question: “Is there other software tied to critical infrastructure software that’s open to public OEVT?” Franklin said he wasn’t dismissing the value of OEVT. “I’m just wondering if we’re putting an undue burden on voting systems when there are computers in nuclear security and every other critical infrastructure industry” that aren’t available for OEVT.
Other election security advocates chimed in to back McBurnett’s call for an OEVT requirement. Activist and documentary filmmaker Lulu Friesdat said the OEVT process must be open to the kinds of academics and experts who attended the DEF CON voting machine hackathon, “because that’s where we have historically been finding the most vulnerabilities.”
Susan Greenhalgh, policy director for the National Election Defense Coalition, went further, suggesting that the voluntary guidelines require voting systems to be tested by the U.S. national laboratories, like other pieces of critical infrastructure. “Vendors would be given reports of the vulnerabilities that are found and then be given a certain period of time to correct the vulnerabilities,” she said. “If they don’t correct the vulnerabilities, then they are made public.” To Franklin’s point, Greenhalgh stressed that this already existed for other critical infrastructure sectors.
Friesdat also argued that the working group should press the Election Assistance Commission to do something about vulnerable voting systems that stayed in use for years. “Otherwise we’re going to have the same situation we have now,” she said, “where decades go by and known vulnerabilities are just tolerated.” The EAC, she added, should consider decertifying those machines. “This is a really different product than a nuclear product,” she said, addressing Franklin’s earlier point. “This is a product that is about democracy and the foundation of our democracy. So it’s going to require transparency that other products might not require. I think that’s reasonable.”
Full Article: Security researchers, voting vendors clash anew – POLITICO.