Lawmakers are concerned about a major blind spot in the government’s ongoing effort to protect U.S. elections from hackers. Agencies like the Homeland Security Department have little insight into the cybersecurity practices of election technology vendors. This lack of visibility opens the door to supply chain attacks, according to the Senate Intelligence Committee, which could be otherwise potentially detected or stopped by government cybersecurity experts. The Senate committee’s first installment of a larger report on Russian targeting of the 2016 presidential election was released late Tuesday night. It focuses on assessing the federal government’s response to security threats and provides recommendations for future elections.
Most of the infrastructure used to process votes today is comprised of equipment and software sold by private vendors. Government agencies are not allowed to enter and defend private computer networks unless they’re given direct consent, which in turn limits the defensive support options immediately available to the election technology industry.
Reporting by The Intercept previously showed that Russian hackers attempted to breach Florida-based VR Systems in 2016, months before the election. DHS did launch a working group in December with representatives from vendors to provide some level of coordination between the government and private sector on security strategies and information sharing.
“Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target or malicious cyber actors,” the report notes. “State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors.”