While a proposed measure that would have given state officials more tools to help secure elections has bogged down in the Senate, four members of that body’s Intelligence Committee are pressuring a major manufacturer of electronic voting machines to allow independent tests of their products by election agencies and to work with researchers to assess the security of the machines.
In a letter sent to the president and CEO of Election Systems & Software, a maker of voting machines used in many states, a bipartisan group of senators expressed concerns about the company’s reaction to the Voting Village hacking contest at the DEF CON security conference earlier this month. The Voting Village gave participants the opportunity to get their hands on various electronic voting machines, look for vulnerabilities, and see whether they could find ways around the defenses on the machines. Before DEF CON, ES&S officials sent a FAQ to customers, informing them of the contest and somewhat downplaying any negative results that might come from it.
There were plenty of successes against various machines and voting sites during the Voting Village exercise, including some by kids as young as eight years old. The exercise takes place in a controlled environment, but the machines involved are the same ones used in actual elections around the country. In their letter to ES&S President and CEO Tom Burt, the senators said they are “concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections.”
The letter came from Sens. Kamala Harris (D-Calif.), Mark Warner (D-Va.), Susan Collins (R-Maine), and James Lankford (R-Okla.), all members of the Senate Select Committee on Intelligence. The lawmakers asked Burt to take the issues raised during DEF CON seriously and to commit to independent security testing of the company’s machines.
“The reality of these unprecedented security risks was on full display at the DEF CON cybersecurity conference, where researchers at the ‘Voting Village’ successfully probed a variety of electronic equipment used to administer elections. We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing. We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks,” the letter, sent Aug. 22, says.