Congress is moving closer to putting U.S. election technology under a stricter cybersecurity microscope.
Embedded inside this year’s Intelligence Authorization Act, which funds intelligence agencies like the CIA, is the Strengthening Election Cybersecurity to Defend Respect for Elections Through Independent Testing (SECURE IT) Act, which would require penetration testing of federally certified voting machines and ballot scanners, and create a pilot program exploring the feasibility of allowing independent researchers to examine all types of election systems for flaws.
The SECURE IT Act, originally introduced by U.S. Sens. Mark Warner, D-Va., and Susan Collins, R-Maine, could significantly improve the security of key election technology in an era when foreign adversaries remain bent on undermining American democracy.
“This legislation will empower our investigators to think like our adversaries do and expose hidden vulnerabilities by attempting to penetrate our systems with the same tools and methods used by bad actors,” said Warner, who chairs the Senate Intelligence Committee.
The new push for these programs highlights the fact that while concerns about election security have shifted to more visceral dangers, such as death threats against county clerks, violence at polling places, and artificial intelligence-driven misinformation, lawmakers remain concerned about the potential for hackers to infiltrate voting systems, which are considered critical infrastructure but are lightly regulated compared to other vital industries.
Russia’s interference in the 2016 election highlighted threats to voting machines, and despite significant improvements, even modern machines can have faults. Experts have consistently pushed for stricter federal standards and more independent safety audits. The new bill attempts to address those concerns in two ways.
The first provision would codify the U.S. Election Assistance Commission’s recent addition of penetration testing to its certification process. (The EAC recently reviewed its certification standards, which cover voting machines and ballot scanners and which many states require their suppliers to meet.)
While previous tests simply checked whether machines contained particular defensive measures, such as antivirus software and data encryption, penetration tests will simulate real-world attacks aimed at finding and exploiting weaknesses in machines, potentially yielding new insight into serious software flaws.
“People have been calling for mandatory [penetration] testing of election equipment for years,” said Edgardo Cortés, a former Virginia election commissioner and an adviser to the election security team at New York University’s Brennan Center for Justice.
The second provision of the bill would require the EAC to experiment with a vulnerability disclosure program for election technology, including systems not subject to federal testing, such as voter registration databases and election results websites.
Vulnerability disclosure programs are essentially scavenger hunts for civic-minded cyber experts. Participants, who have been vetted and operate under clear rules about which of the organizer’s computer systems are legitimate targets, attempt to hack those systems by finding flaws in their design or configuration. They then report back to the organizer about any flaws they discover, sometimes for a reward.
By allowing a diverse group of experts to look for errors in a wide range of electoral systems, the Warner-Collins bill could dramatically expand scrutiny of the machinery of American democracy.