Skip to main content

Last-Minute Tweaks to Voting Machine Standards Raise Cyber Fears

February 10, 2021

Last-minute changes to proposed federal standards for new voting machines could expose the equipment to cyber-attacks, according to some members of Congress and security professionals.

The Election Assistance Commission, slated to authorize new voting system guidelines on Feb. 10, amended key sections of a 328-page document less than two weeks before the decision. The amended language of the Voluntary Voting System Guidelines 2.0 would allow next generation voting machines to include components capable of wireless communications, as long as they're disabled. The changes were made even though the EAC's technical advisory committee recommended an outright wireless ban.

Cybersecurity experts, some of the EAC's own advisers and members of Congress are calling for the agency's four commissioners to vote on a version of the document finalized in July 2020 which included the prohibition on wireless capability. In a letter reviewed by Bloomberg, a bipartisan coalition of more than 20 members of Congress led by Representative Bill Foster told the EAC's Chairman Ben Hovland that the current version would "diminish confidence in both the federal voting system certification program and the security of our election systems."

"We cannot sanction the use of online networking capabilities when they carry the very real and increased risk of cyber-attacks, at scale, on our voting machines," reads the letter.

A four-member panel of commissioners will vote on whether to approve the new standards, which aim to create new guidelines for ease of use, accessibility and security of voting systems. The proposal includes amended standards to ensure all ballots types can be audited and counted both digitally and manually -- a system that was essential to verifying President Joe Biden's victory in Georgia in November.

The standards are only guidelines offered by the federal government to the nearly 8,000 state and local jurisdictions responsible for procuring voting machines and executing elections. The original rules, adopted in some capacity by 47 states since 2005, have been used to certify machines produced by almost every manufacturer in the U.S. since the era of iPods.

If a majority of commissioners approve the standards, they will offer a new blueprint for a generation of voting machines that could span the next 30 years, starting as soon as 2024.

The standards are coming up for a vote just a few months after a top U.S. cyber-official declared the November presidential election the safest in U.S. history. That marked a sharp contrast to the 2016 election, in which Russian hackers managed to infiltrate state and local election networks and pilfered emails from Democratic Party officials. That prompted the Senate Intelligence committee to recommend a ban on wireless systems in voting machines.

Hovland, the EAC chair and one of the four commissioners expected to vote on the matter, described the response to the EAC's latest draft as "a pretty intense misinformation cycle spinning out there" rooted in critics' failure to digest the full proposal. Hovland said some of the language that has raised concerns was simply pulled from one section of the proposal to another in hopes of streamlining the guidelines.

He said latest proposal does more to protect voter security than previous iterations by explicitly detailing how any wireless hardware should be disabled.

"Is this still a vulnerability? Sure," he said. But he said the new standard "takes all the mitigation steps necessary" including refusing to certify machines that fail to ensure that wireless systems are disabled.

Meanwhile, others are asking the EAC to explain why changes to a document 15 years in the making were made less than two weeks before the scheduled vote.

"The issue here is the EAC made changes to some of the most commented-on sections of the standard without clearly explaining who made the change, why the change was made and that's inviting a lot of questions," said Matt Masterson a former EAC commissioner, referring to some of the 50,000 public comments submitted to the EAC in 2020.

Masterson said there's no reason to believe the late amendments were born out of malfeasance. "There is an opportunity here for further transparency by the commission which I hope they provide," said Masterson, former election security lead at the Cybersecurity & Infrastructure Security Agency, part of the Department of Homeland Security.