One of the Senate's main cybersecurity proponents wants assurances that voting systems in the U.S. are ready for their next major threat and he's going straight to the hardware makers to get it. In a letter, Oregon Senator Ron Wyden — an outspoken member of the Senate Intelligence Committee — called on six of the main voting machine manufacturers in the U.S. to provide details about their cybersecurity efforts to date. The request comes on the heels of emerging details around Russia's successful attempts to hack election systems in many states.
Wyden's line of inquiry is grounded in the pursuit of details like if a company has been breached previously without reporting the incident and how often it has conducted penetration testing in cooperation with an external security firm.
Wyden's full list of questions are as follows:
1. Does your company employ a Chief Information Security Officer? If yes, to whom do they directly report? If not, why not?
2. How many employees work solely on corporate or product information security?
3. In the last five years, how many times has your company utilized an outside cybersecurity firm to audit the security of your products and conduct penetration tests of your corporate information technology infrastructure?
4. Has your company addressed all of the issues discovered by these cybersecurity experts and implemented all of their recommendations? If not, why not?
5. Do you have a process in place to receive and respond to unsolicited vulnerability reports from cybersecurity researchers and other third parties? How many times in the past five years has your company received such reports?
6. Are you aware of any data breaches or other cybersecurity incidents in which an attacker gained unauthorized access to your internal systems, corporate data or customer data? If your company has suffered one or more data breaches or other cybersecurity incidents, have you reported these incidents to federal, state and local authorities? If not, why not?
7. Has your company implemented the best practices described in the National Institute of Standards and Technology (NIST) 2015 Voluntary Voting Systems Guidelines 1.1? If not, why not?
8. Has your firm implemented the best practices described in the NIST Cybersecurity Framework 1.0? If not, why not?
Wyden's appeal to voting machine manufacturers is the latest piece in the ongoing conversation around election system and voting machine security following revelations from the 2016 U.S. presidential election. Because states handle elections in a variety of ways, implementing different styles of machine and overseeing their own voter rolls, just how airtight these systems are is difficult to assess.
For example, last month the state of Virginia decertified some of its machines, moving its statewide standard to more secure voting machines that keep a paper tally of votes — a step the state's board of elections undertook on its own. In January, the Department of Homeland Security added “storage facilities, polling places, and centralized vote tabulations locations" in addition to voter databases and voting machines to a national list of critical infrastructure, making it easier for states to expedite requests for federal cybersecurity aid for their election systems.
Coming at election security from the manufacturer angle offers an examination of one most germane pieces of the big picture. In his letter, Wyden demanded answers to the above questions from Dominion Voting, Election Systems & Software, Five Cedars Group, Hart InterCivic, MicroVote and Unisyn Voting Solutions as well as voting system test labs V&V and SLI Compliance, issuing them an October 31 deadline.
"As our election systems have come under unprecedented scrutiny, public faith in the security of our electoral process at every level is more important than ever before," Wyden said. "Ensuring that Americans can trust that election systems and infrastructure are secure is necessary to protecting confidence in our electoral process and democratic government."