Over the last few decades, the state of American election cybersecurity has been excoriated by hackers who hope to fix a host of glaring problems before the entire system is exploited.
Voting machine makers as an industry have long pushed back against security and transparency efforts until, suddenly, this week.
Tom Burt is the CEO of Election Systems & Software (ES&S), one of the biggest voting machine manufacturers in the United States. Last year, hackers gathered at the Def Con conference in Las Vegas to test the security of voting machines. While Burt’s company criticized the hackers and suggested the threat against their machines was minimal and “extremely unlikely,” the event was punctuated by an 11-year-old changing voting results and researchers finding a decade-old security flaw in an ES&S ballot counting machine used across the United States.
Four senators quickly responded to the researchers’ findings. Worried about ES&S’s lack of preparedness to combat threats and then its dismissal of hackers’ findings, the senators wrote that “independent testing is one of the most effective ways to understand and address potential cybersecurity risks.” Burt disagreed strongly then but is now pushing for a law “that mandates that all voting machine suppliers submit their systems to stronger, programmatic security testing conducted by vetted and approved researchers.”
After years of criticism and antagonism, Burt significantly changed course this week with an op-ed pushing for congressional action requiring robust security testing of voting machines and announced that the company will no longer sell paperless voting machines.
A paper trail is a key guarantor to audit and check election results against interference “because it is difficult to perform a meaningful audit without a paper record of each voter’s selections,” Burt wrote in an op-ed in Roll Call. “Mandating the use of a physical paper record sets the stage for all jurisdictions to perform statistically valid postelection audits.”
Burt’s dramatic change in tone has been welcomed by cybersecurity researchers, but it’s extremely unlikely that Congress will be passing any election security law due to opposition from Republican Senate Majority Leader Mitch McConnell. Multiple bipartisan pushes for legislation have been stopped cold by McConnell despite criticism from across the aisle and, now, an opposing view from the voting machine industry itself.
Senator Mark Warner called the stonewalling of election security laws “part of a pattern with a White House and a president that has shown no interest in tackling this problem,” the Washington Post reported.
Earlier this year, ES&S submitted its technology for security testing to the Idaho National Laboratory and is working with congressional staffers on more independent security research, ES&S revealed in April to Cyberscoop. Those steps were seen as a step forward—at least they weren’t outright dismissing the idea of heightened cybersecurity scrutiny by experts—but many in the security industry said voluntary and unenforceable actions wouldn’t be enough to secure the voting industry.
Federal legislation would be a significant step, and Burt agrees. He writes:
If Congress can pass legislation that requires a paper record for every voter and establishes a mandated security testing program for the people making voting machines, the general public’s faith in the process of casting a ballot can be restored. And that’s not just a good thing, it’s essential to the future of America.
“I see this op-ed as a positive first step,” Matt Blaze, a Georgetown professor and co-author of the Def Con report on voting machine security, tweeted when Burt made his announcement. “I think the voting system vendor community, which has long automatically denied even the most glaring security weaknesses, is starting to see the handwriting on the wall on demand for more secure voting system architecture.”