Photo: Getty

Voting machine manufacturer ES&S is facing new questions from a prominent US lawmaker regarding the security of its voting systems.

Sen. Ron Wyden, Democrat of Oregon, has asked ES&S to explain by March 30th whether its voting machines or other products come equipped with a remote-access capability. Wyden’s questions follow a report published by the New York Times Magazine last month, in which ES&S is described as having sold election-management systems with remote-access software preinstalled.

According to the report, titled “The Myth of the Hacker-Proof Voting Machine,” ES&S had advised officials to install remote-access software so that the company’s technicians could access the voting machines without being physically present.

For security reasons, election systems are supposed to be air-gapped, or isolated from unsecured networks, including the internet. The possibility that voting machines have been equipped with cellular modems and remote-access software significantly heightens the risk of sabotage—whether by foreign hackers or corrupt election officials.

Advertisement

“The American public has been repeatedly assured that voting machines are not connected to the internet, and thus, cannot be remotely compromised by hackers,” Wyden, a senior member of the Senate Intelligence Committee, wrote in a letter to ES&S.

He continued: “The default installation or subsequent use of remote-access software on sensitive election systems runs contrary to cybersecurity best practices and needlessly exposes our election infrastructure to cyberattacks.”

Wyden’s office said he had questioned ES&S and other voting machine manufacturers last year about their cybersecurity practices. “ES&S did not answer Wyden’s questions about whether the company follows basic cybersecurity best practices,” it said.

Advertisement

Gizmodo reported in August that voter files belonging to more than 1.8 million Illinois residents were discovered by security researchers on an unsecured Amazon server. The researchers, from the California-based firm UpGuard, said the server had been under ES&S’s control.