The upcoming election has brought up conversations about the security of our voting infrastructure. While recent developments have somewhat shifted attention toward more visceral threats such as "death threats against county clerks, polling-place violence, and AI-fueled disinformation," voting machine security is still a pressing concern.
Securing electronic voting infrastructure only becomes more important with time, as outdated hardware and software provide vulnerabilities for bad actors to exploit. The recently introduced Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act aims to take steps to protect voting machine security. Contained within this year's Intelligence Authorization Act, the bill would enact new requirements to strengthen election security.
Voting Machine Security Risks and Challenges
There are a number of dangers and difficulties associated with securing voting machines and ensuring the integrity of elections. Voting systems are classed as critical infrastructure, and protecting them against cybersecurity incidents and other attacks is of the utmost importance.
Even so, existing regulations are not very strict, and voting infrastructure is not a priority for funding at the state or federal level. Hacking and cyberattacks are still a major worry for lawmakers and other officials, especially as past elections and their fallout have made it clear that election interference is a pressing threat.
The risks and challenges of voting machine security vulnerabilities include:
- Outdated voting machines (42 states will be using machines over a decade old) are in danger of failing, crashing, or having significant operational impediments.
- Aging systems are also likely to have severe security vulnerabilities due to running on software that no longer receives regular security patches.
- Paperless electronic voting machines (used in some polling places in 14 states) do not produce a paper record for voters and election officials to confirm votes.
- Security vulnerabilities can allow bad actors to deploy malware in person or remotely, enabling them to alter votes.
About The SECURE IT Act
The SECURE IT Act, originally introduced in 2023, could codify a number of new regulations to increase the levels of security surrounding elections. It would require "certain actions to strengthen the security of U.S. voting systems," including:
- The Election Assistance Commission (EAC) would have to carry out penetration testing as part of testing and certifying voting system hardware and software. This would officially codify a recent addition to the EAC's certification standards, which are not yet required in every state.
- The National Institute of Standards and Technology (NIST) would have to make recommendations to the EAC of entities to conduct penetration testing.
- The EAC would have to vote on accrediting these recommended entities.
- The EAC would also develop a five-year pilot program to allow participating cybersecurity researchers to conduct testing and disclose any vulnerabilities found in election systems.
- Manufacturers would be required to patch or mitigate severe known vulnerabilities within 180 days.
With these requirements, federally certified voting machines and ballot scanners would have fortified defenses against hacking and other cybersecurity incidents. Previously existing testing procedures consist solely of verifying whether voting machines contain specific protective measures, like antivirus software and encryption. Mandatory penetration testing, on the other hand, enables testers—including independent researchers, with the establishment of the EAC pilot program—to approach security from the perspective of an attacker and find unknown vulnerabilities.
Best Practices for Voting Machine Security
While the SECURE IT Act would establish new requirements for improved election security, it has yet to be passed by the Senate. In the meantime, it is vital for election officials and voting machine manufacturers to take steps to secure voting infrastructure. Measures like penetration testing and ensuring that software is up to date are still important and encouraged without legislation codifying them, along with general cyber hygiene and best practices.
Security measures commonly used by election officials include:
- Ensuring that any newly purchased voting systems are tested and certified.
- Complying with all laws and regulations regarding voting device programming and configuration.
- Testing voting equipment for accuracy prior to elections.
- Auditing and verifying ballots to check that the machine registered each vote and counted them properly.
- Maintaining practices and controls for the physical security of the election location and equipment.
How SECURE IT Requirements Could Protect Election Security
While election security is widely recognized as a significant area of concern, existing regulations and policies have not been sufficient to ensure that elections are secure and accurate. The SECURE IT Act is designed to update regulations to mitigate the dangers associated with electronic voting machines and election interference.
By implementing new requirements, officials could bolster voting machine security and protect against cyberattacks on election infrastructure. The mandatory penetration testing and development of more effective measures would provide stronger defenses to maintain the integrity of elections.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.