Election Agency Urged to Finalize 2020 Security Standards

WASHINGTON (CN) – During a forum on election security Thursday, Connecticut’s secretary of state urged a federal agency in charge of the process to act quickly in issuing new security standards for voting systems so states can update software in time for the 2020 election.

Employees test electronic voting machines in Atlanta, Ga., on Sept. 22, 2016. (AP Photo/Alex Sanz, File)

The U.S. Election Assistance Commission hosted three panels of witnesses, all of whom testified on ways to improve the security of the nation’s election systems during a three-hour forum in Washington, D.C.

Last year, Congress appropriated $380 million under the Help America Vote Act, which makes funds available for states to update election security measures and voter registration methods. However, the federal funds, coupled with a state-required match, were not enough to completely update voting equipment across the country.

During Thursday’s first panel, the secretaries of state for Connecticut and Louisiana, Denise Merrill and Kyle Ardoin, respectively, both spoke to the benefits of this funding. Merrill said that with the $5 million in HAVA funds appropriated to her state last year, Connecticut had implemented a virtual system that allows those in election advisory roles to view every desktop used for counting and reporting votes in the state.

In most of the state’s 169 towns, methods of recording votes differ depending on the area, Merrill said, also noting that some towns don’t use computers.

One of the largest issues facing voter systems is the certification standards required by the Election Assistance Commission, or EAC, an independent federal agency created by the HAVA. Releasing new standards for the upcoming year in a timely fashion is essential to ensuring the next set of systems is updated properly, Merrill said.

“I would say my biggest ask of this organization is to hustle up with the certification and standards because we’re going to be in a position where we’re going to have to replace our current system,” she said. “We’ve been very satisfied with the usage of these systems… But you know, I can see that there’s going to be a big need for us to have a lot of information from a source that understands this and knows where the field is going.”

EAC Commissioner Thomas Hicks said he believed securing systems ahead of the 2020 election was important, quoting former heavyweight boxing champion Mike Tyson: “Everyone has a plan until they get punched in the mouth.”

“I figure that we all have our plans ready for 2020, but I think there’s going to be a lot of swings at us. I don’t necessarily think we’re going to get hit hard, but there’s going to be a lot of attempts for folks to hit us,” Hicks said.

A second panel made up of state, federal and technical representatives for voter systems and technologies addressed certifying systems through the EAC. One major issue is upgrading operating systems from Windows 7 to Windows 10. The former software will no longer receive patch updates after January 2020, raising security concerns.

Ginny Badanes, director of strategic projections for Microsoft’s Defending Democracy Program, said she had been working with election system vendors on the role the company could play to ease the transition of updating software.

“We’ve given a lot of consideration to the role that Microsoft can play to be an impactful partner to the election community,” Badanes said. “We are committed to helping our customers remain secure as they modernize their system to make the move to Windows 10. We understand that some customers will need more time, which is why we will offer extended security updates to customers who are still running Windows 7 on their system.”

Another issue is the rate in which software, hardware or other voting technology is certified as acceptable by the commission, which takes a year or more to complete. By the time these certifications are finalized, often there are more advanced security technologies available, panelists said.

Jared Dearing, executive director for the Kentucky State Board of Elections, said another part of this issue is making sure that local election officials are well-equipped to handle security patches for voter software. Electronics usually are able to be updated by connecting to the internet, but voting systems lack this connectivity, forcing manual, hands-on updates for all systems.

Local officials are often not technology-oriented, he said, making it difficult for them to participate in voting security.

“We’re talking about local communities that are having trouble funding roads and water bills and hospitals, and we’re now also asking them to take part in the defense of foreign and state actors,” Dearing said. “And the cliff that is looming before us is that we’re failing to fund them appropriately.”

A third panel, made up of voting equipment industry representatives, discussed the processes in which equipment is tested, approved and finally certified by the EAC.

Bernie Hirsch, Microvote’s chief information, security and quality officer, said part of the issue with obtaining EAC certification is the rate at which technology changes.

“We could certify something and then three months later, they’re no longer making it,” Hirsch said. “If all of us had the funding to buy 10,000 laptops up front, then we could keep handing those out like candy for the next 10 years, but we can’t do that. So having Windows 10 has been a really big advantage, just from the standpoint of buying current hardware. But it takes years to get through certification with that, which is an issue.”

Other speakers included cyber security experts, a representative from the Department of Homeland Security, and more voting system industry representatives.

%d bloggers like this: