Election-systems cybersecurity would take a hit under new House bill, experts say
Legislation recently introduced in the House that seeks to terminate the Election Assistance Commission, or EAC, would hamper coordination efforts between state and federal officials at a time when cybersecurity concerns are top of mind, experts tell CyberScoop.
The bill, H.R. 634, would effectively gut what is considered to be one of the only organized bodies currently capable of educating election officials on how to properly protect voting systems from hackers.
“If Congress terminates the EAC, it’s going to be essentially driving the integrity of elections off a cliff,” said Gregory Miller, chief election technology strategist for the OSET Institute, an election technology think tank. “The states, many of whom are ill-prepared to manage the complexities of a testing and certification program, will be left to derive the standards and guidelines for machine compliance on their own — they’ll be stuck to ride this out, and we need to solve that soon.”
Founded in 2002 as part of the Help America Vote Act, the EAC is an independent, bipartisan federal commission tasked with providing various administrative services to election officials, including disseminating security information and authoring acquisition guidelines. The bill, sponsored by Rep. Gregg Harper, R-Miss., would terminate the agency within 60 days of the president’s signature, if the legislation gets that far.
The measure comes at a time when other Republican lawmakers are broadly pushing for increased deregulation across the government and a restructuring of some existing federal agencies. At the same time, investigators continue to review different Russian hacking campaigns, which to varying degrees may have influenced the 2016 presidential election — an operation that may still yield information relevant to the EAC.
Repeated attempts to contact Harper’s office went unanswered.
‘Incredible and unique pressures’
While declassified reports published by the U.S. intelligence community note that Russia did not penetrate America’s election infrastructure in itself, security researchers have in fact proven over the last several years that hacking into electronic voting machines is possible.
“The stakes are high for all election officials right now. They face incredible and unique pressures, and we know that the EAC’s support is needed now more than ever before,” EAC Chairman Thomas Hicks told CyberScoop.
The EAC has long served as an intermediary between election administrators and federal agencies such as the Department of Homeland Security, the FBI and the Postal Service, he said.
“We’ve been told many times over the past weeks that it is important that we continue to play this role and we plan to,” Hicks said. “It’s unclear where that responsibility could fall if not with us, so that is a serious concern for election officials.”
By design, the legislation would also notably terminate two EAC pillars — known as the Technical Development Guidelines Committee and Voluntary Voting Systems Guidelines — currently tasked with providing security recommendations for current and future voting machines. Based on the bill’s language, it would do so without transferring any of their duties to, for example, the National Institute for Standards and Technology, which could feasibly author comparable advice.
“If this standards work is completely abandoned, and looks like it will be based on the Committee Bill markup, then we’re left with the old stuff, and any certification or audit protocols or processes will be the responsibility — or perhaps an opportunity — solely of States,” said John Sebes, the OSET Institute’s chief technology officer.
Whose infrastructure?
Just before the Obama administration ended, former Homeland Security Secretary Jeh Johnson announced that DHS would designate election systems as critical infrastructure. That decision essentially called for additional resources that could be provided to states on a voluntary basis to help them secure systems from both physical and cyber-enabled attacks. Some state officials, however, publicly decried the new designation, describing it instead as a power-grab by the federal government to manage what has traditionally been a state-controlled responsibility.
“The decision to keep election systems as part of the nation’s critical infrastructure also poses unique challenges for state and local leaders, as well as for the federal agencies involved in implementing that decision,” Hicks said.
Beyond coordination efforts, the EAC’s Testing and Certification program is among the most widely accepted voting machine testing and certification guides in the U.S. In broad strokes, these guidelines are important because they mandate that the commission provide certification, decertification, and recertification of voting systems, as well as the accreditation of voting system testing laboratories to states.
“We know that this program is a vital part of the work we have planned in the future and is not currently done anywhere else but at the EAC,” said Hicks.
At the moment, a total of 43 states are still in the process of replacing their legacy voting systems with new gear before a previously agreed-upon 2020 deadline passes.
“I am very concerned about what this means for trying to improve, update, and upgrade the integrity of elections and voting machinery. Without the guidance and resources of the EAC this will become an issue with uneven treatment, and the troubles we’ve experienced as recently as this past election will likely worsen,” Miller said.
At a National Association of State Election Directors meeting in Washington last week, congressional staff from the relevant committees that oversee the EAC heard widespread concern from the election community regarding efforts to eliminate the EAC. In response, those aides said they would consider it as they decide on next steps.