Congress

Voting machine makers say yes to congressional oversight

Top execs of U.S. voting machine makers said they would accept federal regulations regarding disclosure

Rep. Zoe Lofgren, D-Calif., speaks during a House Administration Committee hearing in July 2019.  Lofgren said Thursday to top executives of U.S. voting machine makers that they should disclose cybersecurity practices including how they respond to incidents. (Caroline Brehman/CQ Roll Call)

Top executives of U.S. voting machine makers told lawmakers Thursday they would accept federal regulations requiring the companies to disclose how they handle cyberattacks as well as reveal details of ownership and sources of components.

Tom Burt, CEO of Election Systems & Software, John Poulos, CEO of Dominion Voting Systems, and Julie Mathis, CEO of Hart InterCivic, told Rep. Zoe Lofgren, D-Calif., chairwoman of the House Administration Committee that they would accept a broad set of regulations governing their companies.

[Progressive group spending $100,000 to pressure McConnell, vulnerable GOP senators on election security]

Lofgren told the executives there were no “federal reporting requirements about disclosure on key business practices” by the three largest makers of voting equipment.

Lofgren said the companies should disclose cybersecurity practices including how they respond to incidents; details of cyberattacks they suffer; personnel policies including how employees are screened to ensure no insider attacks occur; details of foreign shareholding; and information on where the companies obtain their software and electronic components.

Company executives told lawmakers their machines contain components made in China, including programmable logic devices that are the heart of any computing device, as well as capacitors and touch-screen glass. None of their components were sourced from Russia, the executives said.

Security experts also have been concerned about remote access software on voting machines that could be hacked by adversaries.

Executives of all three companies told lawmakers they discontinued making machines with such access after 2007, but some Hart and Dominion machines have the capability to plug in an external modem that can transmit vote tallies after polls close, the executives said.

The hearing was the first time top executives of voting machine vendors have appeared before Congress since the 2016 election to answer questions on the security of their machines. In that year’s presidential election, U.S. intelligence agencies concluded Russian operatives attempted to break into the voter registration databases of 21 states and succeeded in penetrating the systems in a handful of states. No voting machines are known to have been breached and officials have said no votes were altered.

Special Counsel Robert S. Mueller III found evidence Russian intelligence agents breached and managed to plant malware in equipment by VR Systems of Tallahassee, Fla., which makes poll books and election management computers. The company does not make voting machines and denied it was hacked. The FBI is reportedly probing the case but has not offered any details.

ES&S, Hart and Dominion together account for 80 percent of the machines used by voters across the United States to cast ballots.

“A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country,” Elizabeth Howard, counsel at the Brennan Center for Justice at NYU School of Law, told the House committee. And yet the vendors of the machines have “received little federal or congressional oversight.”

Unlike makers of a variety of consumer and industrial products who must comply with federal safety standards, voting machine makers thus far have eluded scrutiny, she said. “Even colored pencils are subject to more federal regulation than voting systems.”

The U.S. Election Assistance Commission, created in the aftermath of the 2000 presidential election, has authority to disburse federal grants to states to help them buy voting machines and other election machinery. The commission sets standards for voting machines but has no authority to issue rules or impose requirements on states.

In 2005, the agency published its first set of standards for voting machines, known as Voluntary Voting System Guidelines and updated it in 2015. But none of the vendors or the machines were certified against the updated 2015 standards, which means election officials are likely using the 2005 standards, Commission Chairwoman Christy McCormick told lawmakers last year.

In December, Congress approved $425 million in federal grants to help states boost election security measures. But the amount was less than half the $1 billion many House Democrats sought. In spring 2018, Congress approved an earlier batch of $380 million for election security.

Get breaking news alerts and more from Roll Call on your iPhone.