



BOSTON – Leaders at the Federal Election Administration Oversight Agency quietly weakened a key component of proposed security standards for U.S. voting systems, raising concern among vote integrity experts that many such systems will remain vulnerable to hacking.

The Electoral Assistance Commission is set to approve its first new security standards in 15 years after an arduous process involving multiple community technical and electoral bodies and public hearings. But ahead of a ratification vote slated for Wednesday by commissioners, EAC leaders tweaked the draft standards to remove language that stakeholders interpreted as banning modems and wireless chips from voting machines as a condition of the federal certification.

The mere presence of such wireless hardware poses unnecessary risks of tampering that could alter electoral system data or programs, say IT security specialists and activists, some of whom have long complained that the EAC is bends too easily to industry pressure.

Agency leaders say that overall, the revised guidelines represent a major improvement in safety. They point out that the rules require manufacturers to turn off wireless features found in all machines, although wireless hardware can remain.

In a February 3 letter to the agency, computer scientists and vote integrity activists say the change deeply weakens the security of the voting system and will introduce very real opportunities to attack electoral systems from a distance. They are calling for the ban on wireless equipment to be reinstated.

They are trying to make a final run to avoid scrutiny by the public and Congress, said Susan Greenhalgh, senior election security adviser for Free Speech for People, a non-partisan nonprofit, accusing agency executives of give in to industry pressure.

Seven members of the 35-member advisory committee, including its chairman, Michael Yaki, wrote to EAC leaders on Thursday expressing dismay that the standards have been substantially changed from what they approved in June. At the very least, he wrote, they deserve to explain why draft standards have backed down so drastically on a critical security issue.

Yaki said he was puzzled by the committees’ decision because the mantra adopted by just about the entire cyber community was to remove radios or things that can be communicated via wireless from the equation.

Yaki asked in the letter that commissioners postpone the February 10 vote, but withdrew that request on Friday after hearing their explanations of the changes. But he said his concerns remain.

FILE – The Electoral College ballot boxes arrive at a joint session of Congress to certify the results of the 2020 election on Capitol Hill in Washington, January 6, 2021.

A modern ban is especially important because millions of Americans continue to believe that former President Donald Trumps baselessly claims that voting equipment was somehow manipulated to deprive him of his reelection in November, Yaki said. . You don’t want to give QAnon enthusiasts or the folks at Stop the Steal ‘a reason to think our voting infrastructure is far from perfect.

EAC president Benjamin Hovland noted that the agency relied on experts from the National Institute of Standards and Technology to help it draft the guidelines. He said objections to the change should not be allowed to delay significant cybersecurity improvements of the new rules.

Banning wireless hardware in voting machines would force vendors who currently build systems with out-of-the-box components to rely on more expensive custom hardware, Hovland said, which could hurt competition. in a sector already dominated by a trio of companies. He also argued that the guidelines are voluntary, although many state laws are based on them.

You have people who put their own personal agenda, putting themselves ahead of the health of our democracy, Hovland said, adding that election officials are among those supporting change. It’s so little seeing the way some people have approached it.

Hovland noted that the amended guidelines state that all wireless capabilities must be disabled in voting equipment. But computer scientists say that if the hardware is present, the software that activates it can be introduced. And the threat comes not only from malicious actors, but also from vendors and their customers, who could turn on the wireless capability for maintenance and then forget to turn it off, leaving machines vulnerable.

Still, a member of the NIST-led technical committee, Rice University computer scientist Dan Wallach, said that while the changes came as a surprise, they don’t look catastrophic. “Objections should not delay adoption of the new guidelines, he told me.

FILE – Voters line up early in the morning to vote in the second round of the U.S. Senate, at a polling station in Marietta, Ga., Jan.5, 2021.

The states of California, Colorado, New York, and Texas already ban wireless modems in their voting equipment. The updated standards, known as the Voluntary Voting System Guidelines, are used by 38 states either as a benchmark or to define certain aspects of equipment testing and certification. In 12 states, the certification of voting materials is fully governed by the guidelines.

In 2015, Virginia decertified and scrapped a voting machine called WINVote after determining that it could be accessed and manipulated wirelessly.

Created to modernize voting technology after the debacle of chad suspended in the 2000 presidential election, the Election Assistance Committee has never had much authority. This is in part because the administration of the vote is handled individually by the 50 states and territories.

But after Russian military hackers meddled in the 2016 Trump election, nations’ voting equipment was declared critical infrastructure and Congress Democrats attempted to exert greater federal control to improve the security.

Republicans, however, have blocked attempts at electoral security reform in the Senate. While the most unreliable voting machine touchscreens, without paper recount ballots, have largely been scrapped, private equipment vendors continue to sell proprietary systems that IT scientists say remain. vulnerable to hacking.

Experts are pushing for the universal use of hand-printed ballots and better audits to build confidence in election results.

