A Senate Bill Would Radically Improve Voting Machine Security

Congress is moving person to putting America’s predetermination exertion nether a stricter cybersecurity microscope.

Embedded inside this year’s Intelligence Authorization Act, which funds quality agencies similar the CIA, is the Strengthening Election Cybersecurity to Uphold Respect for Elections done Independent Testing (SECURE IT) Act, which would necessitate penetration investigating of federally certified voting machines and ballot scanners and make a aviator programme exploring the feasibility of letting autarkic researchers probe each mode of predetermination systems for flaws.

The SECURE IT Act—originally introduced by US senators Mark Warner, a Virginia Democrat, and Susan Collins, a Maine Republican—could importantly amended the information of cardinal predetermination exertion successful an epoch erstwhile overseas adversaries stay intent connected undermining US democracy.

“This authorities volition empower our researchers to deliberation the mode our adversaries bash and exposure hidden vulnerabilities by attempting to penetrate our systems with the aforesaid tools and methods utilized by atrocious actors,” says Warner, who chairs the Senate Intelligence Committee.

The caller propulsion for these programs highlights the information that, adjacent arsenic predetermination information concerns person shifted to much visceral dangers similar decease threats against region clerks, polling-place violence, and AI-fueled disinformation, lawmakers besides stay disquieted astir the anticipation of hackers infiltrating voting systems, which are considered captious infrastructure but are lightly regulated compared to different captious industries.

Russia’s interference successful the 2016 predetermination shined a spotlight connected threats to voting machines, and contempt large improvements, even modern machines tin beryllium flawed. Experts person consistently pushed for tighter national standards and much autarkic information audits. The caller measure attempts to code those concerns successful 2 ways.

The archetypal proviso would codify the US Election Assistance Commission’s recent addition of penetration investigating to its certification process. (The EAC recently overhauled its certification standards, which screen voting machines and ballot scanners and which many states require their vendors to meet.)

While erstwhile investigating simply verified whether machines contained peculiar antiaircraft measures—like antivirus bundle and information encryption—penetration investigating volition simulate real-world attacks meant to find and exploit the machines’ weaknesses, perchance yielding caller accusation astir superior bundle flaws.

“People person been calling for mandatory [penetration] investigating for years for predetermination equipment,” says Edgardo Cortés, a erstwhile Virginia elections commissioner and an advisor to the predetermination information squad astatine New York University’s Brennan Center for Justice.

The bill’s 2nd proviso would necessitate the EAC to experimentation with a vulnerability disclosure programme for predetermination technology—including systems that are not taxable to national testing, similar elector registration databases and predetermination results websites.

Vulnerability disclosure programs are fundamentally treasure hunts for civic-minded cyber experts. Vetted participants, operating nether wide rules astir which of the organizer’s machine systems are just game, effort to hack those systems by uncovering flaws successful however they are designed oregon configured. They past study immoderate flaws they observe to the organizer, sometimes for a reward.

By allowing a divers radical of experts to hunt for bugs successful a wide scope of predetermination systems, the Warner-Collins measure could dramatically grow scrutiny of the instrumentality of US democracy.