Recent News

Elections Legislation Everyone Can Agree On: The KISS Act

A week ago the Wall Street Journal ran an editorial that’s worth a comment in reply.  I can’t argue with the WSJ taking the view that the House SAFE Act (H.R.2722) is a “partisan maneuver” (possibly they’re referring to the very recently introduced Senate version: S.2238 SAFE Act, but I doubt it from the editorial). Given that even the Senate is now hyper-partisan, publications (like the Wall Street Journal) that want to find partisanship, will find it wherever they look.

However, let’s whittle this issue down to the essentials. Imagine stripping down the Bill— dropping the tree-hugging recycled paper thing; dropping the ranked choice voting; removing whatever other nit-picks the WSJ editors found. And imagine adding the 25% state “skin-in-the-game,” adding a ballot harvesting ban, and whatever else the WSJ editors would wish to be added.

Then, imagine just considering on its merits only two (2) basic essentials:

  1. When a state conducts a Federal election it should be with paper ballots (using a ballot marking device or hand marking, or a mix of casting methods as the state chooses, and with Federal funding to do so); and
  2. Those ballots must be audited to ensure that we never have a computer problem that results in naming a winner who did not actually receive the most votes.

And while considering those two requirements, also consider whether it is right, fair, and practical for the Federal government to treat this as a funded mandate for every Federal election, with the Federal government providing the substantial majority (75%) of the funds that the state will need in order to comply with those two essential requirements, but using methods that each state decides on its own are the best for their local elections offices.

Imagine that.

I would hope that the Wall Street Journal editors would find that to be a credible and well-guided opinion about the main point — the primary goals for any Federal legislation to strengthen the confidence in the integrity of our elections, when we know nation states will be working to undermine our confidence in meaningful elections.

If so, then I humbly offer a name for such a stripped down bipartisan version of SAFE that I invited readers to imagine: the KISS Act: Keep Integrity in Elections Simple and Secure. In other words, follow the engineer’s dictum to Keep It Simple, in order to get the job done with the simplest approach possible.

Plain Talk Series on Understanding Voting System Updates Part 6: What Needs to Change?

Voting Systems Plain Talk Series logo

A six-part series about Voting Systems Updates

This is the 6th and final part of a 6-part series of slightly longer vignettes on the challenge of updating voting systems. It’s a slice-and-dice of a recent briefing on the topic.

It’s intended to acquaint relatively newcomers to understanding how voting system are purchased and maintained, and that includes anyone and everyone from concerned citizens, to journalists, to policy makers.

What’s the Way Forward?

Given the current limitations of vendor contracts, complex certification, and a unique operating environment, changes are necessary in order to provide voting system manufacturers with stronger incentives to upgrade their products and go through re-certification, and to provide local election officials with greater value in voting system updates (i.e. to make them less prematurely out-of-date).

Below are our recommendations for how federal certification could be improved, and how local election officials can better arm themselves with critical information needed to enhance vendor accountability.

For Policy Makers: Re-Thinking Federal Certification

Coming up with new ways to support more flexible voting system updates requires policy makers and the EAC to re-visit some fundamental concepts and practices that make it almost impossible to rapidly update one or more components of a voting system.

One of these has already been mentioned: namely, re-thinking the definition of “voting system.” Past federal certification campaigns have allowed only “total” system configurations, with essentially say that the EAC will only certify complete voting systems that include a comprehensive minimum set of end-to-end functions; vendors cannot simply make incremental changes in selected components and quickly deploy those updates.

Current Practices Are Unwieldy, But There Are Alternatives

Recall, for example, that under current practices, if a voting system manufacturer wanted to update only the operating system for only the back-office tabulation computers (which are especially important, since they count and report results), and nothing else, that change in OS for that one component would still result in an new “version number” for the overall voting system, and the modified voting system as a whole would still need to go through the long and costly federal certification process.

In contrast, there are alternative ways of thinking of a “voting system” that could drive more flexibility in the federal certification program.

For example, the ability for manufacturers to develop, test and seek certification for individual portions of a voting system (also known as component-level certification), rather than being required to submit only entire systems for certification, could introduce greater agility for vendors and local election officials alike.

Not Just Carrots — Add Sticks

In addition to those “carrots,” the EAC could also consider additional “sticks,” for example, in the form of new prohibitions on continued certification of voting systems whose operating systems are no longer supported by their manufacturer.

In those instances, the vendors might be required to use updated/currently-supported operating systems as a prerequisite to (re)entering the certification process.

A New Role for Federal Agencies

Finally, a heightened security environment might necessitate a new and larger role for institutions other than the federal Election Assistance Commission, with procedures that have been consciously crafted to be more flexible.

For example, allowing the Department of Homeland Security (DHS) to oversee cybersecurity testing for voting systems, with a particular eye toward increased agility, could be a good first step in the right direction.

A Combined Approach

In sum, an evolving understanding of “voting systems,” component-level certification, and re-thinking cybersecurity testing are essential because our national security depends on the agility that these programmatic changes can help to deliver.

We hope that federal and state legislators and policy makers will pay close attention to these evolutionary changes, because the cyber-threat landscape is rapidly changing, and in the future, the federal certification program must support rapid changes to voting technology.

In addition to those changes in the regulatory environment, other changes could provide states, counties, and local election officials with other tools to hold vendors more accountable, so that the playing field is less unequal. As a final consideration, let’s take a look at those.

For Election Officials: Education and Empowerment

Returning full-circle to the challenges that inspired this blog series in the first place, it should now be clear just how complex the many factors are that impose limitations on how quickly voting system updates can be implemented.

In order for the overall security profile of our nation’s voting infrastructure to be substantially improved, new incentives and sanctions will need to emerge in order to fill gaps in outdated software.

As we have seen, however, common vendor practices and certification requirements play an outsized role in disrupting both the clarity and the pace with which potential software updates might be delivered.

Moving the Needle

Since certification practices are unlikely to change quickly, and because vendors are unlikely to willingly place additional obligations on themselves , the fact of the matter is that “moving the needle” to arrive at more predictable updates may rest in the hands of state and local election officials, who are uniquely positioned to increase vendor accountability during the contracting process.

Vendors want to sell voting systems; they expend significant dollars for development, certification, operations, and marketing, and by the time an election jurisdiction announces an intent to award a particular vendor with a new sale, vendors are motivated to close the transaction with a mutually binding contract.

The Initial Punch List

As this blog series illustrates, the complex network of variables that impact voting system updates can be boiled down to just four major elements that all procurement departments and election officials should become very familiar with; this is the initial “punch list” to guide their assessment of the playing field:

  1. Initial purchase. Review the purchase order, quote, or “bill of sale” closely. What hardware is included? What software is installed on the hardware? And what software licenses are already included for the first year?
  2. Baseline annual fees: Review the “license and support” fee schedule carefully, to understand the costs that the customer will incur to continue using the hardware and software, year after year, over the term of the contract. License and support fees are typically listed separately from the initial hardware and software schedule.
  3. Software update policies. In addition to reviewing the “license and support” fee schedule, carefully review any separate “License and Support Agreements,” which are typically distinct from “Master Agreements” or “General Terms.”
    1. Do a word search on “updates” in all of these documents, and review the vendor’s default boilerplate update policies. Accountability, transparency and predictability of potential software updates is likely to be enhanced by providing substitute language to replace the vendor’s default software update policy.
  4. Certification. State and local election officials should familiarize themselves with their state’s policies around certification of voting system updates. The Secretary of State’s office can provide information about timelines and policies for certification of voting systems.

Ask Questions Before You Sign

With all of the above information as an initial baseline for negotiation, state and local election officials are now in a position to collaboratively discuss more detailed questions with their preferred voting system vendor, before any contract is signed.

We recommend discussing the following questions, among others:

  • What types of updates are included through annual license and support payments, with no additional charges necessary?
    • Are security-only updates included as part of “software updates”? Who decides?
    • What types of updates might require additional, separate costs? Who bears those costs?
  • If annual license and support payments provide the customer with “updates,” does that include installation of updates, or is that a separate fee?
    • Are there any other additional fees associated with installation? Shipping? Consumables? Anything else?
  • If any new software licenses are associated with the update, who will pay for them?
  • Who is responsible for paying any third-party licenses that might be required to operate the updated system?
  • How are updates installed?
    • By the vendor? The state? Counties?
    • What’s included in “installation”? Does it include on-site service? Or is installation by the customer possible?
    • What is the customer “acceptance” process after the update is complete?
  • Is there any way to predict and/or limit what software and security upgrades might cost (especially to facilitate budgeting)?
  • Are there any circumstances in which the customer wishes the vendor to be obligated to provide an update?
    • For example, if a COTS operating system or other major third-party component reaches “end of support” from the manufacturer, is the vendor obligated to do anything to update the system with a newer version? If so, how quickly must the vendor respond? For example:
      • “Not later than 3 months after a commercial operating system manufacturer announces end of support for their product, voting system Vendor shall initiate a project planning process to collaborate with the county on a future anticipated update plan, subject to mutual agreement.

It’s Time to Fix the Voting System Update Process

Given the fact that voting systems are part of our nation’s critical democracy infrastructure, the outdated nature of much voting system software should concern all Americans.

As this series illustrates, election technology updates are a complex affair, and the limitations that exist today need to be improved.

Currently, vendor behavior, vague contract terms, and disincentives generated by a cumbersome regulatory process are preventing many of our nation’s election officials from having voting technology that keeps pace with more mainstream advancements in a timely fashion.

In the current threat environment, outdated voting technology is an unacceptable security risk.

This can and must change.

As policymakers consider testing and certification programs for the future, they should not simply assume that past practices provide guideposts to the road that lies ahead.

It will take careful thought and a concerted effort to create a more flexible path to regular, ongoing cybersecurity improvements in the future.

And in the meantime, we say to state and local election officials: now that you have more information, remember…knowledge is power.

To read more, here are all of the articles in this Voting Systems Update Series published to date.

Plain Talk Series on Understanding Voting System Updates Part 5: What’s Required to Update?

Voting Systems Plain Talk Series logo

A six-part series about Voting Systems Updates

This is the 5th of a 6-part series of slightly longer vignettes on the challenge of updating voting systems. It’s a slice-and-dice of a recent briefing on the topic.

It’s intended to acquaint relatively newcomers to understanding how voting system are purchased and maintained, and that includes anyone and everyone from concerned citizens, to journalists, to policy makers.

The Contract is in Place. What’s Next?

Assuming that a vendor actually agreed to develop, test, and release updated software for a voting system, implementing the update is far more complicated than what mainstream technology users are accustomed to, due to the unique operating and regulatory requirements for election infrastructure.

Unlike an Internet-connected personal computer at one’s home, for example, voting equipment cannot simply be modified by an clicking a button, based on new software “pushed” by the manufacturer, over a network.

In other words, for voting systems, there is nothing equivalent to familiar messages like this, which might appear on your computer screen:

Updates are available. Would you like to install the new version 12.5 of your web browser? Select Yes or No.

Voting Systems Aren’t Easy To Update

The two main reasons that voting system update requirements are very different from mainstream technology are:

  1. All updated voting system software must go through federal and/or state approval processes before being released and installed; and
  2. Because voting components are typically (but not always) “air-gapped” (meaning they are not connected to the Internet or other networks), changing their software usually requires physical labor in a warehouse, such as inserting a USB device, or replacing individual memory cards in each voting device. That takes time and money, and is subject to human error.

Let’s look at each of these challenges more closely.

Voting System Approval and Certification: Time-Consuming and Costly

Before voting system releases can be implemented and used, approximately 40 states in the U.S. require that the voting system configuration first be federally certified by the U.S. Election Assistance Commission (EAC).

This federal institution works with accredited third-party test labs, known as Voting System Test Laboratories (VSTLs), to ensure that each voting system release complies with the federal Voluntary Voting System Guidelines (VVSG).

The federal certification process poses significant challenges for rapid updates, however, because the EAC certifies only complete voting systems, irrespective of how incremental software changes might be.

Furthermore, although back-office EMS computers and individual voting devices include a combination of operating system software and proprietary voting system software, they cannot be changed independently of each other, without resulting in a new voting system configuration or “version,” which must be re-tested and re-certified.

Certification Process Limitations

These limitations (above) mean that none of the following update procedures are possible under current federal certification, without undergoing a comprehensive re-certification process:

  • An operating system on a back-office EMS computer or on a voting device cannot be changed or updated separately from the proprietary voting software; the OS and the voting system software are bundled together and are considered an integrated “package.”
  • Security “patches” or other minor updates cannot be applied to either operating systems or proprietary voting system software.
  • Neither operating systems nor individual voting software applications can be changed without changing the “version number” of the overall voting system (e.g., if there is a small change in even one component of a voting system with many other parts, the entire combination of components is considered a different “system version”).

Given the need for manufacturers to achieve certification of the “total voting system,” even a change in the operating system alone (e.g., moving from Windows 7 to Windows 10) requires significant development and integration testing, followed by a long certification cycle.

Limits on Certification Delay Updates — and Increase Costs

Those factors also help to explain why vendors attempt to “hedge” their costs, with contract language about updates that reserves the vendors’ right to impose additional charges for updates (i.e., charges above and beyond annual license and support fees).

Neither development nor certification is free, and in the end, those costs flow down to election officials (and ultimately we, the taxpayers), as either hidden costs or explicit fees.

Because all of these restrictions make it impossible to develop and deploy software changes in a “modular” fashion, the net effect is that any updated voting system will almost certainly be “behind the times” – or even worse, out-of-date — by the moment it reaches an election jurisdiction’s warehouse.

How Long Will These Updates Actually Take to Complete?

Even at a relatively fast pace, a federal certification for an updated system might require 3 to 6 months (and it could be much longer), and state certifications typically require at least 1 to 3 months.

So, best case scenario, that’s at least half a year (and perhaps close to a year) before an update could be ready for implementation, not including the time it would take the manufacturer to develop and test the updated software – and that’s if the manufacturer chooses to do so, in the first place.

Bottom line, the dynamic between voting system manufacturers and the federal EAC is broken: on the one hand, the EAC does not compel vendors to make timely technology updates (e.g., by prohibiting the use of outdated operating systems), nor does the federal certification program facilitate such updates. Given those two choices, and until something in the federal certification program changes, vendors are likely to continue taking the easy way out, by selling older certified technology, even if it has not caught up with the latest advancements.

Software Installation Process: Labor-Intensive, with Potentially Marginal Gains

Assuming a software update were to be developed, certified, and made available to local election officials, there’s still the question of actually getting it installed on all of the jurisdiction’s PCs and voting devices.

This requires physical activities such as:

  • replacing hard drives on EMS computers;
  • labor-intensive staging of dozens, hundreds, or potentially even thousands of voting devices, so that USB sticks or other technology tools can be used to update firmware; and/or
  • an intensive post-installation process of testing and formally “accepting” the updated devices (usually accomplished by running comprehensive diagnostics, or a mock election).

An Uncertain and Inflexible Voting System Update Process

Furthermore, as noted in Part 4 (“When Might Voting System Updates Happen? {insert link}”), due to the vague nature of contractual language around updates, which reserves wide discretion for vendors to do only what they want (including the possibility of charging for updates), local elections officials are left with much uncertainty:

  • They may not be able to plan far in advance for when updates might be coming;
  • Their flexibility is tightly constrained by immovable election cycles (which last several months at a time), during which changes to equipment cannot be made;
  • They may not know how much the update process is going to cost;
  • They may not have the budget to pay vendor fees associated with installation; and
  • They may not have adequate personnel resources (in terms of either numbers or technical expertise) to install updates themselves.

Finally, depending on the particular state in which the jurisdiction is located, there may be additional limitations on the nature of the work that can be done by the vendor, or by local jurisdictions.

Some states (such as Colorado, for example) have an intensive “trusted build” process that is intended to protect the chain of custody of all voting system components:

  1. The state receives the updated software directly from the appropriate testing lab;
  2. the vendor must directly train authorized state technical staff to perform the software installation process; and
  3. all installations must be performed (in each and every local jurisdiction) only by authorized state personnel – not by the vendor, and not by local officials.

The Current Voting System Update Process Means Voting Systems Are Vulnerable

As one can imagine, all of these uncertainties and restrictions have a direct impact on how local election officials might perceive the value or utility of installing any particular voting system software update.

Indeed, in some cases, they might not bother. And even for those officials that do regularly update, because of the complexities of certification and installation, they will still be “last in line,” with update software that is prematurely dated.

The net result of these challenges is that much of the nation’s voting infrastructure is likely to contain security vulnerabilities that were stamped out months or years ago by IT security teams in more mainstream organizations.

So what, if anything, might improve things in the future? We’ll provide some recommendations in our final post in this series. To read more, here are all of the articles in this Voting Systems Update Series published to date.