Voting Systems Plain Talk Series logo

A six-part series about Voting Systems Updates

This is the 6th and final part of a 6-part series of slightly longer vignettes on the challenge of updating voting systems. It’s a slice-and-dice of a recent briefing on the topic.

It’s intended to acquaint relatively newcomers to understanding how voting system are purchased and maintained, and that includes anyone and everyone from concerned citizens, to journalists, to policy makers.

What’s the Way Forward?

Given the current limitations of vendor contracts, complex certification, and a unique operating environment, changes are necessary in order to provide voting system manufacturers with stronger incentives to upgrade their products and go through re-certification, and to provide local election officials with greater value in voting system updates (i.e. to make them less prematurely out-of-date).

Below are our recommendations for how federal certification could be improved, and how local election officials can better arm themselves with critical information needed to enhance vendor accountability.

For Policy Makers: Re-Thinking Federal Certification

Coming up with new ways to support more flexible voting system updates requires policy makers and the EAC to re-visit some fundamental concepts and practices that make it almost impossible to rapidly update one or more components of a voting system.

One of these has already been mentioned: namely, re-thinking the definition of “voting system.” Past federal certification campaigns have allowed only “total” system configurations, with essentially say that the EAC will only certify complete voting systems that include a comprehensive minimum set of end-to-end functions; vendors cannot simply make incremental changes in selected components and quickly deploy those updates.

Current Practices Are Unwieldy, But There Are Alternatives

Recall, for example, that under current practices, if a voting system manufacturer wanted to update only the operating system for only the back-office tabulation computers (which are especially important, since they count and report results), and nothing else, that change in OS for that one component would still result in an new “version number” for the overall voting system, and the modified voting system as a whole would still need to go through the long and costly federal certification process.

In contrast, there are alternative ways of thinking of a “voting system” that could drive more flexibility in the federal certification program.

For example, the ability for manufacturers to develop, test and seek certification for individual portions of a voting system (also known as component-level certification), rather than being required to submit only entire systems for certification, could introduce greater agility for vendors and local election officials alike.

Not Just Carrots — Add Sticks

In addition to those “carrots,” the EAC could also consider additional “sticks,” for example, in the form of new prohibitions on continued certification of voting systems whose operating systems are no longer supported by their manufacturer.

In those instances, the vendors might be required to use updated/currently-supported operating systems as a prerequisite to (re)entering the certification process.

A New Role for Federal Agencies

Finally, a heightened security environment might necessitate a new and larger role for institutions other than the federal Election Assistance Commission, with procedures that have been consciously crafted to be more flexible.

For example, allowing the Department of Homeland Security (DHS) to oversee cybersecurity testing for voting systems, with a particular eye toward increased agility, could be a good first step in the right direction.

A Combined Approach

In sum, an evolving understanding of “voting systems,” component-level certification, and re-thinking cybersecurity testing are essential because our national security depends on the agility that these programmatic changes can help to deliver.

We hope that federal and state legislators and policy makers will pay close attention to these evolutionary changes, because the cyber-threat landscape is rapidly changing, and in the future, the federal certification program must support rapid changes to voting technology.

In addition to those changes in the regulatory environment, other changes could provide states, counties, and local election officials with other tools to hold vendors more accountable, so that the playing field is less unequal. As a final consideration, let’s take a look at those.

For Election Officials: Education and Empowerment

Returning full-circle to the challenges that inspired this blog series in the first place, it should now be clear just how complex the many factors are that impose limitations on how quickly voting system updates can be implemented.

In order for the overall security profile of our nation’s voting infrastructure to be substantially improved, new incentives and sanctions will need to emerge in order to fill gaps in outdated software.

As we have seen, however, common vendor practices and certification requirements play an outsized role in disrupting both the clarity and the pace with which potential software updates might be delivered.

Moving the Needle

Since certification practices are unlikely to change quickly, and because vendors are unlikely to willingly place additional obligations on themselves , the fact of the matter is that “moving the needle” to arrive at more predictable updates may rest in the hands of state and local election officials, who are uniquely positioned to increase vendor accountability during the contracting process.

Vendors want to sell voting systems; they expend significant dollars for development, certification, operations, and marketing, and by the time an election jurisdiction announces an intent to award a particular vendor with a new sale, vendors are motivated to close the transaction with a mutually binding contract.

The Initial Punch List

As this blog series illustrates, the complex network of variables that impact voting system updates can be boiled down to just four major elements that all procurement departments and election officials should become very familiar with; this is the initial “punch list” to guide their assessment of the playing field:

  1. Initial purchase. Review the purchase order, quote, or “bill of sale” closely. What hardware is included? What software is installed on the hardware? And what software licenses are already included for the first year?
  2. Baseline annual fees: Review the “license and support” fee schedule carefully, to understand the costs that the customer will incur to continue using the hardware and software, year after year, over the term of the contract. License and support fees are typically listed separately from the initial hardware and software schedule.
  3. Software update policies. In addition to reviewing the “license and support” fee schedule, carefully review any separate “License and Support Agreements,” which are typically distinct from “Master Agreements” or “General Terms.”
    1. Do a word search on “updates” in all of these documents, and review the vendor’s default boilerplate update policies. Accountability, transparency and predictability of potential software updates is likely to be enhanced by providing substitute language to replace the vendor’s default software update policy.
  4. Certification. State and local election officials should familiarize themselves with their state’s policies around certification of voting system updates. The Secretary of State’s office can provide information about timelines and policies for certification of voting systems.

Ask Questions Before You Sign

With all of the above information as an initial baseline for negotiation, state and local election officials are now in a position to collaboratively discuss more detailed questions with their preferred voting system vendor, before any contract is signed.

We recommend discussing the following questions, among others:

  • What types of updates are included through annual license and support payments, with no additional charges necessary?
    • Are security-only updates included as part of “software updates”? Who decides?
    • What types of updates might require additional, separate costs? Who bears those costs?
  • If annual license and support payments provide the customer with “updates,” does that include installation of updates, or is that a separate fee?
    • Are there any other additional fees associated with installation? Shipping? Consumables? Anything else?
  • If any new software licenses are associated with the update, who will pay for them?
  • Who is responsible for paying any third-party licenses that might be required to operate the updated system?
  • How are updates installed?
    • By the vendor? The state? Counties?
    • What’s included in “installation”? Does it include on-site service? Or is installation by the customer possible?
    • What is the customer “acceptance” process after the update is complete?
  • Is there any way to predict and/or limit what software and security upgrades might cost (especially to facilitate budgeting)?
  • Are there any circumstances in which the customer wishes the vendor to be obligated to provide an update?
    • For example, if a COTS operating system or other major third-party component reaches “end of support” from the manufacturer, is the vendor obligated to do anything to update the system with a newer version? If so, how quickly must the vendor respond? For example:
      • “Not later than 3 months after a commercial operating system manufacturer announces end of support for their product, voting system Vendor shall initiate a project planning process to collaborate with the county on a future anticipated update plan, subject to mutual agreement.

It’s Time to Fix the Voting System Update Process

Given the fact that voting systems are part of our nation’s critical democracy infrastructure, the outdated nature of much voting system software should concern all Americans.

As this series illustrates, election technology updates are a complex affair, and the limitations that exist today need to be improved.

Currently, vendor behavior, vague contract terms, and disincentives generated by a cumbersome regulatory process are preventing many of our nation’s election officials from having voting technology that keeps pace with more mainstream advancements in a timely fashion.

In the current threat environment, outdated voting technology is an unacceptable security risk.

This can and must change.

As policymakers consider testing and certification programs for the future, they should not simply assume that past practices provide guideposts to the road that lies ahead.

It will take careful thought and a concerted effort to create a more flexible path to regular, ongoing cybersecurity improvements in the future.

And in the meantime, we say to state and local election officials: now that you have more information, remember…knowledge is power.

To read more, here are all of the articles in this Voting Systems Update Series published to date.