Congress is moving closer to putting US election technology under a stricter cybersecurity microscope.
Embedded within this year’s Intelligence Authorization Act, which funds intelligence agencies like the CIA, is the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act, which would require penetration testing of federally certified voting machines and ballot scanners, and create a pilot program exploring the feasibility of letting independent researchers probe all manner of election systems for flaws.
The SECURE IT Act (originally introduced by US senators Mark Warner, a Virginia Democrat, and Susan Collins, a Maine Republican) could significantly improve the security of key election technology in an era when foreign adversaries remain intent on undermining US democracy.
“This legislation will empower our researchers to think the way our adversaries do, and expose hidden vulnerabilities by trying to penetrate our systems with the same tools and methods used by bad actors,” says Warner, who chairs the Senate Intelligence Committee.
The new push for these programs highlights the fact that even as election security concerns have shifted to more visceral dangers such as death threats against county clerks, polling-place violence, and AI-fueled disinformation, lawmakers remain worried about the possibility of hackers infiltrating voting systems, which are considered critical infrastructure but are lightly regulated compared to other vital industries.
Russia’s interference in the 2016 election shined a spotlight on threats to voting machines, and despite major improvements, even modern machines can be flawed. Experts have consistently pushed for tighter federal standards and more independent security audits. The new bill attempts to address these concerns in two ways.
The first provision would codify the US Election Assistance Commission’s recent addition of penetration testing to its certification process. (The EAC recently overhauled its certification standards, which cover voting machines and ballot scanners and which many states require their vendors to meet.)
While previous testing merely verified whether machines contained particular defensive measures, such as antivirus software and data encryption, penetration testing will simulate real-world attacks meant to find and exploit the machines’ weaknesses, potentially yielding new information about serious software flaws.
“Folks have been calling for mandatory [penetration] testing for years for election equipment,” says Edgardo Cortés, a former Virginia elections commissioner and an adviser to the election security team at New York University’s Brennan Center for Justice.
The bill’s second provision would require the EAC to experiment with a vulnerability disclosure program for election technology, including systems that aren’t subject to federal testing, such as voter registration databases and election results websites.
Vulnerability disclosure programs are essentially treasure hunts for civic-minded cyber experts. Vetted participants, working under clear rules about which of the organizer’s computer systems are fair game, attempt to hack those systems by finding flaws in how they’re designed or configured. They then report any flaws they discover to the organizer, often for a reward.
By allowing a diverse group of experts to hunt for bugs in a wide range of election systems, the Warner–Collins bill could dramatically expand scrutiny of the machinery of US democracy.