BOSTON – Leaders of the federal agency overseeing election administration have quietly weakened a key element of proposed security standards for voting systems, raising concern among voting-integrity experts that many such systems will remain vulnerable to hacking.
The Election Assistance Commission is poised to approve its first new security standards in 15 years after an arduous process involving multiple technical and elections community bodies and open hearings. But ahead of a scheduled Feb. 10 ratification vote by commissioners, the EAC leadership tweaked the draft standards to remove language that stakeholders interpreted as banning wireless modems and chips from voting machines as a condition for federal certification.
The mere presence of such wireless hardware poses unnecessary risks for tampering that could alter data or programs on election systems, say computer security specialists and activists, some of whom have long complained that the EAC bends too easily to industry pressure.
Agency leaders argue that overall, the revised guidelines represent a major security improvement. They stress that the rules require manufacturers to disable wireless functions present in any machines, although the wireless hardware can remain.
In a Feb. 3 letter to the agency, computer scientists and voting integrity activists say the change “profoundly weakens voting system security and will introduce very real opportunities to remotely attack election systems.” They demand the wireless hardware ban be restored.
“They’re trying to do an end run to avoid scrutiny by the public and Congress,” said Susan Greenhalgh, senior advisor on election security for Free Speech for People, a nonpartisan nonprofit, accusing agency leaders of bowing to industry pressure.
Seven members of the commission’s 35-member advisory board, including its chair, Michael Yaki, wrote EAC leadership on Thursday to express dismay that the standards were “substantially altered” from what they approved in June. At the very least, they wrote, they deserve an explanation why the draft standards “backtracked so drastically on a critical security issue.”
Yaki said he was puzzled by the commission’s move because “the mantra adopted by pretty much the entire cyber community has been to take radios or things that can be communicated via wireless out of the equation.”