Cybersecurity

Senate Intelligence Committee members raise concerns about voting system vulnerabilities

A bipartisan group of lawmakers on the Senate Intelligence Committee raised concerns Wednesday about the election voting systems provided by one of the largest vendors in the United States, questioning whether the company is doing enough to safeguard itself from hackers. 

Four committee members wrote in a letter they were disappointed that Election Systems & Software (ES&S) has not agreed to undergo independent testing to determine the security level of its systems.

The letter comes after an annual hacking conference earlier this month appeared to reveal security vulnerabilities in ES&S voting systems.

{mosads}”We are concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections,” Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) and Sens. Susan Collins (R-Maine), James Lankford (R-Okla.), and Kamala Harris (D-Calif.) wrote in a letter to the company.

The senators criticized ES&S for its refusal to allow independent testing of its systems at the popular DEFCON convention, where hackers attempted to find ways to exploit voting technology.

“We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing,” the lawmakers wrote in their letter to CEO Tom Burt. “We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks.”

Sen. Ron Wyden (D-Ore.), a member of the Intelligence panel, separately slammed ES&S on Wednesday for failing to provide answers to basic questions about its cybersecurity practices.

“It is inexcusable that American democracy depends on hackable voting technology made by a handful of companies that have evaded oversight and stonewalled Congress. That must end,” Wyden said during a Senate Rules Committee hearing, according to a transcript of his remarks.

Wyden and other lawmakers became alarmed by some of the company’s practices after The New York Times reported in February that ES&S had installed remote access software onto the voting technology it sold. The company later admitted to installing such software on a “small number” of election management systems between 2000 and 2006.

ES&S quickly pushed back on the lawmakers’ claims that they do not independently test their products. 

“Any assertion that our products are not thoroughly and independently tested is erroneous,” the company said in a statement. “In fact, ES&S products are certified by the U.S. government, which conducts testing independent of our own testing. In addition, our products are tested by a number of third-party experts.”

The election systems company offered to meet with each senator to discuss how they could take further measures to ensure U.S. elections are secure.

“We look forward to fully addressing each question expressed in their letter, and extend an invitation to each Senator to meet with us to discuss all of the protective steps we have taken and continue to take to ensure the integrity of America’s democracy,” the statement continues.

The criticism from the senators comes amid heightened fear that foreign adversaries may seek to interfere in the 2018 midterm elections and other subsequent U.S. elections.

“As members of the United States Senate Select Committee on Intelligence, we agree with the conclusion of the Intelligence Community: America’s elections are the target of unprecedented attacks by foreign adversaries,” the four senators wrote in their letter to Burt. “Free, fair, and trusted elections are the bedrock of our democracy, and safeguarding our elections is an urgent national security priority.”

Microsoft announced earlier this week that it had shut down six websites created by a hacking group known as “Fancy Bear,” which has been linked to Russia’s intelligence agency. The hackers targeted two conservative think tanks that have been critical of the Kremlin, in addition to targeting the U.S. Senate, though Microsoft said the attacks were not specific to a “particular” office or senator.

Fancy Bear is an active, powerful hacking group whose attacks have included the successful hack of the Democratic National Committee (DNC) in 2016.

Special counsel Robert Mueller, who is investigating Russian interference in the 2016 election, indicted a dozen Russian intelligence officials for their involvement in the DNC hack.

— Updated 5:35 p.m.