The Cybersecurity 202: New voting machine security standards are already drawing controversy

“Adopting VVSG 2.0 is the most important action the EAC has taken in 15 years,” EAC Commissioner Ben Hovland said at the vote yesterday.

But the new standards are already drawing scrutiny from lawmakers and voting security advocates.

They worry the standards leave loopholes that allow voting machine companies to skirt best practices and leave machines vulnerable to interference. The standards were approved as some of the nation’s most prominent voting machine companies are suing Fox News and top lawyers for Trump over unfounded fraud claims related to the companies’ machines.

In a letter led by Rep. Bill Foster (D-Ill.), more than 20 members of Congress are asking the EAC to reconsider its recommendations. The letter expresses concerns about how the guidelines frame the use of machines with parts that can connect to the Internet.

“This is extremely troubling, as computer security and networking experts have warned that merely disabling networking capability is not enough,” they wrote. “Benign misconfigurations that could enable connectivity are commonplace and malicious software can be directed to enable connectivity silently and undetectably, allowing hackers access to the voting system software.”

House Homeland Security Committee Democrats also expressed disappointment on Twitter.

More than two dozen election security experts and voter advocacy groups also have criticized the language, accusing the agency of pulling a last-minute switch from draft guidelines that went through a public comment process before approval. (The new language did not go through the comment process.)

“The EAC’s decision to make substantive security changes to the VVSG 2.0 draft, outside of the legally mandated process, is not just legally troubling, it is particularly tone-deaf. Transparency, accountability and trust in our election processes and systems are principles the EAC should be advancing, not degrading,” Susan Greenhalgh, senior adviser on election security at Free Speech For People, wrote in a statement.

The group believes there are valid concerns that the EAC amended requirements as a result of nonpublic meetings with voting system vendors.