July 15, 2019

Wyden Questions EAC: How Will You Address Widespread Use of Insecure Election Systems?

Most New Election Systems Depend on Outdated, Insecure Software, Associated Press Reports

Washington, D.C. — Sen. Ron Wyden, D-Ore., asked the Election Assistance Commission how it plans to address a new looming election security crisis – the fact that most new election management systems depend on out-of-date software that will soon be highly vulnerable to hackers, in a letter sent Friday.

The Associated Press reported this weekend that most new election management systems – the machines that program voting machines and count votes – run on Windows 7, an old, outdated operating system that will no longer be regularly updated by Microsoft starting in January. The use of out-of-date software increases the risk that election equipment will be hacked by foreign governments and cybercriminals.

There are currently no binding federal security standards for election management systems. Voting machine vendors are free to sell insecure equipment and software to state and local governments.

“Intelligence officials have made it clear that Russian hackers targeted our elections in 2016, and that they expect similar threats in 2020,” Wyden wrote to EAC Chairwoman Christy McCormick. “The continued use of out-of-date software on voting machines and the computers used to administer elections lays out the red carpet for foreign hackers. This is unacceptable.”

Wyden’s election security bill, the Protecting American Votes and Elections Act, gives the Department of Homeland Security authority to set mandatory cybersecurity requirements for every aspect of the election system.

Wyden asked McCormick to answer the following questions by July 26:

  1. Do you expect that all of the voting machines and election management systems used by states and local governments in the November 2020 election will be running up-to-date, vendor-supported software? If not, which states do you expect to be using voting systems that run out-of-date software, and what is the EAC doing to address this serious cybersecurity problem?
  2. Has the EAC directed ES&S to submit for certification updated products that use operating system software that will be supported by the manufacturer beyond November, 2020? If not, why not?
  3. Does the EAC intend to decertify ES&S products that use Windows 7 before January 15, 2020? If not, why not?

Read Wyden’s full letter to the EAC here.