Election equipment vendors should face more security oversight, report argues

Efforts to fend off election hackers in 2020 and beyond have revolved around protecting ballot equipment and the databases of registered voters. Little attention has been focused on the vendors and their employees.

But the nonpartisan Brennan Center for Justice is proposing that the vendors who make election equipment and related systems be subjected to heightened oversight and vetting, much like defense contractors or others involved in national security.

"There is almost no federal regulation of the vendors that design and maintain the systems that allow us to determine who can vote, how they vote, or how their votes are counted and reported," according to a new report from the nonpartisan policy institute.

The "Framework for Election Vendor Oversight" released Tuesday calls for a new federal certification program that would be operated by a reconstituted and expanded Election Assistance Commission.

The commission would establish standards concerning cybersecurity, personnel, disclosure of ownership and foreign control that vendors would have to meet.

One option, the report proposes, would be for these standards to be voluntary.

"A voluntary approach — leaving it to the states and local jurisdictions to decide whether to contract with non-federally certified vendors — could draw states into the voting system certification process," the report states. "It may also be more politically feasible."

One key element of the framework would be background checks and other security measures — such as ongoing substance abuse screening — that vendors would use to screen prospective employees for security risks.

"Some of the most effective cyberattacks of recent years have involved insiders," the report states. "To mitigate these risks, vendors should demonstrate during certification that they have sound personnel policies and practices in place."

Much of what is being proposed would require congressional action, particularly when it comes to dealing with the Election Assistance Commission.

The report notes that the EAC has a checkered history of "controversy and inaction" and would need an expanded budget and increased expertise in cybersecurity in order to take on the role of monitoring election vendors.