New U.S. guidelines ban network-connected voting systems, acknowledging vulnerability to attack

Some want wireless ports banned as fears grow about state-sponsored meddling in elections.
Voting machine, Lauderhill, Florida, November 11, 2018.

After years of warnings about state-sponsored hackers and the contentious end of the 2020 election, the federal commission that sets the standards for American voting machines has made a major change rather quietly: Going forward, voting systems cannot be connected to any digital networks, and wireless technology must be disabled too.

The Election Assistance Commission's Voluntary Voter System Guidelines 2.0 were released earlier this year without much fanfare and with only nominal media coverage, even though they were the first major revisions since 2015 and the first complete overhaul since VVSG 1.0 was issued 16 years ago.

The last guidelines from 2015 permitted connectivity to what were called "public telecommunications networks," provided that any data transmitted was encrypted and network-connected machines were able to "preserve the secrecy of voter ballot selections and prevent anyone from violating ballot privacy." Outside the guidelines, however, the EAC used certification reviews to urge election administrators and voting machine makers to avoid direct connections to the internet as a best practice.

The new requirements impose a much more draconian ban on external access to the Internet or other computer networks, a security provision otherwise known as an "air gap." The commission specifically cited the potential for foreign adversaries to meddle in elections.

"VVSG 2.0 does not permit devices or components using external network connections to be part of the voting system," the commission wrote in its new guidelines. "There are significant security concerns introduced when networked devices are then connected to the voting system. This connectivity provides an access path to the voting system through the Internet and thus an attack can be orchestrated from anywhere in the world (e.g., nation state attacks). The external network connection leaves the voting system vulnerable to attacks, regardless of whether the connection is only for a limited period or if it is continuously connected."

The commission cited a variety of potential hacking threats it was trying to thwart, including malware, eavesdropping and ransomware attacks, in which hackers hold data hostage until a ransom is paid. Its press release identified the air gap requirement as one of the "major updates" in its guidelines.

The commission also addressed wireless connectivity ports, which allow devices like Bluetooth mice, optical pens or WiFi printers to connect remotely to a voting machine. It ruled that voting machines can have such ports, but they must always be disabled.

"The VVSG 2.0 requires that a voting system be incapable of broadcasting a wireless network ... Instead, a voting system could use wired technology, e.g., Ethernet cables, to connect devices such as printers," the guidelines stated.

Some policymakers don't believe that prohibition goes far enough, citing cybersecurity experts who say even a disabled wireless port can be maliciously attacked.

Nearly two dozen prestigious cybersecurity experts decried the EAC's decision to allow disabled wireless ports, saying it "profoundly weakens voting system security and will introduce very real opportunities to remotely attack election systems."

Rep. Bob Gibbs (R-Ohio) wrote an op-ed this spring saying the EAC was leaving a major vulnerability in systems by allowing them to have even disabled wireless ports.

"Unfortunately, the EAC recently passed new provisions that allow election systems to have wireless connection components so long as they are 'disabled,'" he wrote in the Canton Repository. "The inclusion of this provision was added to the proposal at the last minute.

"This is a serious mistake, as it needlessly adds an attack vector that could be utilized by foreign threats. A group of cybersecurity experts warned the EAC not to include this provision, saying it is 'recklessly naive to allow election systems with wireless capability.'"

Gibbs alleged the provision was included "at the request of companies that manufacture and sell voting machines who consider it a cost-saving measure."

After Gibbs' commentary, the state of Ohio this summer issued state guidelines that adopted much of the EAC's 2.0 guidelines but went further in banning any wireless ports on voting machines.

"A voting machine shall not be connected to the Internet. A voting system or voting machine is prohibited from containing any wireless communication hardware or software components," the bipartisan Ohio Board of Voting Machine Examiners wrote in the new state guidelines.

A spokesman for the EAC did not return a call seeking comment Tuesday.

Nicolee Ambrose, a Republican National Committeewoman from Maryland who led one of the GOP's key election integrity panels this year, strongly criticized the EAC for waiting to formally impose the new internet ban until after the 2020 election was over.

"Because the EAC allowed certified voting machines to be connected to the internet while Americans voted in 2020, our elections were at significant risk of cyber-attack," she said. "Where voting machines were online, these system vulnerabilities exposed the integrity of Americans' votes to all forms of cyber-attack, both foreign and domestic. With nearly 80% of Americans supporting ballot integrity, this vulnerability in our systems was inexcusable."

U.S. intelligence officials said there is no evidence that foreign or other hackers compromised election vote counting systems or changed vote tallies in either 2016 or 2020, but they did acknowledge both Russia and Iran were able to obtain voter registration data from election servers last year in an effort to try to influence American voters.