What just happened? The US voting system has been a target of foreign state-sponsored hackers for years. Now, a bipartisan proposal is trying to introduce more stringent security requirements through certified penetration testing procedures.
A bill introduced by senators Mark R. Warner (D-VA) and Susan Collins (R-ME) wants to strengthen the cyber-security of US election digital infrastructure, providing new testing requirements for voting machines going through the certification process by the Election Assistance Commission (EAC).
The bill, which goes by the SECURE IT moniker or Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing, wants the voting machines to go through a proper, certified penetration testing procedure.
Current regulations under the Help America Vote Act (HAVA) require that EAC provides testing and certification, decertification, and recertification of voting system hardware and software through accredited laboratories, the two senators say. Yet HAVA still doesn't explicitly require pentest procedures for digital voting systems.
A thorough security check-up of hardware and software configurations used in voting procedures is essential for reassuring American citizens and elected officials about the integrity of the election process, Senator Collins said. After all, security experts and "white hat" hackers have been testing voting machines by themselves for years, discovering dangerous vulnerabilities and identifying state-sponsored actors (from Russia, Iran or elsewhere) actively working to undermine US elections.
The proposed bill would amend current HAVA regulations, setting up a voluntary vulnerability disclosure program (Coordinated Vulnerability Disclosure Program) where ethical, "vetted" hackers and researchers would be given access to commercial voting systems provided by manufacturers. Vulnerabilities found in the systems would be disclosed to said manufacturers and EAC, keeping the flaws secret for 180 days to provide developers enough time to fix the issues.
According to Senator Warner, if the US is going to defeat its adversaries, "we have to be able to think like they do." The SECURE IT Act would allow researchers to step into the shoes of cybercriminals by discovering vulnerabilities and flaws that might not be found otherwise. Foreign and domestic threats are continuing to target US democracy, Warner said, and a new, up-to-date legislation designed to harness the "critical cybersecurity practice" of white hat pentesting will help the federal government safeguard the US elections infrastructure.