Report: Supply chain risk management key to election security

Election cybersecurity could be compromised in the supply chain for voting systems, warns a report published this week by a nonprofit global policy think tank.

The report, published Tuesday by RAND Corporation, advises the use of supply chain risk management that examines players in every step from the design of voting machines to their return after voting in order to secure elections.

In order to protect election confidentiality, integrity and availability, the report authors recommend that election agencies institute a trusted supplier program with a system of certification similar to the Department of Defense’s current contractor compliance requirements. They also suggest election officials analyze the impact of supply chain actors with risk assessment tools, citing one currently in development at the National Institute of Standards and Technology.

In 2017, following Russian interference in the 2016 election, election infrastructure – the physical locations related to voting and tabulation and the information and communication technology utilized in elections – was declared critical national infrastructure, making its protection a government priority. Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has been reaching out to state and local governments to offer security services and advice. In partnership with the EAC, the agency released its own risk assessment tool at the beginning of September to help election officials and federal agencies manage cybersecurity risks to the Election Infrastructure Subsector.

Because each state sets its own election processes and structures, there is variation in methods and machines used for elections, even between jurisdictions within the same state. Currently, most concern about election security is focused at the jurisdictional level. However, according to the RAND report, there is a possibility that machines or systems could be compromised in the supply chain prior to elections, giving an attack a broader scale of impact.

Despite variations in model, the report warns most machines are similar enough in build that they may share basic parts, such as central processing units from the same provider. This offers an opportunity for attackers to affect a significant portion of systems by compromising components early in the supply chain, before machines are assembled.

The potential for foreign interference during manufacturing and assembly of voting machines is especially notable, the report says, because over half of the election systems vendors involved in the design, manufacturing and assembly of voting systems have locations in China, Russia or both.

Currently, election systems vendors can undergo testing and certification from the independent bipartisan Elections Assistance Commission (EAC), but the testing is not required. The report also raises concerns about the stringency of this test and its place late in the supply chain, which means it does not examine parts and software suppliers. In a 2019 report, the Brennan Center for Justice calls the agency’s history since its 2002 creation by the Helping Americans Vote Act one of “controversy and inaction in carrying out its core mission.” The same report advocates for the strengthening of the EAC so it can carry out oversight effectively.

The FBI and CISA released a PSA Wednesday stating that cyber threats could potentially slow the voting process but that there was no evidence that citizens would be prevented from voting. It also states that any attempts to compromise election infrastructure tracked by the two agencies were localized and “blocked, minimal, or easily mitigated.” Additionally, the announcement sought to assure voters that election officials have multiple safeguards in place to limit negative impact should a cyber incident occur.