House Hearing on Election Security Broaches Supply Chain Issues
The Committee on House Administration, the committee with oversight responsibility for matters relating to federal elections, held a hearing today entitled “2020 Election Security: Perspectives from Voting System Vendors and Experts.” The CEOs of the three voting machine makers (Election Systems & Software, Hart InterCivic, Dominion Voting Systems) provided written testimonies, two of which included statements about supply chain risk.
Supply chain risk management is a timely topic.
Last month, Interos, an Arlington, VA-based supply-chain monitoring company, published a study entitled Election Technology & Global Supply Chain. Examining an electronic touchscreen-based voting machine manufactured by one of the major US-based election vendors, the researchers found that some of its component parts were made by companies with ties to China and Russia. Interos broke the voting machine down into 140 digital and physical components. Of those, 38 were parts that the voting machine manufacturer buys directly from suppliers (its Tier 1 suppliers). The researchers then identified 50 known parts that make up those Tier 1 components, together with the suppliers behind them (Tier 2 suppliers), and finally 70 parts within those Tier 2 components (Tier 3 suppliers). The study reported the following findings:
Approximately 20% of the voting machine components came from China-based companies. The components include:
Control boards
AI processors
Infrastructure software
Touchscreens
Approximately 56% of suppliers within the first three tiers had at least one location in China.
Approximately 14% of suppliers within the first three tiers had at least one location in Russia.
Approximately 59% of companies within the first three tiers of the machine’s supply chain had locations in China, Russia, or both.
The researchers did not conclude that the machine studied had been compromised; their aim was to draw the public’s attention to potential risks that merit increased awareness and scrutiny.
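The tier breakdown above is, mechanically, a depth-limited walk over a bill of materials followed by two different aggregations: the share of components whose maker is headquartered in a country of concern (the 20% figure) and the share of distinct suppliers with at least one facility there (the 56%, 14% and 59% figures). The script below, added here as an illustration and not code from Interos or the OSET Institute, runs that analysis over a small constructed BOM. Every supplier, component and facility location in it is invented; country codes are ISO 3166-1 alpha-2.

```python
"""Tiered supply-chain exposure analysis over a bill of materials (BOM).

Added example; not code from the Interos study or the OSET Institute.
All supplier and component data below is constructed for illustration.
Country codes are ISO 3166-1 alpha-2 (US, CN, RU, ...).
"""
from collections import deque
from fractions import Fraction

# Supplier -> (headquarters country, countries where it has at least one facility).
# Constructed data; these are not real companies.
SUPPLIERS = {
    "AcmeBoards":   ("US", {"US", "CN"}),
    "NorthDisplay": ("TW", {"TW", "CN"}),
    "SiliconAI":    ("CN", {"CN"}),
    "BalticSoft":   ("EE", {"EE", "RU"}),
    "PrairieMetal": ("US", {"US"}),
    "GlassWorks":   ("JP", {"JP"}),
    "DeepFab":      ("CN", {"CN", "MY"}),
}

# Component -> (supplier that makes it, sub-components it is built from).
# The root is the finished product; its "supplier" is the machine vendor itself
# and is deliberately excluded from the tier counts.
BOM = {
    "voting_terminal":  ("MachineVendor", ["control_board", "touchscreen", "os_image", "chassis"]),
    "control_board":    ("AcmeBoards",   ["ai_processor", "pcb_substrate"]),
    "touchscreen":      ("NorthDisplay", ["cover_glass", "touch_controller"]),
    "os_image":         ("BalticSoft",   ["bootloader"]),
    "chassis":          ("PrairieMetal", []),
    "ai_processor":     ("SiliconAI",    ["npu_die"]),
    "pcb_substrate":    ("DeepFab",      []),
    "cover_glass":      ("GlassWorks",   []),
    "touch_controller": ("SiliconAI",    []),
    "bootloader":       ("BalticSoft",   []),
    "npu_die":          ("DeepFab",      []),
}


def components_by_tier(bom, root, max_depth=3):
    """Breadth-first walk down from the finished product.

    Tier 1 holds the parts the manufacturer buys directly, tier 2 the parts
    inside those, and so on, stopping at max_depth. Returns {tier: [component, ...]}.
    A part reachable through two parents is counted once, at its shallowest tier,
    because BFS dequeues nodes in non-decreasing depth order.
    """
    tiers = {}
    seen = {root}
    queue = deque((child, 1) for child in bom[root][1])
    while queue:
        name, depth = queue.popleft()
        if depth > max_depth or name in seen:
            continue
        seen.add(name)
        tiers.setdefault(depth, []).append(name)
        queue.extend((child, depth + 1) for child in bom[name][1])
    return tiers


def distinct_suppliers(bom, tiers):
    """The set of distinct suppliers behind every component in the given tiers."""
    return {bom[c][0] for parts in tiers.values() for c in parts}


def share_components_headquartered_in(bom, suppliers, tiers, country):
    """Fraction of components (all tiers) whose maker is headquartered in `country`."""
    parts = [c for ps in tiers.values() for c in ps]
    hits = [c for c in parts if suppliers[bom[c][0]][0] == country]
    return Fraction(len(hits), len(parts))


def share_suppliers_with_location_in(bom, suppliers, tiers, countries):
    """Fraction of distinct suppliers with at least one facility in any of `countries`."""
    names = distinct_suppliers(bom, tiers)
    hits = [s for s in names if suppliers[s][1] & set(countries)]
    return Fraction(len(hits), len(names))


def flagged_components(bom, suppliers, tiers, countries):
    """(tier, component, supplier) for every part whose supplier has a facility in a
    country of concern; this is the list a reviewer would actually work from."""
    flagged = []
    for tier, parts in sorted(tiers.items()):
        for c in parts:
            supplier = bom[c][0]
            if suppliers[supplier][1] & set(countries):
                flagged.append((tier, c, supplier))
    return flagged


if __name__ == "__main__":
    tiers = components_by_tier(BOM, "voting_terminal")
    for tier, parts in sorted(tiers.items()):
        print(f"tier {tier}: {parts}")
    print("components from CN-headquartered makers:",
          share_components_headquartered_in(BOM, SUPPLIERS, tiers, "CN"))
    for region in (["CN"], ["RU"], ["CN", "RU"]):
        print(f"suppliers with a facility in {region}:",
              share_suppliers_with_location_in(BOM, SUPPLIERS, tiers, region))
    for row in flagged_components(BOM, SUPPLIERS, tiers, ["CN", "RU"]):
        print("flag:", row)
```

Two design points matter when applying this to a real machine. First, headquarters country and facility location are kept as separate fields, because the 20% "China-based companies" figure and the 56% "at least one location in China" figure answer different questions and a supplier such as the constructed AcmeBoards (US-headquartered, with a Chinese plant) counts toward one but not the other. Second, the tier walk dedupes parts and suppliers, so a chip that appears under two boards is not counted twice; the percentages are therefore of distinct suppliers, which is the denominator the study's wording implies.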
In October 2019, Jeanette Manfra, then Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), addressed supply chain concerns about problematic companies, including Kaspersky Labs (Russian) and Huawei Technologies (Chinese).
The MITRE Corporation (a corporation the OSET Institute collaborates with on election technology research), which works with the Department of Homeland Security (DHS) on election security, highlighted supply chain risks at a 2018 MITRE software meeting. MITRE recommended that a supply chain risk assessment “be expanded to cover components used by third-party providers with which the voter registration system interacts.” (Note: the OSET Institute has been calling out the supply chain security risk issue since August 2017. See slide 3 of this Nov 2017 presentation to members of Congress, prepared following work with other elements of the national security apparatus.)
The Department of Homeland Security’s continued work on securing the nation’s election systems, and its convening of an industry-backed task force on mitigating supply-chain risks, were highlighted at a meeting hosted by MITRE as a way to explain the emerging role of the department’s new National Risk Management Center (NRMC). Robert Kolasky, Director of the NRMC, is advancing a public-private initiative, the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force.
Given how important election technology infrastructure is to our national security, some have questioned whether it is appropriate for critical election infrastructure assets to be developed and managed by private vendors whose corporate status and business procedures are not currently subject to federal oversight. In A Framework for Election Vendor Oversight, the Brennan Center for Justice proposes that in addition to the current standards that exist for voting system technology products, the federal government should take steps to increase oversight of election technology vendors on par with the oversight of vendors in the defense sector.
John Sebes, Co-Founder and Chief Technology Officer for the OSET Institute, asked what the future state of supply chain risk management (SCRM) might look like for election technology. One possible future state might include:
A government organization that operates a closed supply chain program, perhaps piggybacking on existing Department of Defense programs.
Voting technology manufacturers would source their hardware components from the hardware vendors in this program.
Voting technology manufacturers would operate an SCRM program of their own, with similar documentation and compliance requirements.
Voting technology operators (election officials) would cease their current practice of replacing failing components with parts sourced on the open market.
While this was only one of several important issues raised in today’s Hearing, clearly this discussion needs to continue and expand. Bring on your comments.
-JLo
Publisher’s Note: Joy “JLo” London doesn’t post here often, but when she does it’s worth a read. JLo is the Associate General Counsel and Director of International Development here at the OSET Institute, where her work focuses on critical democracy infrastructure, election law, public policy and international government relations. Joy earned her JD from Temple University School of Law and is licensed to practice law in the State of New York. Ms. London has held several positions at international law firms, and at one of the “Big-4” management consulting firms. She also earned her Master of Professional Studies in Cyber Policy & Risk Analysis from Utica College, and published a Capstone research paper: The Threat of Nation-State Hacking of State Voter Registration Databases in U.S. Presidential Elections. In her spare time this month she was accepted into and is attending an executive education program at the John F. Kennedy School of Government at Harvard University, “Cybersecurity: The Intersection of Policy and Technology.”