According to Tech Crunch, Oregon Senator Ron Wyden, a member of the Senate Intelligence Committee, sent a letter to the six main voting machine manufacturers in the U.S. to update lawmakers about the efforts they are taking to protect voting machines and election cybersecurity.
The U.S. Department of Homeland Security determined that voting machines in 21 states were hacked during the 2016 U.S. presidential election, and recently contacted state elections officials to discuss the details, according to National Public Radio.
Election commissions and local governments use a variety of machines and methods to secure voter rolls, so Wyden went straight to the manufacturers requesting responses about the security of the voting machines they make by the end of the month.
As our election systems have come under unprecedented scrutiny, public faith in the security of our electoral process at every level is more important than ever before,” Wyden said.
Wyden sent the following election cybersecurity questions to Dominion Voting, Election Systems & Software, Five Cedars Group, Hart InterCivic, MicroVote and Unisyn Voting Solutions, as well as voting system test labs V&V and SLI Compliance.
- Does your company employ a Chief Information Security Officer? If yes, to whom do they directly report? If not, why not?
- How many employees work solely on corporate or product information security?
- In the last five years, how many times has your company utilized an outside cybersecurity firm to audit the security of your products and conduct penetration tests of your corporate information technology infrastructure?
- Has your company addressed all of the issues discovered by these cybersecurity experts and implemented all of their recommendations? If not, why not?
- Do you have a process in place to receive and respond to unsolicited vulnerability reports from cybersecurity researchers and other third parties? How many times in the past five years has your company received such reports?
- Are you aware of any data breaches or other cybersecurity incidents in which an attacker gained unauthorized access to your internal systems, corporate data or customer data? If your company has suffered one or more data breaches or other cybersecurity incidents, have you reported these incidents to federal, state and local authorities? If not, why not?
- Has your company implemented the best practices described in the National Institute of Standards and Technology (NIST) 2015 Voluntary Voting Systems Guidelines 1.1? If not, why not?
- Has your firm implemented the best practices described in the NIST Cybersecurity Framework 1.0? If not, why not?