Skip to content

Shaheen, Klobuchar Seek Answers from Election Equipment Vendors to Ensure Security of Voting Machines

**U.S. intelligence community has confirmed that Russia interfered with the 2016 elections; Russian actors attempted to hack a U.S. voting software company and at least 21 states’ election systems**

**Recent reports indicate that U.S. based firms operating on U.S. government platforms gave Russian authorities access to their source code** 

WASHINGTON- U.S. Senators Jeanne Shaheen (D-NH) and Amy Klobuchar (D-MN) sent a letter to the three largest election equipment vendors- Election Systems & Software, LLC; Dominion Voting Systems, Inc.; and Hart InterCivic, Inc. - inquiring about the security of their voting machines and whether their companies have been asked to share the source code or other sensitive or proprietary details associated with their voting machines with Russian entities. Recent reports indicate that U.S. based firms operating on U.S. government platforms gave Russian authorities access to their software. In order to sell their software within Russia, these companies allowed Russian authorities to review their source code for flaws that could be exploited. While some companies maintain this practice is necessary to find defects in software code, experts have warned that it could jeopardize the security of U.S. government computers if these reviews are conducted by hostile actors or nations. U.S. tech companies, the Pentagon, former U.S. security officials, and a former U.S. Department of Commerce official with knowledge of the source code review process have expressed concerns with this practice.

“Foreign access to critical source code information and sensitive data continues to be an often overlooked vulnerability. Further, if such vulnerabilities are not quickly examined and mitigated, future elections will also remain vulnerable to attack,” the senators wrote. “The 2018 election season is upon us. Primaries have already begun, and time is of the essence to ensure any security vulnerabilities are addressed before the 2018 and 2020 elections.”

The full text of the senators’ letter is below:

Dear Mr. Braithwaite, Mr. Burt, and Mr. Poulos:

Recent reports of U.S. IT and software companies submitting to source code reviews in order to access foreign markets have raised concern in Congress given the sensitivity of the information requested by countries like China and the Russian Federation. As such, we write to inquire about the security of the voting machines you manufacture and whether your company has been asked to share the source code or other sensitive or proprietary details associated with your voting machines with the Russian Federation. 

The U.S. intelligence community has confirmed that Russia interfered with the 2016 presidential elections. As a part of a multi-pronged effort, Russian actors attempted to hack a U.S. voting software company and at least 21 states’ election systems. According to the Chicago Board of Elections, information on thousands of American voters was exposed after an attack on their voter registration system.

Foreign access to critical source code information and sensitive data continues to be an often overlooked vulnerability. The U.S. government and Congress have recently taken steps to address some cyber vulnerabilities, including by banning the use Kaspersky Lab, a Moscow-based cybersecurity firm that has maintained a relationship with Russia’s military and intelligence sectors, from all U.S. government computers. Now, we must also ensure the security of our voting machines and associated software.

Recent reports indicate that U.S. based firms operating on U.S. government platforms gave Russian authorities access to their software. [1] In order to sell their software within Russia, these companies allowed Russian authorities to review their source code for flaws that could be exploited. While some companies maintain this practice is necessary to find defects in software code, experts have warned that it could jeopardize the security of U.S. government computers if these reviews are conducted by hostile actors or nations. U.S. tech companies, the Pentagon, former U.S. security officials, and a former U.S. Department of Commerce official with knowledge of the source code review process have expressed concerns with this practice.[2] [3]

In addition, Russia’s requests for source code reviews have increased. According to eight current and former U.S. officials, four company executives, three U.S. trade attorneys, and Russian regulatory documents, between 1996 and 2013 Russia conducted reviews for 13 technology products from Western companies, but has conducted 28 such reviews in the past three years alone.[4]

As the three largest election equipment vendors, your companies provide voting machines and software used by ninety-two percent of the eligible voting population in the U.S.[6] According to voting machine testing and certification from the Election Assistance Commission, most voting machines contain software from firms which were alleged to have shared their source code with Russian entities. We are deeply concerned that such reviews may have presented an opportunity for Russian intelligence agents looking to attack or hack the United States’ elections infrastructure.  Further, if such vulnerabilities are not quickly examined and mitigated, future elections will also remain vulnerable to attack.

In order to help the security and integrity of our systems and to understand the scope of any potential access points into our elections infrastructure, we respectfully request answers to the following questions:

  1. Have you shared your source code or any other sensitive data related to your voting machines or other products with any Russian entity?
  2. To your knowledge, has any of the software that runs on your products been shared with any Russian entity?
  3. What steps have you taken or will you take in order to upgrade existing technologies in light of the increased threat against our elections?

The 2018 election season is upon us. Primaries have already begun and time is of the essence to ensure any security vulnerabilities are addressed before 2018 and 2020.

Thank you for your attention to this matter, and we look forward to working with you to secure our elections. 

Sincerely,

 

___________________________

Jeanne Shaheen

United States Senator

 

___________________________

Amy Klobuchar

United States Senator

 

[1] Volz, Dustin, et al. “Tech firms let Russia probe software widely used by U.S. government.” Reuters, Reuters. 25 Jan. 2018, www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT.

[2] Ibid.

[3] Schectman, Joel, et al. “Under pressure, Western tech firms bow to Russian demands to share cyber secrets.” Reuters, Reuters. 23 June 2017, www.reuters.com/article/usa-russia-tech/insight-under-pressure-western-tech-firms-bow-to-russian-demands-to-share-cyber-secrets-idUSL1N1JK0II.

[4] Ibid.

[6] “The Business of Voting.” University of Pennsylvania Public Policy Initiative. https://trustthevote.org/wp-content/uploads/2017/03/2017-whartonoset_industryreport.pdf