The wireless and internet bans are included in the latest draft of the “system integrity” section of the VVSG update. A working group focused on the VVSG’s cybersecurity elements reviewed the document during an Oct. 29 teleconference.
As its name suggests, the VVSG — produced by the Election Assistance Commission and the technical standards agency NIST — is not a set of mandatory federal rules. However, most states require voting equipment to pass VVSG-based testing before they buy it.
Security experts have frequently criticized the VVSG for lacking robust protections against hacking. It has not been significantly updated since the EAC adopted the first version in 2005.
Wireless connectivity has been a particular concern. Some vendors offer machines with cellular modems that allow poll workers to rapidly transmit unofficial results to central offices on election night. Some election officials appreciate the modems’ convenience, but experts say they create serious vulnerabilities by connecting machines to the internet.
In May, advocacy groups said that they had driven more than 50,000 public comments to the EAC urging the commission to ban wireless and internet connectivity. Dan Savickas, federal affairs manager at the conservative organization FreedomWorks, called it “a commonsense measure to ensure the integrity of our voting machines.”
The NIST employees drafting VVSG 2.0 ultimately agreed. “Exposure to the internet could allow nation-state attackers to gain remote access to the voting system,” they wrote in the discussion section of the new wireless ban.
Even local wireless connections such as Bluetooth “can expand the attack surface of the voting system,” they wrote in explaining the separate wireless ban.
Bluetooth is one way for hearing-impaired voters to connect accessories they need to use in polling places. Under the new rules, which were developed in collaboration with the VVSG accessibility working group, those voters will still be able to use assistive devices by plugging in adapters.
During the Oct. 29 cyber working group meeting, NIST staffer Gema Howell confirmed that, if this rule were approved, election officials would have to transmit results using non-voting technology, such as by taking cellphone pictures of results and emailing them to central offices.
“The process for transmitting the results would be handled completely separate[ly],” Howell told the working group, which includes government employees, security experts, vendor representatives and activists.
The proposed bans “should be an absolute no-brainer,” said Susan Greenhalgh, the vice president of policy and programs at the National Election Defense Coalition, which helped drive the public comment campaign. “It’s troubling that it took so long to get here.”
Internet connections in voting systems have been the source of recent controversy at the EAC. In May, the agency’s Republican chairwoman, Christy McCormick, falsely told the Senate Rules Committee that the current VVSG bans internet connectivity. Following a POLITICO inquiry, Sen. Amy Klobuchar (D-Minn.,) the committee’s top Democrat, asked McCormick to correct the record, which she did in June.
The new rules, along with the rest of VVSG 2.0, must survive approval by three EAC advisory groups. The 15-member Technical Guidelines Development Committee will meet on Friday to review the draft. If they approve it, the EAC will then submit it to the agency’s Board of Advisors, as well as its Standards Board. It remains unclear, however, whether the EAC’s four politically appointed commissioners will have to vote to approve the rules after that.
The EAC also has not yet developed a plan for phasing out the old VVSG. There will likely be a transition period during which states can ask vendors to meet either the old or the new standards.