Biden AdministrationUkraine InvasionInflationEnergyCybersecurity

Just How Regulated Are Our Nation’s Elections?

December 4, 2019, 3:00 PM UTC

The U.S. federal government subjects nearly every industry to a slew of operational rules and regulations.

Defense contractors are prohibited from utilizing certain Chinese telecommunications companies like Huawei in order to prevent theft of the nation’s military technology. Power companies must abide by mandatory reliability standards and report any attempted or successful breaches of their systems to a federal commission. National banks implement federally required security procedures to prevent robberies. 

These sectors are meticulously managed with hundreds of requirements specifically because the Department of Homeland Security considers them so vital that their incapacitation would have a “debilitating effect” on the country as a whole. 

But when it comes to elections, a cornerstone of American democracy, the vendors whose voting equipment is used throughout the country largely lack the level of federal oversight and direction that protect other critical infrastructure industries from domestic and foreign interference. 

In early November, several federal agencies, including Homeland Security, the Justice Department, and the FBI, released a joint statement naming election security “a top priority for the United States government.” Yet there is not, nor has there ever been, any required federal oversight of election security. 

“Elections in the U.S. are a fairly laissez-faire affair,” says Joshua Franklin, president of digital infrastructure company OutStack. “In fact, the United States Constitution contains a section specifically about this, known as the Elections Clause. Succinctly said, unless otherwise noted by Congress, states get to choose all the election things.”

The framers of the Constitution feared concentrated political power, and for this reason, they gave the national government limited enumerated powers, which do not include running elections. Since the confirmation of Russian interference in the 2016 elections, though, many Americans have grown concerned about the absence of federal checks on U.S. election security. 

What’s required now

In 2002, Congress created the Election Assistance Commission (EAC), the first federal entity charged to help states administer safe and secure elections. The commission set forth the Voluntary Voting System Guidelines (VVSG), a group of standards used to certify systems and machines used in elections. Laboratories test the hardware and software functionality of voting machines in an environment simulating the intended storage, operation, and maintenance necessities of an actual election. 

The EAC test essentially searches for vulnerabilities in a machine, and if none can be found, certification is granted. However, as the name states, these guidelines are only voluntary. States and counties are not required to use systems and machines that are federally certified. 

“The problem is that the federal certification itself is weak from a security standpoint and that not all states require it,” says J. Alex Halderman, a professor of computer science and engineering at the University of Michigan. “There are more federal requirements that apply to plastic water bottles or whiskey than apply to electronic voting security, which is absolutely incredible to me.”

According to a 2018 analysis by the National Conference of State Legislatures, only 12 states currently require the use of machines and systems that are fully federally certified: Delaware, Georgia, Idaho, Louisiana, North Carolina, North Dakota, Ohio, South Carolina, South Dakota, Washington, West Virginia, and Wyoming. 

Many other states believe the federal certification tests are too broad, so they certify their systems by individualized state standards. Even within a state, though, there can be variations in equipment and security levels by county. 

A DIY approach

Los Angeles County, the largest and most complex election jurisdiction in the country, is one of many counties that does not plan to use a federally certified voting system in 2020. 

Nearly a decade ago, in 2009, the county’s election officials began a $300 million project to design its own voting system, Voting Solutions for All People (VSAP). Dean Logan, the L.A. County registrar-recorder and county clerk who launched VSAP, wanted to make voting in his county as easy and secure as possible, an ambition made challenging by the fact that L.A. is one of the most diverse counties in the country. 

A majority of residents speak a primary language other than English. One in five adults has at least one disability. City, suburban, and rural life are all represented. 

“It’s just an incredible microcosm for the entire United States. And what they realized about 10 years ago is there wasn’t a product on the market that really served all of their voters, that made elections secure [and] fully accessible for the diversity of people there,” says David Becker, executive director of the bipartisan nonprofit Center for Election Innovation & Research.

Voters in Tennessee
Voters fill in their ballots at the Brentwood Library, Tenn., Nov. 2018.
William DeShazer—The Washington Post/Getty Images

After the strenuous design process, a lesser-known voting vendor in the U.S. called Smartmatic licensed the specifications and produced machines under the approval of California Secretary of State Alex Padilla. The first time L.A. County plans to roll out the new system is in March for the presidential primary election.

California law allows the secretary of state to bypass the federal certification process if, in the secretary’s judgment, the system is secure and otherwise adequately meets standards. VSAP underwent functional and security testing prior to Padilla’s certification.

“The kind of system that L.A. County has adopted is based on voters voting on a touch screen that then prints a paper ballot, which is called a ballot-marking device,” says Halderman of the University of Michigan. “That raises its own security questions that I don’t think L.A. County has yet satisfactorily addressed.”

The main security concern with VSAP is that while the machine will spit out a voter-verifiable paper record, voters are not likely to double-check that their votes were actually recorded correctly. This is an issue with any system that creates a paper record, and critics of the system and others like it say this could give hackers an opportunity to make changes to ballots undetected. 

Logan, however, has repeatedly assured skeptics that the new system is secure, claiming California has the strictest voting security standards in the country. 

California state standards for voting system security are more stringent than those set forth in the federal guidelines. The state requires extensive machine testing prior to elections, paper trails, and audits of a random 1% of ballots to ensure vote count accuracy.

The cost and value of certification

While money was not a barrier to innovation for the well-resourced L.A. County, the price tag on machine testing for federal certification makes it difficult for smaller companies to even attempt to be certified.

The Election Assistance Commission lists 18 registered voting vendors on its website, but three companies—Election Systems & Software, Dominion Voting Systems, and Hart InterCivic—dominate more than 90% of the market. These larger companies tend to be the ones able to afford EAC certification, resulting in the high market barrier to entry.

Companies are required to pay for the costs associated with testing, and research from the Wharton Public Policy Initiative at the University of Pennsylvania reports that EAC certification can easily run over $1 million per machine. The same report shows that Election Systems & Software once spent $4 million to become certified in a single state. 

In terms of the actual value of the process, though, in most states, election machine vendors don’t need to be certified to be granted a contract.

Election research director Becker notes that certification doesn’t actually certify that a system can’t be hacked.

“It can’t do that any more than certification of a refrigerator can tell you that refrigerator is always going to work and always going to keep things cold,” he says. “Certification is only really saying to a certain spec that is established, in this case with the Voluntary Voting System Guidelines, that the system seems to work.”

Still, Becker maintains that certification is good because it enables machines to be tested for basic vulnerabilities so that improvements can be made before these machines are used, at least for those companies who can afford it. 

More or less tech

Cybersecurity blogger Bruce Schneier is among the substantial group of experts who think, apart from federal regulation and certification, the key to alleviating the country’s election security concerns is paper-based systems. 

“The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper,” Schneier wrote in his blog in April 2018

Paper-based ballots can either mean the voter fills in an oval by hand on paper or uses a machine that immediately prints out a paper record of that vote. 

Either way, the mass implementation of postelection audits where randomly selected precincts hand-count paper voting records has the potential to lessen the need for strict federal certification of voting systems altogether. 

While a vast majority of voters—nearly 90%, according to Lawrence Norden, director of the Brennan Center for Justice—will use paper ballots or machines that create a paper record in the next election, there is no single U.S. agency dedicated to verifying or auditing elections. 

The Voluntary Voting System Guidelines were last modernized in 2015, and the commission is currently working on another update. One of the most notable additions will require that systems be auditable, meaning they must produce a paper record that can be verified.

“I think there should absolutely be a federal requirement that every federal race needs to be audited to a high level of statistical confidence,” says Michigan computer science professor Halderman. “If states don’t do the audit, then having the machines be auditable doesn’t get us any more security.”

There is no proposed timeline as to when the Election Assistance Commission will approve the VVSG 2.0, but even if the new guidelines were to take effect prior to the 2020 presidential election, they would only affect new systems seeking certification. Voting machines already certified under past versions of the guidelines would maintain their certification, and decertification is rare. 

Nonetheless, whether systems adhere to any version of the VVSG is like every other aspect of election security: left up to the states.

More must-read stories from Fortune:

—These tech companies spend the most on lobbying
Is divorce costing Florida too much money?
2020 Crystal Ball: Predictions for the economy, politics, technology, and more
—All the candidates who qualify for the December Democratic debate—so far
—The 2020 tax brackets are out. Here’s what you need to know
Get up to speed on your morning commute with Fortune’s CEO Daily newsletter.