Voting-Machine Parts Made by Foreign Suppliers Stir Security Concerns
Voting-Machine Parts Made by Foreign
Suppliers Stir Security Concerns
Technology linked to
companies under authoritarian governments highlights risks; China-based
suppliers don’t always mean Chinese-made parts
A voting machine that is widely used across the country contains
some parts made by companies with ties to China and Russia, researchers found,
fueling questions about the security of using overseas suppliers, which has
also sparked scrutiny in Washington.
Voting-machine vendors could be at risk of using insecure
components from such overseas suppliers, which generally are difficult to vet
and monitor, said a report being released Monday by Interos Inc., an Arlington,
Va.-based supply-chain monitoring company that has consulted for government agencies
and Fortune 500 companies.
The findings are likely to fan worries about whether
voting-machine vendors are doing enough to defend themselves against foreign
interference ahead of the 2020 U.S. elections, which U.S. intelligence
officials say hostile powers could try to disrupt.
Voting-machine vendors assailed the research, which Interos
conducted independently, saying the report failed to note existing safeguards,
such as testing done at the federal, state and local levels, and the vendors’
internal protocols.
Supply-Chain Connections
One widely used
electronic voting machine was found to contain components from suppliers with
locations in China and Russia. Researchers categorized the suppliers by three
different tiers, according to where they are in the supply chain.
The report comes as
U.S. lawmakers and national-security officials increasingly have sounded alarms
about supply-chain risks. Although supply chains that span the globe are common
in the tech industry, Russia and China pose concerns because of how, according
to U.S. officials, they press companies for access to
technology within their borders.
Washington lawmakers have specifically cited voting machines as
an area of concern, among such other products as telecom equipment made by
Chinese firm Huawei and
antivirus software from Russia-based Kaspersky Lab.
Officials at the Russian and Chinese embassies in Washington
didn’t immediately respond to requests for comment. Both countries historically
have denied interfering in U.S. politics.
The report examined one voting machine as a case study. In that
machine, around 20% of the components in the supply chain that Interos was able
to identify came from China-based companies, including processors, software and
touch screens, according to the Interos research. Those components weren’t
necessarily made in China, as the suppliers may have several locations
globally, and the Interos data doesn’t necessarily cover the entire supply
chain, the researchers noted.
Researchers
declined to name the particular model of voting machine they examined, or its
maker, citing the sensitivity of the issue. They said only that it is “widely
used” in the U.S. Three voting machine vendors, Election Systems & Software
LLC, Dominion Voting Systems Corp., and Hart InterCivic Inc., said they didn’t
think it was one of their products.
“Technology is created in different parts of the world, and you
may not be able to avoid working with those businesses,” said Jennifer
Bisceglie, founder and CEO of Interos, in an interview. “But just asking those
questions” can help companies mitigate risk in sensitive countries, she said.
Voting-machine vendors faulted the methods used by researchers.
The researchers didn’t conduct “any research into the protocols
and safeguards currently employed by the industry,” said a joint statement from
five main vendors—Election Systems & Software LLC, Dominion Voting Systems
Corp., Hart InterCivic Inc., Smartmatic USA Corp., and Unisyn Voting Solutions
Inc.
The vendors added: “Further, the practice of assessing risk
based solely—or even primarily—on the geography of a supplier’s corporate
locations is a practice that has been widely discredited.”
Ms. Bisceglie defended the research and noted that the Interos
report doesn’t claim that a voting machine had been compromised.
“All the report was trying to do was trying to elevate the
conversation around the fact that every company and every country is
hyperconnected,” she said .
The researchers said they traced the supply chain by sifting
through reams of publicly and commercially available data, such as import and
export records and SEC filings, using an artificial-intelligence platform
developed by Interos.
The vendors said that since 2016, they have stepped up their
security measures amid urging from security experts and congressional
lawmakers, after U.S. intelligence agencies said they discovered a sweeping
Russian hacking and social-media campaign aimed at the 2016 U.S. presidential
election.
According to the vendors’ statement, such measures include
“rigorous” testing by government experts; requiring suppliers and
subcontractors to meet certain security standards; and disclosing details about
their supply chains to U.S. authorities.
In 2018, a bipartisan Senate Intelligence Committee report cited
“concerns about supply-chain vulnerability” for voting machines, saying that it
is a particular concern because only three companies make most of the country’s
voting machines.
In addition, cybersecurity researchers who scrutinized voting
machines at the Defcon computer security conference in recent years also issued
warnings about supply-chain risks.
Some states have added new measures recently.
Lawmakers in Indiana passed a law requiring
that voting-system vendors disclose certain foreign ties, among other security
measures. In North Carolina, officials
asked vendors to provide details about their ownership and
vetted that information with the federal Department of Homeland Security.
In 2018, the FBI said that a Russian oligarch had business ties
to a vendor that provided election-related services for the state of Maryland,
though the vendor said the oligarch wasn’t directly involved in its elections
operations, according to the Brennan Center for Justice, a nonpartisan think
tank. The company cut ties with the Russian investor after Maryland lawmakers
criticized the arrangement, the center said.
Comments
Post a Comment