The US Election Assistance Commission (EAC) recently closed the period for public comment on its draft of requirements for the first major revision to the Voluntary Voting System Guidelines for election technology, also known as VVSG 2.0. They received 77 sets of comments with individual comments totaling in the thousands. Smartmatic was among those who provided input. As a technology manufacturer, we specifically addressed two areas that are important to us.
We have grave concerns that VVSG 2.0, in its current form, will likely not keep anyone satisfied for more than a few years. In our opinion, the draft is not forward-looking and, sadly, some aspects of it have been politicized. Examples of these grave concerns include:
- Lack of an Innovations Clause/Innovations Class, which would allow breakthrough technologies and architectures not contemplated in, or available for testing and certification, through VVSG.
- Wholesale banning of technologies, such as all forms of wireless.
There are two aspects to these concerns.
First, the EAC and the National Institute of Standards and Technology (NIST) fell prey to a very small number of extremely vocal activists in the Public Working Groups. In fact, NIST was forced to cease the Public Working Group meetings for a time due to bullying behaviors and shrill attempts to spread misinformation by multiple activists. This was also evidenced by the various draft requirements to produce certain election artifacts “at no cost.”
While “cost” might be reasonably construed to mean monetary compensation, it is an undefined term. Generating any report carries a cost for labor and time expended; and most important for the integrity of a VVSG, it is an untestable requirement.
Smartmatic agrees completely that election jurisdictions own all work product derived from the conduct of an election and that the ability for the public to audit the system and gain confidence in the results is paramount to a functioning democracy. However, attempting to “legislate” this concept through VVSG is not the means to achieve transparency in voting systems.
The second point is about stifling innovation. Coupling technology bans with the lack of an Innovations Clause ensures that voting systems will not keep up with general technology advances in industries outside of elections.
Personal devices of all stripes are shedding hardware connections and moving to wireless connections thanks to cross-industry innovation. These are demonstrably secure. When researchers find vulnerabilities, they are remedied. This is precisely why developmental testing and pre-event installation testing are done for elections.
Information is moving to cloud computing providers. The United States military and intelligence communities are rapidly migrating their sensitive data to the cloud. There are established federal regulatory frameworks for this, and security governance associated with it.
VVSG prevents a similar evolution for voting systems. Instead, it sentences under-funded and under-staffed county election officials to secure their systems against nation-state attacks, rather than enabling them to utilize cloud providers’ countless, highly trained security professionals and their annual billion-dollar security investments.
Locking down VVSG, and thus future voting systems, is not a sustainable response to system security concerns. Instead, VVSG should provide a sustainable response that includes raising the bar for “baked-in” security, adopting new security architectures, and welcoming holistic coverage against existing and unforeseen threats. A sustainable response would allow for innovation and the incorporation of new technologies proven by other industries.
During the three public hearings regarding the draft VVSG, EAC Chair Hovland asked panelists if the draft VVSG 2.0 is better than the existing and past VVSGs. The response was always that, indeed, draft 2.0 is better than previous VVSGs.
But that doesn’t mean that 2.0 is ready to be codified. VVSG 2.0 can’t simply be written for today. It must be written for tomorrow and provide room for growth from innovations that have yet to be dreamt of. Regulations like VVSG don’t get revised frequently enough to allow it to be any other way. Relying on the not-yet-written Test Assertions for the needed evolution is unworkable.