Lawmakers expressed concern about foreign components in the nation’s election equipment, as the top executives of the three major voting manufacturers appeared before Congress on Thursday to try to provide assurances that their products are secure.
Thursday’s hearing by the Committee on House Administration marked the first time the top executives of the nation’s three major voting manufacturers — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — have appeared before Congress.
Their appearance comes weeks before the start of primaries and amid heightened concerns of foreign interference in the presidential election. U.S. intelligence chiefs have warned that Russia, Iran and others remain interested in seeking to undermine U.S. elections.
The three executives faced repeated questioning from lawmakers about the sources of the parts used to manufacture their voting machines, what steps they have taken to secure these products from tampering and what, if anything, can be done to utilize American-made products.
The executives said the machines they manufacture include, to some extent, components from China and noted the issue of foreign suppliers isn’t unique to the voting equipment industry.
“Several of those components, to our knowledge, there is no option for manufacturing those in the United States,”said John Poulos, CEO of Dominion Voting Systems.
Election integrity activists are concerned about what is known as supply-chain security, the tampering of election equipment during manufacturing. A document submittedto North Carolina elections officials by ES&S last year shows, for example, that it has manufacturing operations in the Philippines.
The executives acknowledged there is no method of voting that is 100 percent secure. All three told the committee they had not been breached or hacked by a foreign government.
The three companies also acknowledged that some of their equipment allows for the transmission of election-night vote counts via modem, a vulnerability security experts say hackers could exploit. They said some state and local election offices require this, although some states and jurisdictions prohibit the practice.
“There are additional risks that are posed when you have remote transmission of results,” Poulos said. “We work to mitigate them with state and local officials.”
Under questioning by Committee Chairwoman Zoe Lofgren, a Democrat from California, the executives said they would support legislation to formalize industry standards to address security concerns, such as mandatory background checks, disclosure of corporate ownership and foreign investor information and reporting of any cyberattacks.
The three companies make an estimated 80 percent of all voting machines in use in the U.S. They have faced criticism over a lack of transparency and reluctance to open up their proprietary systems to outside testing. A report by The Associated Press last year found the leading voting-related companies had long skimped on security in favor of convenience and operated under a shroud of financial and operational secrecy despite their critical role in elections.
The executives sought to reassure Congress and the public that it takes security seriously, but experts have said it’s difficult to confirm measures taken by the companies given the limited visibility into their operations and the absence of federal regulations.
The executives said they support increased federal oversight along with standards for voter-verified paper ballots, rigorous post-election audits and and additional security standards. They said they now work with the Department of Homeland Security to share threat information.
The executives expressed support for the development of a program overseen by the federal government that would allow pre-screened, so-called “ethical” hackers to identify and report vulnerabilities within their systems. But they said any identified vulnerabilities should not be publicly disclosed.
The lack of vendor oversight was highlighted in a recent reportby The Brennan Center for Justice. The report called on Congress to establish a framework for federal certification of election vendors, including standards that give federal officials the power to monitor compliance and address any violations.
Cassidy is in Atlanta. Associated Press Cybersecurity Writer Frank Bajak contributed from Boston. Follow Christina Almeida Cassidy on Twitter at http://twitter.com/AP_Christina.