On Friday, May 27th, the U.S. Election Assistance Commission (EAC) was made aware that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) had drafted an advisory based on a coordinated vulnerability disclosure (CVD) provided to it by a security researcher related to the EAC-certified Dominion ImageCast X component. In its advisory, CISA notes nine specific vulnerabilities disclosed by the researcher and includes additional steps that states and local election administrative jurisdictions can take to mitigate these vulnerabilities.
EAC Findings and Resources
The EAC has reviewed the draft CISA advisory and concurs with its suggested mitigations, noting that most of these mitigations follow generally accepted best practices for securing election systems, maintaining strong chain of custody, and performing pre- and post-election audits, as previously published and endorsed by the EAC: https://www.eac.gov/election-officials/election-security-preparedness.
Additionally, the EAC’s review of the CISA advisory and the underlying security researcher’s report has not identified any non-conformities with the Voluntary Voting System Guidelines (VVSG) under which this component was certified (Help America Vote Act of 2002, 52 U.S.C. §§ 20922(5), 20971(b)(1) (2022)). De-certification actions against this system are not being pursued. The EAC stands ready to accept and expedite processing of any software patches made available by the voting system manufacturer to further protect against exploitation of any identified vulnerabilities.
What is a Coordinated Vulnerability Disclosure?
Coordinated vulnerability disclosures, or CVDs, are mechanisms that allow security researchers to analyze the security of a system or application and report actionable findings to manufacturers and other interested parties, with the goal of improving security through patches or other mitigations while adding accountability and transparency to the process. These processes may be formal or informal and may be initiated by researchers or manufacturers. The EAC supports its registered voting system manufacturers’ participation in CVD programs. The EAC will seek to establish a CVD program for voting systems in the future and is also available to accept CVD reports from researchers who are not able to reach a manufacturer themselves.
The EAC will continue to keep jurisdictions updated on available security patches related to this and future CVD advisories. As soon as the CISA advisory is available, please review and implement the recommended mitigations to ensure your systems are fully protected. While this advisory is specific to the Dominion ImageCast X component, other versions or components of this or other manufacturers’ systems may be affected by similar vulnerabilities that have yet to be discovered.
With the implementation of VVSG 2.0, the EAC will require that all voting system certification testing include penetration testing as part of the suite of tests each system undergoes. Penetration testing will give the EAC’s voting system test laboratories deeper insight into potential vulnerabilities so that manufacturers can mitigate them prior to certification. Similarly, we expect that manufacturers will continue to improve their in-house security testing capabilities during their own system development processes. In the end, no security testing is perfect, and new techniques for exploiting security weaknesses are continually being developed. CVD programs will play a key role in helping to secure America’s voting systems now and into the future.
The EAC is dedicated to supporting election officials as they work to administer secure elections, and we appreciate your attention to this issue and to future updates.
Mark A. Robbins
Interim Executive Director
U.S. Election Assistance Commission