EAC Commissioners Issue Joint Statement on Released Report on Dominion ImageCast X Component
Washington, DC – A report was released June 14 that details vulnerabilities related to the U.S. Election Assistance Commission-certified Dominion ImageCast X component. Regarding the findings in this report, Chairwoman Christy McCormick, Vice Chair Ben Hovland, Commissioner Donald Palmer, and Commissioner Thomas Hicks issued the following joint statement:
“The U.S. Election Assistance Commission (EAC) works diligently to ensure the security and accuracy of America’s elections, as envisioned in the Help America Vote Act of 2002. Last year, the EAC issued guidance for election officials on mitigating potential vulnerabilities, including some identified in the recently released report. Additionally, the EAC certified fixes for the vulnerabilities identified in the report. The EAC is dedicated to supporting election officials as they work to administer secure elections and transition to VVSG 2.0 in the years ahead.
In recent testimony before the U.S. Senate Committee on Rules and Administration, the EAC noted efforts to implement a voluntary Coordinated Vulnerability Disclosure (CVD) program to address the evolving cybersecurity threat landscape across the election community.
Working alongside other federal partners, the need to quickly identify and respond to vulnerabilities to our voting systems is critical. In the end, no security testing is perfect and new techniques are continually being developed to exploit security weaknesses. CVD programs will play a key role in helping to secure America’s voting systems now and into the future.”
With the adoption of VVSG 2.0, the EAC requires that all voting system certification testing include penetration testing as part of the suite of tests each system undergoes. Penetration testing will give the EAC’s voting system test laboratories deeper insight into potential vulnerabilities so they can be mitigated by manufacturers prior to certification. Similarly, the EAC expects that manufacturers will continue to improve their in-house security testing capabilities during their own system development processes.