
Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products.

The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK).

Senators take notice of ES&S's dismissive attitude

The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products.

"We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads.

"Many of the world’s leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued.

ES&S has been critical of security research

At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.

Days before DEF CON's Voting Village challenge took place, ES&S sent a letter to its customers (US states) playing down the importance of the hacks and research that would be discovered at the event, claiming that the "voting village environment does not operate under the same conditions, rules, and regulations as your polling place."


In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me.

The National Association of Secretaries of State (NASS) joined ES&S in its criticism of DEF CON's Voting Village.

Senators want answers by next week

Now, the four US Senate Select Committee on Intelligence members are asking ES&S to answer a few questions regarding its stance on independent security audits, a stance the senators don't seem to understand.

1.    Will ES&S commit to allowing election agencies to arrange independent, qualified, good faith cybersecurity tests of ES&S election systems and share results with the public? Further, will ES&S work with agencies to conduct these tests? If not, why not?
2.    Will ES&S commit to providing election agencies with ES&S election systems at a reasonable cost, before entering into a long-term contract with ES&S, so that they can arrange independent cybersecurity testing? If not, why not?
3.    Will ES&S commit to providing independent, qualified, good faith cybersecurity researchers with ES&S election systems at a reasonable cost so that the researchers can conduct cybersecurity testing and share their results with the public? If not, why not?

The four senators have asked for a response by next week, Wednesday, August 29. We will update this article with the company's response, if made public.

Last month, ES&S admitted in a letter to Senator Ron Wyden (D-OR) that it installed remote-access software on election-management systems the company sold over a period of six years, a big no-no in terms of those devices' security.