Joint Industry Statement on Election Technology Supply Chain Security
Please note: The Interos-published report at the heart of this story states “Interos recognizes the extreme sensitivity of election security matters and has contacted the affected company.” Hart InterCivic has never been contacted by Interos and therefore our system is not the one analyzed in their report. To learn more about how Hart specifically manages supply chain and manufacturing security, click here.
The companies that provide the election equipment and technology used in U.S. elections place the highest importance on supply chain security, and proactively take proven, best-practice measures to ensure the sanctity of Americans’ votes:
- All U.S.-registered voting systems manufacturers provide extensive product sourcing information to the U.S. Election Assistance Commission (EAC) and state election offices as part of the certification/testing process. We also work closely with U.S. election officials and other government partners to test and certify our systems for security, accuracy, and reliability in each and every election.
- Voting systems are routinely subjected to rigorous review, analysis, testing and certification by election authorities at the federal, state, and local levels. Once the system software is certified, any changes would prompt a new round of testing by government authorities. This process helps to ensure that product vulnerabilities are discovered and addressed before any systems are placed into use.
- Voting systems manufacturers work individually and collectively to define reasonable levels of security and associated controls for our supply chains, including requiring sub-contractors and vendors to meet or exceed standards as part of the terms and conditions of our established business agreements. We also employ tools and resources to technically and operationally mitigate risk across the lifecycle of products, from design through disposal.
Interos, a company that sells supply chain management services, recently released a marketing report on the security of the election industry supply chain without conducting any research into the protocols and safeguards currently employed by the industry. The only conclusive statement in the release is that “none of [Interos’] findings indicate that the studied machines are compromised in any way.”
Further, the practice of assessing risk based solely – or even primarily – on the geography of a supplier’s corporate locations is a practice that has been widely discredited. Supply chain risks and threats exist regardless of where a company is located, or where its products are manufactured or assembled. As National Risk Management Center (NRMC) Director Bob Kolasky noted in recent testimony on this subject before Congress, “sources of material influence” must be evident.
The election industry welcomes the guidance of cyber and supply chain security experts and, in many instances, have taken significant steps to implement improved policies as a result of hearing from such experts, such as coordinated vulnerability disclosure programs. However, we caution reliance on the findings of a report that purports to expose risks in supply chain practices yet notes that researchers “did not study the exact origin of individual parts or manufacturing location[s].”
Dominion Voting Systems
Election Systems & Software
Unisyn Voting Solutions