In some ways, Oregon senator Ron Wyden’s office has acted as a de facto government watchdog for election-security vulnerabilities in everything from election software to voting machines to voting apps to social networks. After the Mueller Report showed that hackers had at least attempted to break into election systems in all states, election security has become the senator’s signature issue. When I spoke to him last week he had just come from the Senate floor, where Republican senators, led by Mitch McConnell, had refused, once again, to even discuss three pieces of election-security legislation. One of the bills had Wyden’s name on it. He was fired up.
Fast Company: When you proposed a discussion of your election-security bill today, was it again [Tennessee Republican] senator Blackburn who shut it down for the Republicans?
Senator Ron Wyden: Yes, Marsha Blackburn objected to both Senator Warner’s proposal and my efforts to pass the Securing America’s Federal Elections Act (SAFE), which largely incorporates my earlier bills [requiring] hand-marked paper ballots and [risk-limiting] audits and cybersecurity standards. [Minnesota Democrat] Amy Klobuchar and I are the sponsors of it in the Senate.
I was struck by the fact that the Republicans will accept no—repeat, no—cybersecurity standards. And I pointed out that right now, today, you can have a voting machine with an open connection to the internet, which is the equivalent of stashing American ballots in the Kremlin. And the Republicans objected and then sat down, and I said, “You all won’t even have a conversation about the seriousness of this problem?” I mean it’s one thing to have a different view of how you would tackle election security, but they just use their raw power to go, “Nothing to fear. All done.” And I was just slack-jawed by that. I used a specific example of a fundamental cybersecurity standard, and they just said, “Nope, not interested.” So we’re going to keep bringing this up. It’s our intention to bring this up again and again and again.
FC: The narrative right now is that Mitch McConnell does not want this conversation to take place, and he doesn’t want anything done, because his party might end up benefiting from the insecurity of our elections. I mean, is there another way to interpret this?
RW: It’s making a mockery out of what needs to be done. I’m on the Intelligence Committee. I’m not going to get into anything classified, but I’ll tell your readers point-blank that as of today, what we will see in terms of foreign interference in 2020 is going to make 2016 look like small potatoes. This is a national security issue! If we were being attacked by the Russians or any other superpower, we wouldn’t say, “Let’s send the county law enforcement folks,” even as we so appreciate them and think they’re terrific.
Somehow the Republicans just don’t even see this as a fundamental national security issue. And nobody’s talking about the federal government taking over elections, but why shouldn’t the federal government give some tips to local folks so they don’t buy an insecure voting machine that they’re going to use this Election Day?
FC: I thought of you, Senator, when I saw the news of the meltdown of the app used to count caucus results in Iowa.
RW: We contacted them three times before the vote, and the top security guy at the DNC. And we couldn’t get anybody to say that this app had been tested. We couldn’t get any information about audits.
There are really four touchstones. Testing and audits are key. Certainly you want to know about [app] design issues. And then you want to know how people are trained, because we saw a lot of stuff coming out of Iowa later that apparently people had trouble downloading the information and this kind of thing. I think this just shows once again that you really need to have this testing and auditing and you need to pay attention to what the National Academy of Sciences says. And that is that they don’t believe that these high-tech kinds of approaches are ready for prime time.
“It’s not about freezing innovation”
FC: Do you think that with the right kind of outside security audits, a voting app that relied on the advanced security features in the smartphone might be a possibility in the future to increase participation?
RW: The scientists say no. I always tell people if you can find some ways to examine ideas and approaches that aren’t going to hurt people, I’m always interested in that. It’s not about freezing innovation, but it’s about how will you use it and what experts are saying now is “Don’t go there.” [Mobile voting startup] Voatz claims everything has been examined and considered, but they haven’t been willing to give up any information that backs up their position.
FC: I understand you’re not going to talk about anything classified, but just given the variety of the possible threats to this election, from disinformation to hacks, I wonder if there are parts of it that are particularly worrisome to you as we get closer to election time.
RW: Let me give you my biggest ones. The total lack of cybersecurity standards is especially troubling. I mean that’s what I said on the floor of the Senate an hour ago. How can it be that the Republicans say that you can just let voting machines have an open connection to the internet? It should just be a no-brainer. But the lack of cybersecurity standards leads local officials to unwittingly buy overpriced, insecure junk. Insecure junk guarantees three things: a big payday for the election-tech companies, long lines on Election Day, and other hostile foreign governments can influence the outcome of our election through hacks.
We are 274 days away from the 2020 election and Mitch McConnell has yet to take any concrete steps to protect our federal elections from hacking or foreign interference. https://t.co/oAZf3yfEbJ
— Ron Wyden (@RonWyden) February 3, 2020
FC: What are your thoughts about voting machine companies and their work with the government to close security vulnerabilities in their machines?
RW: Let’s talk about ES&S, because they’re the biggest. These people think that they’re plain old above the law. They won’t even answer the most straightforward questions if Congress asks. I was the first to write them a letter asking them about really complicated issues. Like “Do you have a specialist on hand for cybersecurity?” Boy, complicated stuff! And they have lied repeatedly to the Congress, to me, and to the press about the extent of their involvement with the preinstalled software [that connects to the internet] in their voting machines. And they sure are powerful. One of their big influential people is high up in Georgia state government. It doesn’t get much better than that. I mean, these people have a lot of clout. They can make a lot of money. And they’ll just stonewall. ES&S refused to release a study of their machines by the Idaho National Labs to me after they went out and bragged about it publicly.
UPDATE: An ES&S spokeswoman writes in an email responding to this story that her company has replied to all of Senator Wyden’s letters and has invited him to visit ES&S headquarters in Omaha. The spokeswoman adds that ES&S has had a VP of Systems Security since 2018.
“Election security starts at the top”
FC: Given that the DHS (Department of Homeland Security) and the EAC (Election Assistance Commission) don’t really have the power of law behind them to mandate things like standards and audits, do you think they are still doing things now that are going to help election security in this election?
RW: To me, election security starts at the top, with the Trump administration. And you know, Donald Trump played this down from the beginning. You get the feeling that they get the message from the top. There’s no question that they know what the attitudes are of the president and his key staff. You see that all through the government. And they know what happens if they don’t comply. Telling the truth carries a big price, whether it’s on election security or anything else.