Quote:

---

Ongoing Vulnerabilities

Despite the progress on communication and improvements to the security of our election process, the Committee remains concerned about a number of potential vulnerabilities in election infrastructure.

Voting systems across the United States are outdated, and many do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation. In addition, the number of vendors selling machines is shrinking, raising concerns about supply chain vulnerability.

Paperless Direct Recording Electronic (DRE) voting machines––machines with electronic interfaces that electronically store votes (as opposed to paper ballots or optical scanners)––are used in jurisdictions in 30 states and are at highest risk for security flaws. Five states use DREs exclusively.

Many aspects of election infrastructure systems are connected to and can be accessed over the internet. Furthermore, systems that are not connected to the internet, such as voting machines, may still be updated via software downloaded from the internet.

These potentially vulnerable systems include some of the core components of U.S. election infrastructure, including systems affiliated with voter registration databases, electronic poll books, vote casting, vote tallying, and unofficial election night reporting to the general public and the media. Risk-limiting audits are a best practice to mitigate risk.

Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target for malicious cyber actors. State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for security, abiding by those guidelines is currently voluntary.

---