Voting-Machine Parts Made by Foreign Suppliers Stir Security Concerns

The findings are likely to fan worries about whether voting-machine vendors are doing enough to defend themselves against foreign interference ahead of the 2020 U.S. elections, which U.S. intelligence officials say hostile powers could try to disrupt.

Voting-machine vendors assailed the research, which Interos conducted independently, saying the report failed to note existing safeguards, such as testing done at the federal, state and local levels, and the vendors’ internal protocols.

One widely used electronic voting machine was found to contain components from suppliers with locations in China and Russia. Researchers categorized the suppliers by three different tiers, according to where they are in the supply chain.

Suppliers with locations in:

Company election-machine manufacturer buys from

Suppliers Tier 1 companies buy from

Suppliers Tier 2 companies buy from

Note: Interos sought to map all suppliers, but there may be others

The report comes as U.S. lawmakers and national-security officials increasingly have sounded alarms about supply-chain risks. Although supply chains that span the globe are common in the tech industry, Russia and China pose concerns because of how, according to U.S. officials, they press companies for access to technology within their borders.

Washington lawmakers have specifically cited voting machines as an area of concern, among such other products as telecom equipment made by Chinese firm

Huawei

and antivirus software from Russia-based Kaspersky Lab.

A spokesman for the Russian embassy in Washington said that Kaspersky is “a private company with offices in the U.S.” and called allegations of Russian interference in U.S. elections a “witch-hunt.” The Chinese embassy in Washington did not immediately reply to a request for comment.

The report examined one voting machine as a case study. In that machine, around 20% of the components in the supply chain that Interos was able to identify came from China-based companies, including processors, software and touch screens, according to the Interos research. Those components weren’t necessarily made in China, as the suppliers may have several locations globally, and the Interos data doesn’t necessarily cover the entire supply chain, the researchers noted.

Researchers declined to name the particular model of voting machine they examined, or its maker, citing the sensitivity of the issue. They said only that it is “widely used” in the U.S. Three voting machine vendors, Election Systems & Software LLC, Dominion Voting Systems Corp., and Hart InterCivic Inc., said they didn’t think it was one of their products.

“Technology is created in different parts of the world, and you may not be able to avoid working with those businesses,” said

Jennifer Bisceglie,

founder and CEO of Interos, in an interview. “But just asking those questions” can help companies mitigate risk in sensitive countries, she said.

Voting-machine vendors faulted the methods used by researchers.

The researchers didn’t conduct “any research into the protocols and safeguards currently employed by the industry,” said a joint statement from five main vendors—Election Systems & Software LLC, Dominion Voting Systems Corp., Hart InterCivic Inc., Smartmatic USA Corp., and Unisyn Voting Solutions Inc.

The vendors added: “Further, the practice of assessing risk based solely—or even primarily—on the geography of a supplier’s corporate locations is a practice that has been widely discredited.”

Ms. Bisceglie defended the research and noted that the Interos report doesn’t claim that a voting machine had been compromised.

“All the report was trying to do was trying to elevate the conversation around the fact that every company and every country is hyperconnected,” she said.

The researchers said they traced the supply chain by sifting through reams of publicly and commercially available data, such as import and export records and SEC filings, using an artificial-intelligence platform developed by Interos.

The vendors said that since 2016, they have stepped up their security measures amid urging from security experts and congressional lawmakers, after U.S. intelligence agencies said they discovered a sweeping Russian hacking and social-media campaign aimed at the 2016 U.S. presidential election.

According to the vendors’ statement, such measures include “rigorous” testing by government experts; requiring suppliers and subcontractors to meet certain security standards; and disclosing details about their supply chains to U.S. authorities.

In 2018, a bipartisan Senate Intelligence Committee report cited “concerns about supply-chain vulnerability” for voting machines, saying that it is a particular concern because only three companies make most of the country’s voting machines.

In addition, cybersecurity researchers who scrutinized voting machines at the Defcon computer security conference in recent years also issued warnings about supply-chain risks.

Some states have added new measures recently.

Lawmakers in Indiana passed a law requiring that voting-system vendors disclose certain foreign ties, among other security measures. In North Carolina, officials asked vendors to provide details about their ownership and vetted that information with the federal Department of Homeland Security.

In 2018, the FBI said that a Russian oligarch had business ties to a vendor that provided election-related services for the state of Maryland, though the vendor said the oligarch wasn’t directly involved in its elections operations, according to the Brennan Center for Justice, a nonpartisan think tank. The company cut ties with the Russian investor after Maryland lawmakers criticized the arrangement, the center said. 

Comments are closed.