US Election Vendors Have Almost Zero Oversight, 'Severe' Cybersecurity Risk, Report Warns

Only three private vendors control more than 80 percent of U.S. voting systems across the country and the federal government has almost zero oversight power, a new election report warns.

The Brennan Center for Justice issued a report about the vulnerability of U.S. voting equipment and election vendors who control an overwhelming majority of the country's electoral process.

The report cautions that the federal government has more authority to regulate colored pencils than it does to enforce regulations on the nation's election infrastructure. The Brennan Center warns that voting technology vendors have "little financial incentive" to prioritize election security and guard against cyber attacks or foreign interference ahead of the 2020 presidential election.

The report repeatedly urges Congress to set up a federal certification process for election vendors instead of allowing states to circumvent voting technology standards. And the findings corroborate several recent reports that lawmakers, who themselves were elected using these very same vendors and machines, have little to no incentive to implement election safety standards.

"The ability of a foreign power to exploit the vulnerabilities of a vendor in a single county in Pennsylvania could have extraordinary repercussions for the country," the report released Tuesday reads. "Ultimately, the best course of action would be for Congress to create a uniform framework for election vendors."

The federal certification program proposed by the Brennan Center's report would empower the Election Assistance Commission (EAC) to conduct independent oversight of vendors outside of "partisan political manipulation."

The three companies, Dominion, ES&S and Hart InterCivic, control and oversee a vast majority of all U.S. voting machines. And as a September 2018 New York Times report indicated, this select few dominates the $300-million-a-year voting machine industry.

"More than 80 percent of voting systems in use today are under the purview of three vendors," the report warns. "A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country."

Lawrence Norden, a co-author of the report, conceded in an interview with the Associated Press that it's too late for any changes to take effect prior to the 2020 election next November. But adding to the report's claim that the EAC has a "history of controversy and inaction," Norden said he doubts lawmakers would take any action even if it could help secure the 2020 election.

"Even if (Congress) had the will, it couldn't be passed in time," said Norden, director of the Election Reform Program at the Brennan Center. "This is another security vulnerability that Congress hasn't addressed."

In 2002, Congress passed the Help America Vote Act, which allocated $3.9 billion to help the federal government ensure election security. But as former EAC Chairman Deforest Soaries told ABC News in 2008, he and other election officials "begged Congress" to allow them to research voting machines before sending the equipment to all 50 states. However, Congress said no.

"Politicians don't care. Washington believes that the machines can't be that bad because, after all, it produced them," Soaries said in the segment which re-aired last Sunday on HBO's Last Week Tonight with John Oliver. "So if they won the race, how bad can the machine be?"

The Brennan Center report illustrated the powerlessness of federal authorities to oversee election vendors, saying that through the standards of the Consumer Product Safety Commission, the federal government has more authority to regulate colored pencils than to secure America's election infrastructure.

Speaking with the BBC on Tuesday, 2016 Democratic candidate Hillary Clinton continued to warn voters and politicians that "Russia, in particular, is determined to try to shape the politics of Western democracies. Not to our benefit, but to theirs."

The report concludes that the "severe underinvestment in cybersecurity" must be remedied by congressional action and the federal government must start a uniform certification process.