officials. There also is no indication that any
election system was compromised as part of the
hacking campaign that exploited an update of
network management software from a company
called SolarWinds. It was the largest cybersecurity
breach of federal systems in U.S. history.
Despite that, election systems are vulnerable
to the same risks exposed by the SolarWinds
hack, the report said. It describes the risk of
such an attack, in which hackers might infiltrate
the hardware or software used in election
equipment. Even if voting results aren’t affected,
such an attack could lead to confusion and
undermine confidence in U.S. elections.
The nation’s decentralized system of election
administration means voting technology varies
from state to state and even county to county,
providing multiple ways for malicious actors
to gain access. The systems generally rely on
components from third-party suppliers or
use commercial, off-the-shelf hardware. Most
also use proprietary software that may not be
subjected to rigorous security testing.
“It’s a complex mix of parts and suppliers,
which creates very real supply chain risks,” said
Eddie Perez, global director of technology
development at the OSET Institute, a nonprofit
election technology research corporation.
The use of foreign suppliers for voting technology
and related supply chain security has long been a
concern. During a congressional hearing last year,
executives with the three major voting machine
vendors faced repeated questioning from
lawmakers about the sources of the parts used to
manufacture their voting machines, what steps
they have taken to secure their products from