Page:Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1.pdf/44

This page has been proofread, but needs to be validated.

COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY

(U) State 5 used paper-hacked voting in only about hair its machines and DRE voting machines without paper backup in the other half.^[1]
(U) Some states are moving to a hybrid model—an electronic voting machine with a paper backup, often in the form of a receipt that prints after the voter submits their vote. For example, State 12 uses some DREs, but all equipment is required to have a paper trail, and the paper ballot is the ballot of record.^[2] State 12 also conducts a mandatory state-wide audit.^[3] Similarly, State 13 uses some paper-based and some electronic machines, but all are required to have a paper trail.^[4]

(U) The number of vendors selling voting machines is shrinking, raising concerns about a vulnerable supply chain. A hostile actor could compromise one or two manufacturers of components and have an outsized effect on the security of the overall system.

"My job," said Ms. Monaco when asked whether she was worried about voting machines themselves getting hacked, "was to worry about every parade of horribles. So I cannot tell you that that did not cross my mind. We were worried about who, how many makers. We were worried about the supply chain for the voting machines, who were the makers? … Turns out I think it's just Diebold—and have we given them a defensive briefing? So to answer your question, we were worried about it all."^[5]
Mr. McCabe pointed out that a small number of companies have "90%" of the market for voting machines in the U.S. Before the 2016 election, briefed a few of the companies on vulnerabilities,^[6] but a more comprehensive campaign to educate vendors and their customers is warranted.

(U) Voluntary Voting System Guidelines

(U) Part of the voting reform implemented under The Help America Vote Act of 2002 was a requirement that the Election Assistance Commission create a set of specifications and requirements against which voting systems can be tested, called the Voluntary Voting System Guidelines (VVSG). The EAC adopted the first VVSG in December 2005. The EAC then tasked the Technical Guidelines Development Committee, chaired by the National Institute of Standards and Technology (NIST) and including members from NASED, with updating the guidelines. In March 2015, the EAC approved VVSG 1.1; in January 2016, the EAC adopted

↑ (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 5], December 1, 2017.
↑ (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 12], December 1, 2017.
↑ (U) Ibid.
↑ (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 13], December 1, 2017.
↑ (U) SSCI Transcript of the Interview with Lisa Monaco, Former Homeland Security Advisor, held on Thursday, August 10, 2017, p. 31.
↑ SSCI Transcript of the Interview with Andy McCabe, Deputy Director of the FBI, held on Wednesday, February 14, 2018, pp. 220-221.

44
COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY

[1] (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 5], December 1, 2017.

[2] (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 12], December 1, 2017.

[3] (U) Ibid.

[4] (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 13], December 1, 2017.

[5] (U) SSCI Transcript of the Interview with Lisa Monaco, Former Homeland Security Advisor, held on Thursday, August 10, 2017, p. 31.

[6] SSCI Transcript of the Interview with Andy McCabe, Deputy Director of the FBI, held on Wednesday, February 14, 2018, pp. 220-221.

[1]

[2]

[3]

[4]

[5]

[6]