Earlier this month Sen. Warner (D, VA) introduced S 1500, the Strengthening
Election Cybersecurity to Uphold Respect for Elections through Independent
Testing (SECURE IT) Act. The bill would require the Election Assistance
Commission (EAC) “to provide for the conduct of penetration testing as part of
the testing and certification of voting systems and to provide for the
establishment of an independent security testing and coordinated vulnerability
disclosure pilot program for election systems.” No funding is authorized in this
legislation.
Moving Forward
Warner is a member of the Senate Rules and Administration
Committee to which this bill is assigned for consideration. This means that
there may be sufficient influence to see the bill considered in Committee. I do
not see anything in the bill that would engender any organized opposition. I
suspect that the bill would receive some level of bipartisan support. But again,
as with most bills introduced in the Senate, this bill is not ‘important’
enough to be considered in the Senate under regular order. I also believe that
there would be enough opposition to this bill to prevent it from being
considered under the Senate’s unanimous consent process.
Commentary
One major item missing from this bill is the definition of the
term ‘penetration testing’. NIST has a full page of
potential definitions of the term. I think the most appropriate for this
context would be the definition taken from NIST SP 800-137 under
Penetration Testing. I would modify that definition slightly and add it in a
new paragraph §231(e)(3):
“(3) In this section the term ‘penetration
testing’ means a test methodology in which the researcher, using all available
documentation (e.g., system design, source code, manuals) and working under
specific constraints, attempts to circumvent the security features of an election
system as that term is defined in §297.”
For more details about the provisions of this bill,
including additional commentary about the penetration testing requirements,
see my article at CFSN Detailed Analysis (https://patrickcoyle.substack.com/p/s-1500-introduced,
subscription required).