Review - S 1500 Introduced – Election System Cybersecurity Testing

Earlier this month Sen Warner (D,VA) introduced S 1500, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would require the Election Assistance Commission (EAC) “to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an independent security testing and coordinated vulnerability disclosure pilot program for election systems. No funding is authorized in this legislation.

Moving Forward

Warner is a member of the Senate Rules and Administration Committee to which this bill is assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything in the bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support. But again, as with most bills introduced in the Senate, this bill is not ‘important’ enough to be considered in the Senate under regular order. I also believe that there would be enough opposition to this bill to prevent it from being considered under the Senate’s unanimous consent process.

Commentary

One major item missing from this bill is the definition of the term ‘penetration testing’. NIST has a full page of potential definitions of the term. I think the most appropriate for this context would be the definition taken from NIST SP 800-137 under Penetration Testing. I would modify that definition slightly and add it in a new paragraph §231(e)(3):

“(3) In this section the term ‘penetration testing’ means a test methodology in which the researcher, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an election system as that term is defined in §297.”

 

For more details about the provisions of this bill, including additional commentary about the penetration testing requirements – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1500-introduced - subscription required.