HR1 Bill Includes Provisions to Improve U.S. Election Security

The Democrat-controlled House of Representatives has unveiled its first Bill: HR1, dubbed the ‘For the People Act’. It has little chance of getting through the Republican-controlled Congress, and even less chance of being signed into law by President Trump.

Nevertheless, HR1 lays down a marker for current Democrat intentions; and it is likely that some of the potentially bi-partisan elements could be spun out into separate bills with a greater chance of progress.

One of these is likely to include the section on election security. This has been a major issue since the meddling by Russian-state hackers in the 2016 presidential election, and the subsequent realization of how easy it would be for interested parties (both foreign hackers and local activists) to influence election outcomes.

This was highlighted in the 2018 mid-term election in Georgia. Concerns began in late August 2016, when security researcher Logan Lamb discovered that registration details for 6.7 million Georgia voters were being held in a publicly accessible database. This data included voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.

Richard DeMillo, director of Georgia Tech’s Center for 21st Century Universities, told SecurityWeek, “If I were a hacker trying to affect an election in this state, that’s where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven’t looked at which has to do with simply changing contact information for voters.”

What made the situation worse was that when the database was eventually taken down, the log details were deleted. As a result, it is impossible to discover whether anyone other than Logan Lamb also accessed the database.

In the months leading up to the midterm elections, both the Coalition for Good Governance and a group of Georgia citizens sued Secretary of State Brian Kemp to force a return to paper-based voting. Their concern was that the 27,000 Diebold AccuVote DRE touchscreen voting units do not produce a paper audit trail. Given the ease with which such machines can be hacked and manipulated, the litigants argued that the accuracy of the vote could not be verified.

The court case failed, although the judge demonstrated sympathy towards the plaintiffs’ arguments.

Three weeks before the election, five Georgia citizens went back to court to prevent Georgia officials from using “frivolous and arbitrary excuses to reject far too many mail ballots”. The fear was that in a tightly-fought election — as the Georgia race was for the midterms — it would take relatively few rejected votes to decide the outcome.

Two days before the election it was reported that the online voter registration database was unsecured and vulnerable. “For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian,” Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. 

And even after the election, the arguments rumble on. On November 24, the Coalition filed a new lawsuit calling for a new election. It argued that lower voting for the Lieutenant Governor position “is a likely result of the touchscreen voting system malfunctions, and that the un-auditable system does not permit a reliable determination of the vote count.”

The then Secretary of State for Georgia, and the man in charge of the elections, stood for and won the election for Governor of Georgia. Part of the court arguments against him can be ascribed to political bias by the plaintiffs — but that doesn’t change the facts of their concerns. With no paper audit trail from the voting machines, it is impossible to audit the election and confirm that nothing untoward happened with the votes.

It is against this background that HR1 contains a number of provisions designed to improve election security. These include a requirement that any paperless voting systems be replaced, and new grants to help states enhance election security. The bill would also place an obligation on election system vendors to report cybersecurity breaches.

While this will not become law in its current form within HR1, there are hopes that it will provide a bipartisan template for a future bill to improve the security of American elections.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
