It’s been a tough week for the incumbent commercial voting system vendors, with the leading vendor caught in some embarrassing admissions of using vulnerable antique remote-access software in their voting system product, after having previously denied exactly that. Also, Senator Wyden and others are on the Congressional record as criticizing vendors for lack of responsiveness to inquiries, and another vendor responded with tit-for-tat PR attempting to publicly correct the Senator. Another vendor was acquired by a private equity firm, while some other public watchdog groups are raising concerns about Russian investment in equity firms with a stake in companies that have access to voting systems.
I have several colleagues in the election integrity community whose previous irritation with these vendors has tipped over into contempt over the vendors’ recent public behavior: making misleading statements to Congress, state legislators, voting system customers, and more that has stoked a rash of outrage.
Other colleagues caution against demonizing these vendors. Perhaps the most sage of these latter colleagues aptly put it:
“Vendors are in the business to sell products. They will develop the products that they think will sell profitably.”
I agree. These vendors behave in a perfectly sensible and predictable and (sometimes) appropriate way, given the current model where election officials are required to purchase voting system products from vendors. The vendors have a fiduciary responsibility to the shareholders to turn a profit. If they don't, then they cease to exist—and the majority have not, with a decade of voting company shutdowns, mergers, and acquisitions leading to the current tri-opoly of ES&S, Hart-Intercivic, and Dominion Voting Systems. It’s a tough business.
This same colleague said:
“It is up to the decision-makers in state legislatures and election offices to make known what products they want, and what they are willing to pay for.”
Here I also agree with others who have pointed out that the vendors have significant influence with some legislators and are hardly disinterested in their use of it with some legislators who (in retrospect) may have been unduly credulous. But self-serving government relations activity is also a predictable behavior of for-profit companies selling to governments, particularly companies in a stressed and stressful market.
I sympathize with the outrage, but my advice against demonizing and antagonizing these vendors is based on the goal of behavior modification. Like it or not, voting system vendors are key players in U.S. elections. It’s in everybody’s interest if their behavior is more honest, more helpful; if they become actively engaged in election Critical Infrastructure sector activities, as the vendors of some of the most tempting targets for our nation-state adversaries’ cyber-operations.
Increased antagonism will likely drive their behavior in the opposite direction, reinforcing unhelpful behavior that contributes to polarization and politicization of the important policy decisions about elections. So, despite some very unedifying behavior by these vendors, I still suggest that we don't antagonize the hardworking people at these companies, and temper our interactions with pity for the crazy little business that they are in; and even more so, having that business transformed so that now these companies being vendors of Critical Infrastructure (CI) assets with nation-state cyber-adversaries – something that none of them ever anticipated, or have the capacity to respond to. There's less that a 1,000 of these people working at the top 3 companies together! No wonder they seemed stressed out. We might wish that these people become less of an irritant in policy discussions and CI activities, but we shouldn't expect any corporate different behavior than any other niche-market for-profit product company.
For myself, I share the misgivings about some of the less savory public behavior, but I decided long ago not to get my blood pressure up about behavior that's completely predictable, not amenable to fundamental change, and is not a real force for change anyway. I decided instead that we at the OSET Institute can work-around these 1,000 people to make some change that they cannot. I've been pleasantly surprised about occasional cordiality at the one-on-one level with several of these people.
Lastly, I want to respond directly to several observations that it is crazy that the integrity of democracy should depend in part on these companies, that they shouldn’t be allowed to have this critical role that they can’t fill, that there must be a better way. Everyone I know in election-land would seriously question a decision to:
- Require that US elections depend on computing equipment, and that
- The equipment must be purchased from for-profit vendors, and that
- The available funding for such purchases remain on the bleeding edge of barely able to support the vendors existence, and that
- After years of barely profitable business, we should expect the vendors to suddenly become cyber-security and CI protection experts.
But nobody made that choice; that's the history that "just grew." That non-decision is not going to be changed by any government in a top down manner, in the foreseeable future.
But it will and is getting changed by the activity of a wide range of people – election officials, advocacy groups, technologists, and more – who are working quietly in government service work, or in the garage, to nudge the change. It pays off; it took a decade of advocacy (and some help from Russia) to finally get the country on the path to eradicate undetectable hackable paperless voting machines. There’s lots more to do. But as Margaret Mead said: "Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has."
PS: I have particularly invited comments here from the EI community colleagues I’ve referred to here, so readers can get a first hand account of a range of attitudes about voting system vendors and their role in U.S. elections.