HR 6315 Introduced – Election System Pentests
Earlier this month Rep Valadao (R,CA) introduced HR 6315, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would amend the Help America Vote Act of 2002 by adding to the existing election system certification process a requirement to conduct third-party penetration testing of such systems. It would also establish a voluntary election system vulnerability disclosure program. No new funding is authorized by the legislation.
HR 6315 is essentially the same as HR 7447, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act, that was introduced by Rep Spanberger (D,VA) in February 2024; Valadao was a cosponsor of that bill. No further action was taken on that bill in the 118th Congress.
Definitions
Subsection 3(e) of the newly proposed §297 provides the definitions of seven key terms used in Section 3 of the bill. Two of the key terms (‘information system’ and ‘security vulnerability’) are defined by reference to existing statutory definitions.
The most important key term for this new section is ‘election infrastructure’. This term is very broadly defined and specifically includes:
Electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results) and
Other systems used to manage the election process and to report and display election results on behalf of an election agency.
Existing Certification Process
Section 2 of the bill would amend §231 of the Act (52 USC 20971) by adding a new subsection (e), Required Penetration Testing. The new subsection would require the Election Assistance Commission to “provide for the conduct of penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.”
Pilot Program
Section 3 of the bill would add a new §297, Independent security testing and coordinated cybersecurity vulnerability disclosure pilot program for election systems, to the Help America Vote Act of 2002 (52 USC 21001 et seq). Subsection 297(a) would require the Commission to “establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E)”. The voluntary pilot program would exist for five years and would include provisions for vetting (specifically including background checks) researchers who would participate in the independent security testing program.
The program would require participating researchers to:
Notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system, and
Otherwise keep such vulnerability confidential for 180 days after such notification.
The program would also require vendors notified of a vulnerability classified as ‘high’ or ‘critical’ under NIST standards to:
Send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it, and
Notify the Commission and the Secretary that such patch has been sent to such officials.
For election systems that have a current Commission certification, the Commission would be required to provide for an expedited certification review of the patch or fix. If that certification review was not completed within 90 days, the fix would be deemed certified. After 180 days from the date the Commission was notified of the vulnerability by the researcher, the Commission would be required to forward the vulnerability to CISA for inclusion in the Common Vulnerabilities and Exposures (CVE) database.
Safe Harbor
Subsection 297(d) provides for the voluntary participation of both vendors and researchers in the pilot program. Vendors would be prohibited from taking action against participating researchers under 18 USC 1030 (Computer Fraud and Abuse Act) for “accidental, good faith violations of the program.” Similarly, vendors would be prohibited from taking action under 17 USC 1201 (Digital Millennium Copyright Act) for circumvention of technological controls. Paragraph (4) would exempt vulnerabilities reported in the pilot program from disclosure under 5 USC 552 (Freedom of Information Act).
Moving Forward
Neither Valadao nor his sole cosponsor {Rep Deluzio (D,PA)} is a member of the House Administration Committee, to which this bill was assigned for primary consideration. This means that there is not sufficient influence to see the bill considered in Committee. I suspect that there would be some level of bipartisan support for the bill were it to be considered. What is not clear is whether there would be enough to see the bill considered by the full House under the suspension of the rules process.
Commentary
While the proposed §231(e) uses the term ‘penetration testing’, it does not provide a definition of that term. I would suggest using the definition of that term found in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (page F-1):
“Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.”
This would be best accomplished by revising the proposed §231(e)(1) to read:
“(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this subsection, the Commission shall provide for the conduct of penetration testing (as that term is defined in NIST SP 800-115, Appendix F) as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.”