Just three companies provide the majority of the equipment that Americans depend on to cast their votes. But election experts and some lawmakers say much more regulation is needed in an era of cyberattacks and foreign interference.
"The fact that we've not moved any election security legislation and the White House and the majority leader continue to fight, it means that it's very, very doubtful that these companies will have the kind of appropriate oversight they need before we go to the polls in November," says Sen. Mark Warner.
The concerns run the gamut from where vendors are buying their parts overseas to how they screen their personnel to keep out bad actors. Another question — who owns the companies — has repeatedly been raised after a vendor used by Maryland was linked to a Russian oligarch.
"The fact of the matter is, we don't even know how many vendors there are working on critical election infrastructure, and we don't know where they're working because the whole scene is so unregulated," says Larry Norden, director of the Election Reform Program at the Brennan Center for Justice.
The three largest election vendors promised more transparency at a congressional hearing earlier this year. And Nebraska-based Election Systems & Software told Newsy a lot has changed.
"In 2016, I can tell you that we didn't know who our Homeland Security contacts were," says Chris Wlaschin, ES&S' Vice President of Systems Security and chief information security officer.
ES&S says it's now working regularly with federal authorities, advocating for better security testing of election equipment, and doing personal and criminal background checks on its 480 employees and contractors.
"And then we monitor those background checks to make sure that if anything big changes, that we catch it."
Wlaschin says that like its biggest competitors, ES&S gets some of its components, including programmable logic devices, from China.
"Sometimes we're X-raying these components to make sure there's no malware or counterfeit components," he says. "We actually inspect them and then we put the software on them in Omaha. That doesn't happen overseas."
Experts and lawmakers say self-reporting is just not enough.
"When you have a completely unregulated market, it makes it very difficult for election commission officials to know where they should be buying their products from, who they can trust, who they can trust to maintain their systems," Norden says.
One federal agency — the Election Assistance Commission — has a voluntary program to certify voting system hardware and software, and it’s been criticized as outdated. And only a handful of state certifications exist for other items like electronic poll books to check in voters on election day.
Elections were seen as an administrative matter for states — until Russia’s assault on the 2016 election. After that, the Department of Homeland Security designated elections critical infrastructure to national security.
"Without either a federal certification process or some requirements that vendors have to comply with, mostly we're going to have to take them at their word," Norden says. "And I'm not saying that their word isn't good. It's just impossible for us to know."
"I don't think we've seen significant improvement," Sen. Warner tells Newsy. "There have been certain actions. They've been a bit more transparent. But just as we've seen with the cases of Facebook and Twitter and Google, they've improved some of their tactics. But they're a long way from being where they need to be."