For decades, the companies that dominated the U.S. voting machine industry operated in relative anonymity. Now, lawmakers want answers and transparency.
The CEOs of the three companies that make more than 80 percent of the country's voting machines testified before Congress Thursday for the first time, marking a new and bipartisan effort to ensure the security of the 2020 election.
The three companies, Election Systems & Software (ES&S), Dominion Voting Systems and Hart InterCivic, are almost entirely unregulated. But in recent years, policymakers and election advocates have begun to question who owns the companies, how they make their machines and whether they could be susceptible to remote hacking.
Zoe Lofgren, D-Calif., chair of the congressional subcommittee that oversees federal elections, said in her opening remarks that they need more information from the companies.
"Despite their outsized role in the mechanics of our democracy, some have accused these companies with obfuscating, and in some cases misleading election administrators and the American public," said. "There is much work to do, and much for Congress to learn about this industry."
The hearing touched on a wide range of issues from the security of the machines and the prospect of independent review to lobbying and voter registration databases. While there are certification standards for voting machines, the companies themselves are lightly regulated and must disclose little information.
Because voting machines themselves aren't designed to be continuously connected to the internet, they're thought to be less vulnerable to remote hacking that could change election outcomes. But some voting systems do send tabulations via modem, and the recent revelation that the machines do have the ability to connect to the internet was a subject of concern for Lofgren.
All the vendors confirmed that some of its machines have wireless modems in order to send unofficial results.
"That's something we may want to look into further," Lofgren said.
Security measures for protecting the 2020 presidential vote are top of mind for policymakers after Russian interference in the 2016 election prompted the federal designation of election systems as "critical infrastructure."
The vendors agreed to support future legislation that would require additional disclosures around their supply chain, cybersecurity practices, cyber incident reports, employee background checks and screening, and corporate ownership.
The federal government's control over national elections is relatively limited because states are tasked with collecting votes. Rep. Rodney Davis, R-Ill., ranking member of the subcommittee, said the House still has a key oversight role.
"Instead of getting into a winded debate today between paper versus electronic or state versus federal, let's instead focus our efforts on areas within our federal reach that need improvement, areas where we may come to a bipartisan agreement," Davis said.
Despite the interference warnings from the intelligence community, President Donald Trump has rejected any scrutiny of the administration of the 2016 election — except for his own unproven allegations of voter fraud — as an attempt at invalidating the results.
But after a contentious year in which no proposed election security improvement bills were passed, the hearing Thursday provided evidence of bipartisan interest in the importance of election security procedures.
A key question posed to voting machine makers has been how they make their machines and where the parts come from. Lofgren cited a recent report by a supply chain analysis firm, Interos, that an unnamed "widely used" voting system vendor had been found to use parts from China-based companies and suppliers with locations in China or Russia.
"Do you have components in the supply chain that come from Russia or China?" Lofgren said.
ES&S CEO Tom Burt said one of its "programmable logic devices" is from an American company that uses a factory in China. Later, he noted that Texas Instruments makes one of its chips and that ES&S's business is too small to get the supplier to change its global supply chain.
Dominion CEO John Poulos said that all of his company's machines were manufactured in the U.S. and that his company was not the subject of the Interos report. Hart's CEO said their company contained components from China but not from Russia.
In response to direct questions from Rep. Mark Walker, R-N.C., and Rep. Pete Aguilar, D-Calif., the three CEOs denied knowledge of any kind of cyber intrusions into their voting systems.
"We have never received any evidence or even commentary that these systems have been hacked," Burt said.
“We’ve had no breaches to report,” he told Rep. Aguilar, later in the hearing.
The other two CEOs responded similarly.
Though no evidence has shown that a single vote was tampered with in the 2016 election, the scanning and probing of different elements of the voting process by groups connected to Russia showed that security measures need to be scrutinized in an industry where most machines on the market follow 15-year-old federal security standards.
The privately held ES&S, Dominion and Hart InterCivic voiced their commitment to customizing solutions for individual jurisdictions, improving security, working with federal agencies and vetted outside partners, and providing as much transparency as possible.
Eddie Perez, global director of technology development for the Open Source Election Technology Institute, a nonprofit research organization, said that there is still a shroud of secrecy around voting machine companies. (NBC News has collaborated with OSET since 2016 to monitor technology-related election and voting issues.)
"The private companies that support election technology in the industry are not regulated, not as companies," Perez said. "They are private, with much information about their business and operational practices kept totally private."
The vendors praised Congress for its recent appropriation of $425 million in additional funding to the federal Election Assistance Commission to be distributed to states to improve election security, which could include buying new equipment.
The companies stressed the heightened levels of cooperation and communication with the Department of Homeland Security and other government partners. The vendors noted they sent their latest machines to the Idaho National Labs to be tested by "hackers" looking for exploits to fix. And they've worked to establish a new industry group that would evaluate vulnerabilities and coordinated on publicly disclosing them.
"We urge you to continuing work with election officials to help remove additional barriers that exist for modernizing their infrastructure," Poulous said.