The Associated Press reports three privately held companies sell and service more than 90 percent of the nation's election systems, yet they are subjected to little oversight and regularly prioritize customer convenience over product security.
The three companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — face little public accountability and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.
They face scant federal oversight yet effectively run elections, directly or through subcontractors, in much of the nation — especially where tech expertise and budgets are thin. No federal authority accredits the vendors or vets them.
High barriers to entry and low profits discourage the very innovations that could enhance security, experts say.
"They cobble things together as well as they can" because building truly secure systems would likely erase their profits, said University of Connecticut election-technology expert Alexander Schwartzman.
Executives of all three of the top vendors refused to discuss their companies' finances and have resisted exposing their products to the scrutiny of independent researchers and Congress.
The vendors all insist none of their systems has been hacked and have resisted independent testing.
But authorities say serious election mischief may have gone unnoticed, and hackers could theoretically wreak havoc at multiple stages of the election process. They could alter or erase lists of registered voters to sow confusion, secretly introduce software to flip votes, scramble tabulation systems or knock results-reporting sites offline with denial-of-service attacks.
On July 13, U.S. special counsel Robert Mueller indicted 12 Russian military intelligence operatives for, among other things, infiltrating state and local election systems.
In July, ES&S told The Associated Press that it allows independent, open-ended testing of its corporate systems as well as its products. But the company would not name the testers and declined to provide documentation of the testing or its results.
Dominion's vice president of government affairs, Kay Stimson, said her company has also had independent third parties probe its systems but would not name them or share details.
Hart InterCivic, the No. 3 vendor, said it has done the same using the Canadian cybersecurity firm Bulletproof, but would not discuss the results.
ES&S hired its first chief information security officer in April. None of the big three would say how many cybersecurity experts they employ.
In the absence of centralized federal oversight, some states are being more proactive in focusing on election security than others.
California, New York and Colorado are among states that tend to keep a close eye on the vendors. States with cozier relationships have in the past let them use remote-access software to do maintenance on election systems, a widely discredited security faux pas.
And ES&S continues to sell vote-tabulation systems equipped with cellular modems, a feature experts say hackers could potentially exploit to enter election management modules and tamper with vote counts.
A few states ban such wireless connections. Maryland recently got rid of them, and Alabama forced ES&S in January to remove them from machines.
Said John Bennett, the Alabama secretary of state's deputy chief of staff who worked the issue: "It seemed like there was a lot more emphasis about how cool the machines could be than there was actual evidence that they were secure."