A Progress Update on Reinforcing American Voting Systems
While experts are relieved to see some states finally taking cyber threats seriously, they say the nation as a whole still isn’t where it needs to be to prevent future interference by foreign or domestic forces.
Nearly a year after the 2016 presidential election, many Americans have been forced, some for the very first time, to look critically at their voting protections, and recognize that US balloting systems are not nearly as impregnable as they once thought.
Clearly, the US intelligence reports about Russia hacks provided a long-overdue wake up call for this issue. The good news: some progress has been made in some jurisdictions in the last year. The bad news: that progress hasn’t been as widespread or comprehensive as the problem would seem to demand.
“I think we’re moving in the right direction,” said Larry Norden, of NYU’s nonpartisan Brennan Center for Justice. “I’m heartened by the fact that, for instance, we’re seeing, in both House and Congress, bipartisan proposals to invest in increased election system security.”
Norden described “a general trend of [jurisdictions] moving to systems with paper ballots,” and enacting post-election auditing to confirm their election results.
Verified Voting president Barbara Simons said the fact that any state remains entirely paperless is “just embarrassing,” let alone five (Georgia, New Jersey, South Carolina, Louisiana, and Delaware).
Others seemed more dubious. “I am always skeptical that the concerns will fade away as they have sometimes in the past, such as the concern with long lines after 2012,” said Luther Weeks, executive director of the Connecticut-based election-activist group CTVotersCount. “Yet, I believe there will be steady progress — it is unlikely that any new voting systems will be purchased that do not have paper ballots.”
However, said Weeks, the extent of that progress may be limited due to the “huge challenge” imposed by “low budgets, distributed management…and fear of federal control.”
Election consultant Pam Smith agreed that there has “definitely [been] a pattern towards more secure elections” across the country.
Some states appear to be ahead of the game. Virginia, for example, recently earned praise for decertifying all its touchscreen, paperless Direct Record Electronic (DRE) voting machines ahead of the termination date required by its own legislation.
Other states are still playing catch-up. After hackers breached Kennesaw State’s Center for Election Systems, which houses Georgia’s voter rolls, creates its ballots and tests its voting machines, Smith said Georgia was subject to “a lot of pressure to not wait until their voting system is literally unusable.” Now, she says, “it seems clear” that the state’s shift to paper is inevitable.
Smith also indicated that Delaware could be on the same path. And as paper-based voting becomes more normalized, “there may even be a ‘shame’ factor for battleground states that long resisted this trend,” said Maryland-based election activist Mary Kiraly. She points to Georgia and Pennsylvania as examples.
Still, Barbara Simons, president of the activist group Verified Voting, said the fact that any state remains entirely paperless is “just embarrassing,” let alone five (Georgia, New Jersey, South Carolina, Louisiana, and Delaware).
Simons described another eight, including Pennsylvania — a key battleground in the 2016 election — as “partially paperless.” She estimates 80% of Pennsylvania’s voters still use hackable paperless systems.
“If we can find $57 billion to increase our military budget, we should be able to find the teeny, teeny fraction of that amount that we need to make our election secure.”
NYU’s Norden said the machines used in these paperless systems are “among the oldest machines in the country.” You don’t need to be an expert to recognize that adding security risks associated with outdated systems to unverifiable election results opens the doors wide for hackers.
“Security involves prevention, detection, and recovery. When it comes to counting and totaling votes, paper ballots make all three clearly possible,” said Weeks. “Attacks on registration systems and mail-in voting can be much harder to prevent and detect, and almost impossible to recover from, after election day.”
Doug Kellner, Co-Chair of the New York State Board of Elections, believes that upgrading voting systems that are still vulnerable to hacking attacks should be the country’s number one priority.
But in New Jersey, a state Kellner described as “a prime target for new verifiable voting equipment,” it seems the problem can’t just be legislated away.
“New Jersey is an interesting situation,” said Simons. “They actually passed legislation calling for paper ballots, but they never funded it.” Lawmakers have since introduced a similar bill with the hope that it will fare better this time around.
The New Jersey situation is not an anomaly, either. In fact, Norden said, ”One of the things that we have documented at the Brennan Center is that there are a number of states where election officials are saying they need new voting equipment because their equipment has aged out, [but the] legislature has rejected funding to replace that equipment.”
Simons considers this inexcusable. “The fact of the matter is, when you think of all of the things that we in the country and many states spend money on, you would think that the security of our democracy would rank up pretty high in priority,” she said. “I mean, the idea that our elections are potentially at risk of being hacked by foreign entities should have every American up in arms.”
“This is a national security issue, and the government just approved, I think, a $57 billion increase in the military budget? I mean, if we can find $57 billion to increase our military budget, we should be able to find the teeny, teeny fraction of that amount that we need to make our election secure.”
In addition, Norden called for increased funding for “thorough threat assessments, upgrad[ed] IT structure, [and] post-election audits.”
Colorado is gearing up for the country’s first statewide election supplemented with a risk-limiting audit (RLA), an American Statistical Association-endorsed technique considered to be the gold standard of election verification by many experts.
As the various levels of government hierarchy squabble over funding — Is this a local, state, or federal responsibility? All of the above? — fears remain that the general public will lose interest in the issue in the years between presidential elections, as they have done in the past.
Though budgeting shortfalls may hit local agencies the hardest, money problems extend way up the ladder. The federal Election Assistance Commission (EAC) — tasked with helping keep US elections fair and verifiable — managed to survive a Republican-led shutdown attempt earlier this year. But its budget is the lowest in a decade; the agency’s sub-$10 million allocations for 2018 represent a 44% decrease from 2008.
And Norden worries that more cuts may be coming: “There’s still lots of talk about cutting back on [the EAC] budget, which I also think would not be a good idea given the centrality they play in setting standards for voting systems including voting system security, and the centrality they could play in sharing information among election officials.”
Weeks also expressed concern that the Trump administration might still defund the commission, or “pack it with Republicans who believe only in mass voter fraud.”
There is also the issue of the EAC’s vacant commission seat: While the agency is meant to be headed by four commissioners, currently, only three of those spots are filled. But this is still nowhere near as bad as it was a few years ago; prior to 2014, all four seats sat unoccupied for a staggering two election cycles. One can see why this might be an issue given the agency’s critical role in administrating a process which has been called the most complex function of a modern state “short of going to war.”
Despite all this, Norden believes the EAC is safe for the time being. “I think enough people recognize the moment that we’re in and the central role that they can play, that I feel better than I have in a while that they should continue to function.”
In other areas, experts have reason to be optimistic: Colorado is gearing up for the country’s first statewide election supplemented with a risk-limiting audit (RLA), an American Statistical Association-endorsed technique considered to be the gold standard of election verification by many experts.
Analyzing a statistically-determined number of ballots, RLA auditors compare selections made on paper ballots to the results that were scanned into the vote tabulating systems. If they are satisfied that the variation between the two is insufficient to alter the contest’s outcome, the audit ends right there. If not, more ballots are added to the analysis group and the audit continues.
Rhode Island recently passed its own RLA law, and others have passed similar audit-mandating laws that, while not as highly-regarded as the RLA, will at least demand paper-based verification.
Meanwhile, there are vulnerabilities in the system that, Norden says, get too little attention: “When people think about security of voting systems, they’re very focused on the voting machine itself, but there’s lots of other things…whether it’s election-night reporting or the registration system that says whether or not a person’s allowed to vote in the first place, that we also have to [enact] security around.”
Although the public-at-large may not be aware of the extent of these vulnerabilities, hackers certainly are. This was recently confirmed by the Department of Homeland Security which found Russian hackers had targeted 20 state voter registration systems (the agency originally put the number at 21, but has since backtracked on their evaluation that Wisconsin’s system was among those targeted).
Unfortunately, it’s much more difficult to assess the security of registration systems than of voting machines.
“The public interacts with the voting machines, so we all know what machines we’re voting on and whether or not they have paper records,” said Norden. “With registration, what is happening is not a matter of, necessarily, public record. So it’s harder to know.”
“A good forty states have registration systems that date back at least a decade,” Norden added, “Which means, in many cases, they’re using software like Windows XP or Windows 2000 that may not be supported by the vendor anymore and that creates security risks.” One bit of good news: Norden indicated that some of these states are preparing to upgrade their registration systems.
Unfortunately, as with most things involving technology, new vulnerabilities are an ever-present danger.
“While we had this big win in paper ballots, we still have to worry about Internet voting,” said Smith. “There’s somebody who, every year, introduces Internet voting legislation.”
In light of all the news about hackers infiltrating banks and other institutions with mountains of resources at their disposal, Smith cannot understand how anybody could possibly trust Internet voting to be secure: “The very notion that local election officials would be able to protect themselves, when they are underfunded and under-resourced, is almost laughable.”