Ensuring the integrity and security of the election process is essential for the functioning of democracy in the U.S., and is a shared responsibility among many officials.
Local election administrators are in charge of the nuts and bolts of election administration, and play a key role in elections security. Each state’s chief elections official—usually, but not always, the secretary of state—has responsibilities, too, especially in regard to safeguarding voter records for statewide voter registration databases. State cybersecurity officials have recently been called on to improve elections security. And legislators set policy regarding elections security, whether cybersecurity or physical security.
On March 23, 2018, President Trump signed the Consolidated Appropriations Act of 2018 into law, which included $380 million in Help America Vote Act (HAVA) grants for states to make election security improvements. In order to receive the grant funds, states must provide at least a 5 percent match within two years of receiving the federal funds and submit a state plan detailing how the funds are to be used. Every state received a base of $3 million, with the remaining funds disbursed using the voting age population formula described in Sections 101 and 103 of HAVA. This means that states received anywhere from $3 million to $34 million, depending on the population of the state (see this chart for state-by-state details). See the EAC’s page on 2018 HAVA Election Security Funds for additional information on the amount of grant funding provided by state, and other FAQs.
Given the focus on this area in recent years, it’s also important for policymakers to understand the security mechanisms already in place in elections, and to consider security as a key aspect of any new election-related legislation. Confidence in elections is based on the perception of the process, and it’s important for everyone—from legislators to the media to the public—to know the safeguards that are already in place, or that may be beneficial to implement for the future.
Legislators can use the power of their offices to encourage consideration of security at all times. If a bill comes up addressing early voting, e-poll books, vote centers, or any other topic, questions about costs, savings, turnout and convenience come quickly to mind. “What will this bill mean for elections security?” is the new all-purpose question.
More specifically, legislators can propose and promote bills that tackle procedural issues that are the building blocks of security.
This page summarizes elections processes and procedures, and identifies options that are in place in some states that legislators around the nation can consider to further improve elections security. These are provided in four categories: before an election, during an election, after an election and ongoing.
Before an Election
Testing and certification of voting systems. States play a key role in testing and certifying voting systems. Most states’ certification requirements rely to varying degrees on Voluntary Voting System Guidelines (VVSG) promulgated by the U.S. Election Assistance Commission (EAC). The most recent guidelines were approved in 2015. Vendors employ federally accredited independent laboratories to test the software, hardware, firmware and operating systems involved with their voting systems against these guidelines. This testing involves source code review—to ensure no extraneous or malicious code exists in the system—and the casting of hundreds of thousands of ballots to assess the accuracy and fault tolerance of the system. State testing authorities may run additional tests to ensure that every vote is captured as intended by the voter and accurately tabulated. States can review their voting system requirements to see if they refer to outdated or irrelevant voting equipment. For example, Rhode Island did this in 2015 in the bill that allowed the state to purchase new voting equipment, and took out language that did not pertain to newer technologies (SB 999). More information can be found on NCSL’s webpage on Voting System Standards, Testing and Certification.
Pre-election testing. Nearly all election jurisdictions engage in testing of their systems and ballots before every election. Statutes sometimes require this kind of “logic and accuracy testing,” and even when they do not, it is a common process conducted by local election officials. Logic and accuracy testing is generally conducted in public and serves dual purposes. First, it demonstrates that the voting system is able to accurately and completely tabulate the ballot and report results. Second, the public nature of it increases voter confidence. In Arkansas, for example, statute requires election officials to “conduct logic and accuracy testing by having all election media tested to ascertain that the voting system has been correctly configured and will correctly tabulate the votes cast for all offices and on all measures” no later than seven days before an election (Ark. Code Ann. § 7-5-515).
Secure physical storage. Between elections, equipment is stored in a secure location. Good security procedures may include security cameras, logs of who enters and exits, controlled access and redundancy measures so that no one is ever alone with the equipment. While legislation on storage requirements is rare, storage is a key issue for local or state officials. Proper storage also extends the life of elections equipment. See the U.S. Election Assistance Commission’s paper on 10 Things to Know About Managing Aging Voting Systems for more.
Contingency planning. A key aspect of running secure elections is having a contingency, or recovery, plan. What’s the plan in case of a hurricane or fire? What’s the plan if e-poll books fail on Election Day? What’s the plan if there is an attack on the voter rolls that inaccurately deletes significant numbers of voters from the rolls? An election official’s goal is always to recover as quickly as possible to prevent a disruption to voting. Contingency planning often happens at the local level, but can be a state initiative as well, as was the case in 2015 in Minnesota.
Training. Election officials, poll workers, and IT staff are trained in the proper maintenance, deployment and use of their voting systems. Increasingly, training also includes cybersecurity, to prevent employees from falling prey to phishing attacks and to encourage the adoption of two-factor password authentication, real-time monitoring of websites for unusual activity and keeping a log of all changes made in an online system. Among its recommended resources, the EAC links to a cybersecurity training through the Federal Virtual Training Environment that is available at no charge to government personnel.
During an Election
Chain of custody. Election officials have procedural systems to check who has done what, and when. These systems include strict chain-of-custody rules that prevent voting system components from falling out of custody, undetected. For example, when ballots are moved there is often a “chain of custody” requirement where poll workers or officials who are touching ballots are required to log what they did—how many ballots moved from room to room, or were taken to a polling place or post office. Movements of equipment are recorded as well. Procedures such as these allow officials to track election-related materials and provide a chronological record that can be reviewed should a problem or inconsistency arise. Arkansas enacted HB 1792 in 2017 to address chain-of-custody requirements.
Physical security measures. In addition to logging movement of election materials, physical measures exist that keep equipment and election materials safe, such as tamper-proof seals, creating “zero reports” on voting equipment to ensure that no votes were cast prior to the opening of the polls, and officials working in bipartisan teams. See the chapter in the EAC Election Management Guidelines on Physical Security for more information.
Redundancies and backups. Vote totals are backed up on redundant storage devices within voting equipment and e-poll books may be backed up with paper poll books. These built-in redundancies are designed to keep elections running smoothly in case of disasters. Disasters could be natural, such as fires and floods, or cyber disasters, when foreign or domestic bad actors attempt to tamper with election equipment or otherwise disrupt the election. For more on the cyber aspect, see the EAC’s document on Cyber Incident Response Best Practices.
Tampering with voting equipment as a crime. Almost all states list election fraud as a crime (often a felony) and many also specifically criminalize tampering with voting equipment. If an individual is able to tamper with a voting machine, stuff a ballot box, or otherwise cheat, it is a prosecutable offense, often accompanied by hefty fines and jail time. See NCSL’s webpage on State Statutes Prohibiting Tampering With Voting Systems for more information.
Provisional ballots. Provisional ballots, as required by the federal Help America Vote Act, are cast by voters whose eligibility is in question. Provisional ballots serve at least two purposes: to provide a fail-safe option for a voter who otherwise might not be able to vote, and to ensure that voters don’t cast two ballots. If the poll book indicates that a voter already received an absentee ballot and the voter shows up at the polls wanting to vote, he or she would be asked to vote a provisional ballot. Shortly after Election Day, election officials would check to make sure the voter hadn’t already cast the absentee ballot before opening the provisional ballot envelope and counting the provisional ballot. This is one way to prevent a voter from casting two ballots. See NCSL’s webpage on Provisional Ballots for more information.
Paper Ballots. Some say the use of paper ballots is integral to election security because they provide a physical trail that can be followed if there is any question about the outcome of an election, or more generally, for audits. In the 2000s many states updated their voting systems, choosing either paper ballots and scanners, or Direct Recording Electronic (DRE) systems. DREs are efficient, able to handle high volumes of voting, work well for people with disabilities, and provide flexible options for early voting and vote centers. However, some DREs do not create a paper trail or record and therefore it is not possible to perform a post-election audit to verify that the equipment tabulated the votes correctly. With a heightened concern about cybersecurity and security in general, electronic voting equipment systems are in the spotlight. Could they be susceptible to possible intrusions and alterations by “bad actors”? Common practice does not have these voting machines connected to the internet, and therefore any intrusions would have to be accomplished on an in-person, one-at-a-time level. Note, too, that physical security measures such as tamper-proof seals, cameras in equipment storage areas and pre-election logic and accuracy testing make intrusions difficult. Requiring paper ballots or a paper trail/record can alleviate many of these concerns. In any audit or recount, paper ballots allow election officials to match every recorded vote with a physical ballot. If any questions arise, paper ballots serve as the ultimate fail-safe. To learn more, visit NCSL’s pages on Post-Election Audits and Voting Systems Standards, Testing and Certification.
After an Election
Ballot reconciliation. Some states require ballot reconciliation at in-person polling places—an accounting for all ballots, those that were voted, spoiled in some way and set aside, or never voted. By requiring a tally or reconciliation, the chance of ballots being misplaced and left uncounted drops. Reconciliation can work for electronic votes, too—if the voter files say 100 people came in to vote, and only 99 votes are recorded, can these be reconciled by a log of irregularities? It’s not unheard of for a voter to leave before actually casting a ballot—an anomaly that can be logged. The EAC’s 6 Tips for Conducting Election Audits contains a section on ballot accounting and reconciliation.
Post-election audits. Post-election audits check that voting systems properly counted ballots. Audits involve manually checking a representative sample of paper ballots to confirm that counting software has functioned correctly. Risk-limiting audits, which examine a statistically significant sample of ballots based on the margin of victory, are the state-of-the-art approach. See NCSL’s webpage on Post-Election Audits for information on state requirements.
Referring election crimes for prosecution. State laws on election crimes vary, but in general they fall into the following categories: absentee voter fraud, fraudulent voting (i.e. voting while knowingly ineligible), voting more than once, tampering with an election machine (see NCSL’s page on this for more information), malfeasance on the part of election officials, voter impersonation, undue influence or coercion, fraudulent registration, buying or selling votes, and voting in the name of another. Election crimes are often a felony, and can carry large fines or imprisonment. Suspected crimes are referred to the relevant prosecutor authority, at either the state, county or local level.
Securing voter registration data. Legislators can ask questions about security processes that election officials have for securing voter registration data, and encourage them to follow best practices. Statewide voter registration databases are not connected to the casting and counting of ballots, and don’t threaten the outcome of an election, but their security matters nonetheless. Stolen, deleted or modified data are all concerns. These actions could create chaos on Election Day as voters try to check in and find that they are no longer on the voter rolls, which is an incentive to safeguard this information. For more, see NCSL’s LegisBrief on Securing Voter Registration Systems and the EAC’s Checklist for Securing Voter Registration Data.
Cross-state data matching. Some states participate in database matching programs that compare information on who voted between states to potentially catch double voters. Cases that are found can be referred for prosecution, depending on state law. This can occur as a one-time check after an election, or can be part of an ongoing effort to “clean up” voter rolls and ensure that they are accurate and inclusive. More information can be found on NCSL’s webpage on Voter List Accuracy.
Protecting individuals’ voter information. Legislators can also examine state policies for protecting voter information, and what voter information is made available to campaigns and the public. States may redact voters’ Social Security numbers and dates of birth, for example, or put restrictions on who is able to request a voter list. Ask NCSL for more information.
Invest in security. Hiring cybersecurity consultants or more IT staff, or sending IT staff for professional training, may be useful. Investing in cybersecurity training for state and local officials may pay off too. States can also consider the Department of Homeland Security (DHS)’s offer of assistance. Last year, DHS designated elections as “critical infrastructure.” States may or may not appreciate this new designation: Some consider it a federal usurpation of state responsibilities. The National Association of Secretaries of State is on record opposing the designation. And yet, along with this designation comes the option of assistance from DHS to audit state systems for cybersecurity vulnerabilities and more. The U.S. Election Assistance Commission has a white paper, U.S. Election Systems as Critical Infrastructure, which explains the designation and the technical options available. See this slide show from DHS’s Geoffrey Hale.
Compliance Audits. Often overshadowed by post-election audits, compliance audits serve as another measure to ensure the integrity of election procedures and processes. Compliance audits review the processes and procedures utilized by election officials throughout the election process. A compliance audit could include:
- Examining the chain of custody of voted ballots by reviewing signature logs
- Checking tamper-proof seals and seal logs on voted ballot containers and voting equipment when transporting to and from storage
- Comparing the number of votes cast in a precinct to signatures recorded in the precinct poll book, then documenting and investigating any discrepancies
The overall goal of a compliance audit is to test the procedures and processes to find systemic issues or failures within the system. If the underlying processes and procedures are found to be secure, it adds further validity and assurance that the result is correct. For additional information, visit NCSL’s page on Post-Election Audits.
California AB 1044 required anyone requesting voter registration information (the voter list) to take a training course regarding data security before getting access to the data.
Florida SB 7066 included a requirement that minimum security standards established by the department of state must include chain of custody procedures and security for transporting and storing ballots.
Indiana SB 558 included a variety of updates to election procedures, including requiring multi-factor authentication for the statewide voter registration database and requiring voting system vendors to disclose information about foreign nationals who may control or have an ownership interest in the vendor.
Indiana SB 570 contained a variety of security updates, including a requirement that electronic voting machines must contain a paper trail before December 31, 2029 and that voting system vendors must report information related to system malfunctions. It required the establishment of proficiency standards that individuals must meet in order to access the statewide voter registration file. It also contained a variety of physical security procedures for polling locations, electronic poll books and voting systems. It would keep information that would jeopardize a voting system or voter registration system confidential.
Oklahoma SB 261 authorized the secretary of the state election board to promulgate rules and procedures for security measures as may be necessary to protect the voting devices, election system or voter registration system from cyber security threats or physical security threats. It also required county commissioners to implement security measures at the county election board to ensure the county election board office is adequately protected from physical intrusions or attacks and to provide cybersecurity for county-owned computer systems operated by the county election board. County officials would need to immediately inform the state election board of any intrusions or cyberattacks and the secretary of the state election board can declare an election emergency in cases of election interference, massive equipment failure or a verified security threat.
Texas HB 1421 required the secretary of state to adopt rules defining classes of protected election data and establishing best practices for identifying and reducing risk to the electronic use, storage, and transmission of election data and the security of election systems. It also required training on cybersecurity to be provided to local election officials, and a communication plan for any breaches in election data.
Virginia HB 2178 required the state board of elections to promulgate security regulations and standards for the voter registration system and supporting technologies. Local boards are also required to develop and annually update written security plans and procedures. It also established a work group prior to adopting security standards, and a standing advisory group of local government IT professionals and general registrars to assist and consult on updates to security standards.
- California AB 3075 established the Office of Elections Cybersecurity to coordinate efforts between the Secretary of State and local elections officials to reduce the likelihood and severity of cyber incidents that could interfere with the security or integrity of elections in the state, and to monitor and counteract false or misleading information regarding the electoral process that is published online or on other platforms and that may suppress voter participation or cause confusion and disruption of the orderly and secure administration of elections.
- California AB 1678 required the secretary of state to adopt regulations describing best practices for storage and security of voter registration information. It also required a person or entity who has received voter registration information to disclose a breach in the security of the storage of the information to the secretary of state, and made it a misdemeanor to cause to be distributed or to distribute misleading or false voting information to a voter.
- Illinois SB 2651 established a cyber navigator program to support election authorities' efforts to defend against cyber breaches and detect and recover from cyber attacks. The bill required that at least half of the state's HAVA funds be used for the program. It also required local election officials to submit information, every two years, on the voting equipment used, the age and functionality of that equipment, and a formal letter containing a description of the status of the equipment, the perceived need for new equipment and the costs associated with obtaining new equipment.
- Indiana SB 327 included several security-related changes. It permitted counties to apply for reimbursement for expenditures made to secure and monitor facilities where voting systems and electronic poll books are stored, enhanced physical security requirements for voting equipment, restrictions on disposal and sale of old voting equipment, and reporting requirements for jurisdictions that discover tampering with electronic poll books or the statewide voter registration database.
- Iowa HB 2252 added an option for one of the Iowa Board of Examiners for voting systems to be trained in cybersecurity. Existing language required one of the examiners be trained in computer programming and operations. New language added "or cybersecurity."
- Kansas SB 56 created the Kansas Cybersecurity Act. It established an information security office and chief information security officer to ensure compliance with cybersecurity laws, rules and regulations and coordinate cybersecurity efforts between executive branch agencies. It specifically requires all executive branch agency heads to notify the chief information security officer of any breaches or unauthorized exposures of data within 48 hours, and also requires notifying the secretary of state if the breach involves election data.
- Louisiana HB 601 prohibited state and local election officials from disclosing specific information regarding the state voter registration database, election management system, or voting equipment, and any information contained within those systems that may impair the security of the systems or integrity of the information maintained within them.
- Maryland SB 281 added the state administrator of elections (or designee) to the Maryland Cybersecurity Council.
- Maryland HB 1331 required the state administrator of elections to submit a report to the Department of Information Technology within 7 days after becoming aware of a security violation involving an election system.
- See NCSL’s webpage on Post-Election Audits for recent enacted legislation on that topic.
- Articles from NCSL’s newsletter The Canvass:
- Additional NCSL Resources
The Department of Homeland Security (DHS) offers a variety of free cybersecurity resources for state and local election officials as part of the critical infrastructure designation.
The U.S. Election Assistance Commission (EAC) is a clearinghouse for election administration information and best practices, and has multiple security and cybersecurity resources.
The Defending Digital Democracy Project of the Belfer Center at the Harvard University Kennedy School of Government created three guides for state and local election officials.
The Center for Internet Security has resources on best practices for protecting elections infrastructure.
National Institute for Standards and Technology (NIST)