Election Security | Cybersecurity: What Legislators (and Others) Need to Know

Read on to learn more about voter confidence and ways to address the effect of misinformation campaigns on voter perceptions.

Overview

Since cybersecurity in elections thrust itself into the public eye prior to the 2016 presidential election, many state, local and federal officials saw that the greatest threat to the process was not that votes would be changed or that an election would be influenced by bad information. It was that voters would not have enough confidence in the system to get out and vote. The foundation of our democracy is based on voters being confident that when they vote, their ballots are counted as cast.

In an interview for the September 2016 issue of NCSL’s elections newsletter, The Canvass, EAC Chairman Tom Hicks said, “Voter confidence is of the upmost importance, and conversations that are not based on credible threats and that occur too close to elections can unnecessarily reduce this confidence.”

The concept of “voter confidence” has been studied and measured in some form since the controversial 2000 presidential election. In the summer of 2018, the Massachusetts Institute of Technology’s Election Data and Science Lab released voter confidence survey data from before and after the 2016 election. The survey asked respondents “How confident are you that your vote will be/was counted as you intended?” The results:

1. Voter confidence was higher after the election than before.
2. Voters are more confident that their votes are counted as intended in their own county or locality than confident that votes are counted accurately in other parts of the country.
3. If the candidate the voter supported won, those voters are more confident that their vote was counted accurately.
4. For those same voters, the larger the margin of victory, the more confident supporters were that their vote was counted accurately.

Credit: MIT Election Data and Science Lab

Concrete steps that state legislators can take to increase voter confidence may seem elusive. As noted in the MIT report: “It's common to justify election reforms by arguing they will increase voter confidence in the electoral system. However, there's little evidence that election administration has a direct effect on voter confidence. The major exception to this statement is that voters who experience problems at polling places tend to be less confident than voters who don’t.”

It’s not all doom and gloom, though. Research conducted by the MIT team and others shows, “Where election administration has some influence on voter confidence is on how voters experience the process and whether that experience is positive. … Voters tend to be more confident when they don’t wait a long time to vote, when they encounter polling place officials who seem competent, and when they vote in person rather than by mail. Some of these factors certainly can be affected by state policies, but more often, they are influenced by local administrators' decisions about how to allocate resources to polling places and how rigorously they train poll workers.”

The Risks

If malicious actors want to impact public confidence in the American election system, they don’t have to gain access to a voter registration system or manipulate vote tallies. Instead, they can sow confusion and discord with a tweet or social media post, or a full-on influence campaign.

Stories are spread via social media faster than ever these days, whether true, false or somewhere in between. Social media companies can delete fake accounts, and Congress is considering what other measures might be available to reduce false and misleading information. The one point of agreement: This is not an easy problem to fix.

The biggest risk to election administration is that voters will begin to believe an inaccurate or misleading story about where or how to vote, or how votes are tabulated, and soon voter confidence in the legitimacy of the election is at risk.

These campaigns can send people to the wrong location, thus denying citizens their right to vote. Or they can negatively impact voters’ perceptions of the election system as a whole. It may be easier to damage trust than it is to rebuild it. Voter confidence is a key to democracy’s success; our nation operates on trust. It is “trust but verify,” though.

Mitigations

If misleading information is the problem, then communicating accurate information from official sources is a good response.  

When legislators, the media and the public know elections are run under careful procedures that are intended to stop (or at least minimize) risk from outside intrusions and manipulations, then confidence is deservedly high. Legislators can use the power of their offices to share with constituents what they know about existing levels of security, and therefore spread the word that elections are designed to provide reliable results.

Steps State Legislators Can Take

• Watch your words. Language and the use of correct words is integral to relaying accurate information. Terms such as “cyberattack” or “hack” can be imprecise and convey an inability to define what exactly happened. “Distributed denial of service (DDoS) attack” or “scan” are specific and known threats. Learn more about common election security terms from the Center for Democracy & Technology.
• Know your election officials. Do you know who your local and state election officials are? Do you have their contact information? These individuals will serve as your elections experts and can provide you with accurate and up-to-date information that can be conveyed to the media and constituents.
• Know your elections systems. State election systems are really a system of systems. What’s the difference between a voter registration system, election management system, election voting equipment and election night reporting system? Speak with your local or state officials to learn more about these systems and how they interact in your state.          
• Have a plan for effective, positive communication. States are very likely to have an established communication plan in the event of an election-related incident. Find out what it is and get on the distribution list so you can provide the most accurate and timely answers, as well.
• Review the Election Cyber Incident Communications Coordination Guide put out by the Belfer Center’s Defending Digital Democracy Project for more ideas.

Read on to learn about technology involved in voter registration and where these systems might be vulnerable.

Overview

Voter registration is the gateway to well-run elections. Because of this, the registration process and management of voter lists are always on legislators’ and administrators’ minds. The 2016 attempts by bad actors to intrude into state voter registration systems simply increased this interest. 

The states’ registration systems are where data on the nation’s 200 million registered voters are stored, and therefore these systems can be targets for cyberattacks. Indeed, voter registration is the most public-facing part of a full elections system. While any disruptions to voter registration may be disruptive to an election, they won’t change vote totals or the outcome of an election.

Statewide Voter Registration Systems

In 49 states, an eligible citizen must be registered to vote. 

Even though details on how voter registration systems are created and maintained varies among the states, they can be divided into two main models:

• Top-Down. In top-down systems, the state election office handles much of the voter registration functions and pushes voter registration information down to the local or county level.

• Bottom-Up. In bottom-up systems, local- or county-level election officials handle voter registration responsibilities for their jurisdiction and send their information up to the statewide system.

Each has its own security advantages. Top-down systems can minimize the attack surface, making it easier to defend since there are fewer access points for malicious actors. In bottom-up systems, counties have their own copy of the voter list so there are multiple backups if the central one is attacked. See this breakdown from the U.S. Election Assistance Commission (EAC) on which type of system your state has.

Regardless of the system in place, voter registration is the first interaction most voters have with the election administration. For more information on voter registration, see NCSL’s Voter Registration page.

How Voters Get Registered

Voters are added to statewide voter registration systems in a variety of ways. Nationwide, the most common method for new voters to register, or for existing voters to update their addresses, is through the state department of motor vehicles (DMV).

After the 1993 enactment of the National Voter Registration Act (NVRA), also known as Motor-Voter, in most states the DMV and other state agencies were required to offer citizens the chance to register to vote while interacting with the agency. As technology progressed, not only did the voter registration process get digitalized, so too did the system to transmit that information directly from the DMV to the state voter registration system.

States fall on a spectrum of how automated this process is. At one end of the spectrum, it is a manual process where DMVs provide applicants with paper forms that are then sent to local or state election officials to be keyed into the voter registration system. In other states, the DMV sends the voter information to the election authority digitally.

The states that have embraced even more automation include those with Automatic Voter Registration, although other states have automated the process as well. Automatic or automated voter registration involves the electronic sharing of information between DMVs and state election offices to verify new voters for eligibility (citizenship, age and residency), compare that to the information already in the statewide voter registration database and, if there is no existing registration, add the applicant to the voter rolls.

Other common state agencies that may send records, whether physical or digital, to the voter registration system could include social service agencies as required by the NVRA, the departments of health (for death records), corrections/courts (for felony convictions) or the departments of revenue.

Increasingly, Americans are registering online. In 2002, Arizona was the only state that had initiated online/paperless voter registration. As of 2018, 38 states and the District of Columbia have online voter registration systems, making this policy one of the fastest-moving elections policy trends in the last 20 years.

Online voter registration follows essentially the same process as traditional registration, but instead of filling out a paper application, the voter fills out an online form, which is submitted electronically to election officials. In most states, the application is reviewed electronically; if the request is confirmed to be valid, the new registration is added to the state’s voter registration list. In most states, online voter registration systems are an option for people who have state-issued driver’s licenses or identification cards, although a few states provide online access for other potential voters, as well. In all states, paper registration forms are available for anyone, including those who cannot register online.

Electronic Poll Books

As states explore new technologies to facilitate the voting process, the use of electronic poll books (e-poll books) is becoming increasingly prevalent. Traditionally a paper poll book, a list of eligible voters in the district or precinct is kept in each voting location. An e-poll book, usually a tablet or desktop computer, replaces the paper list and can provide other functions, such as updating voter information on the spot. To learn more about what e-poll books can do and things to consider, visit NCSL’s Electronic Poll Books page.

For examples of state e-poll book requirements, visit the U.S. Election Assistance Commission page on E-pollbook Requirements.

The Risks

Since voter registration systems are the way that the list of eligible voters for each polling place is generated (either on a paper poll book or an e-poll book), an attack on a state’s voter registration system could wreak havoc at polling places on Election Day. With access to the voter registration list, a malicious actor wanting to disrupt an election could delete voters from the list, or change voter information, and therefore prevent eligible voters from voting. Done on a large scale, it could disenfranchise many voters, create long lines, and generally sow confusion and mistrust.

Because of the amount of data kept in voter registration systems, and because these systems sometimes connect with other networks, voter registration systems can be a target of cyberattacks. The goal could be to disrupt Election Day, or it could be to get information on a large number of people. Any large data sources are vulnerable in this way—businesses and other governmental entities such as Target, the Office of Personnel Management and Equifax, have all had their data systems breached. If malicious actors can get access to personally identifiable information by getting access to a statewide voter registration system, they may be able to use this information for other criminal activities.

Mitigations

Outlined below are general cybersecurity practices that many states are using to protect and defend their voter registration systems against potential cyberattacks. Most of these are managed administratively and do not require legislation. Still, policymakers benefit from understanding the choices their election officials are making.

Access Controls. “Access” refers to the ability of an individual to enter a system and retrieve or change data, particularly sensitive information. For voter registration systems, local election officials are likely to have access to create new registrations or to change names, addresses, party affiliations, etc. on existing registrations. Authorized technology providers are likely to have access to the background code to make updates. All these are normal activities and happen on a regular basis. However, it is doubtful that a local election official would need to access the background code. Establishing access controls and giving varying degrees of access to individuals based on their roles, and perhaps for different time frames, is an easy step toward securing voter registration systems and data.

Passwords. To gain access, users have passwords. Although there are varying requirements, most require a minimum number of characters, the use of varied characters types (letters, numbers and symbols) and frequent password updates. Many also prevent the use of common passwords, such as “password.”

Multi-factor Authentication (MFA). Multi-factor authentication is another method to help secure access to a system. MFA generally requires that an individual use not only a password, but also another authentication method (hence, “multi”). An everyday example would be withdrawing money from an ATM. You not only need your physical card (the first factor), but you also need your passcode (the second factor). The same principle applies while accessing a computer system. The factors might be a combination of a password, a code sent to the email or phone associated with the account, a fob, or a number determined from a “bingo card” that cycles or changes at given intervals (for example, today your password is found in box “A3”).

Logging and Monitoring Activity. Many voter registration systems maintain an internal log that tracks not only what changes are made, but who made them and when. An audit log can help identify if there is unusual activity and who may be performing those actions. It can be established to provide alerts in cases of unusual activity. Some things that may be monitored are:

• Successful and unsuccessful login attempts.
• Unauthorized or abnormal database queries. In 2016, the Illinois voter registration was compromised by an SQL injection. This means the attackers exploited a search feature on the website and were able to input a command code to gain access the system. SQL injections use malicious code to manipulate your database into revealing information. (Illinois’ existing detection system found the SQL injection, and staffers were able to take appropriate action. No voter records were changed.)
• Traffic patterns. Although a spike in internet traffic to a voter registration system in not inherently bad—it could be a voter registration drive, for example—it could also be the work of intruders.
• Albert sensors. Because elections have been deemed critical infrastructure by the federal government, states and local jurisdictions have increased access to resources, such as low-cost Albert sensors. These are intrusion detection systems that can identify and report malicious activity to users and are provided by the Department of Homeland Security.

Training. Often, humans are the weak link in cybersecurity. By training election officials and staff in basic cybersecurity, it is possible for those individuals to identify and avoid potentially damaging actions, such as phishing.

Regular Back-Ups. Data in a voter registration system, or any system, must be backed up regularly, and that back-up copy must be stored separately from the rest of the voter registration system. Plans to restore the system in the event of a successful intrusion are vital. Backed-up data must be tested regularly to ensure it is complete, uncorrupted and usable.   

Provisional Ballots. Also referred to as “challenge ballots” or “affidavit ballots” in some states, provisional ballots are required by the federal Help America Vote Act of 2002 (HAVA) and can also act as a “backup” measure. When there is uncertainty about a voter’s eligibility—the potential voter’s name is not on the voter roll, a required identification document isn’t available or other issues—the election official is required to offer the voter a provisional ballot instead of a regular ballot. Provisional ballots ensure that voters are not excluded from the voting process due to an administrative error. They provide a fail-safe mechanism for voters who arrive at the polls on Election Day and whose eligibility to vote is uncertain. 

In the age of potential cyberattacks, provisional ballots have the added advantage of providing a mechanism to vote for those who have been affected by an attack on the voter registration system. If their names have been deleted, or their information changed by a cyberattack, they still have the option of casting a provisional ballot.

In nearly all states, after being cast, the provisional ballot is kept separate from other ballots until after the election. A determination is then made as to whether the voter was eligible, and therefore whether the ballot is to be counted. Generally, a board of elections or local election officials will investigate the provisional ballots within days of the election.

States vary greatly in how provisional ballots are handled and in the number that are issued and rejected, and both the processes and the data are tracked by the U.S. Election Assistance Commission (EAC). States can have as few as 100 provisional ballots cast statewide, or as many as 100,000. For more on provisional ballots, visit NCSL’s webpage on Provisional Ballots.

Communicating with Other States. After the 2016 election, the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) was created as a subset of the already existing Multi-State Information and Sharing and Analysis Center operated by the Center for Internet Security. The EI-ISAC helps election authorities by sharing, at no cost, information on potential cyber incidents, threats and vulnerabilities so that they can help support and defend each other. It also provides threat intelligence, monitoring, trainings and other services to help beef up the cybersecurity know-how of election officials. At least some jurisdictions in all 50 states are participating, and all jurisdictions are encouraged to join.

Some states also participate in programs that compare voter information between states, such as the Electronic Registration Information Center (ERIC), to help keep voter lists up to date. While not addressing cybersecurity, participation helps keep voter rolls clean, by flagging records of voters who may be registered in more than one state. Clean rolls reduce the risks of double voting and the use of provisional ballots in cases where the rolls are not accurate. It also seeks to identify voters who are not already on the rolls to engage them in the process.

Steps State Legislators Can Take

• Ask state election officials how their voter registration systems are structured. Are they top-down? Bottom-up? A hybrid of the two?
• Ask state elections officials about existing prevention, detection and mitigation strategies.  Include questions about how they back up their data, and how they test the back-ups.
• Examine policies around security for online voter registration systems. Because online voter registration offers a way for the public to interact, it can be a target for bad actors. Security policies may appear in statute but may also be established through administrative policies implemented by the state election or technology office.
• Examine state policies for protecting the personal information of voters. What voter information is made available to campaigns and the public? States may redact voter’s Social Security numbers and date of birth, for example, or put restrictions on who is able to request a voter list (see NCSL’s webpage on Access to and Use of Voter Registration Lists for more information).
• Ask about security for data exchanges between your state’s election authority and other state agencies. Automating the transferal of data is more secure than typing in information from a hand-written form. What security measures are in place around that process?
• Consider joining an interstate voter list comparison program. Joining the Electronic Registration Information Center will provide your state with information about people who are registered in more than one location, so your state can take follow-up action.  
• Look at policies that create back-up options for voters. If there was a large-scale attack or disaster, would your state be prepared for a large number of voters to cast provisional ballots? How are those ballots processed and counted in your state? States that have same-day voter registration may be able to accommodate voters more easily in this situation (See NCSL’s webpage on Same-Day Voter Registration.)
• Consider what your state does to periodically “audit” the voter registration system. This ranges from examining the log of changes made to voter registration files to monitoring the system for evidence of unusual activity. Installing Albert sensors, available for a minimum cost from the Department of Homeland Security, can help.
• Consider statutory requirements or a testing and certification process for e-poll books. The federal government sets voluntary guidelines for voting equipment, but that does not cover voter registration systems. A few states have established their own requirements.
• Think about election security during the appropriations process. Does your state election office have the staffing, technological expertise and resources necessary to meet today’s cybersecurity challenges? Generally, funding for elections is a local responsibility, but states are providing assistance more often than in previous decades. (See NCSL’s The Price of Democracy: Splitting the Bill for Elections.)
• For additional information, see the Center for Election Innovation & Research report on how states are protecting their statewide voter registration systems.

Read on to learn more about policies and practices states undertake to secure their elections equipment. When most people think of election technology, they think of the equipment used to cast and tabulate votes. Regardless of the specific equipment in question, the testing, certification and security of all election equipment is vital.

Overview

The technology used in elections is ever-expanding (see NCSL’s Elections Technology Toolkit for more information). This section provides a primer on types of voting equipment, some considerations for this equipment (accessibility needs, human readability, a paper audit trail), and testing and certification. In terms of mitigations, post-election audits are presented in some detail.

Types of Voting Equipment

The Help America Vote Act (HAVA) of 2002 required that states replace older lever and punch-card voting machines and provided states with funding to upgrade their election equipment. While a few small jurisdictions hand-count ballots, most jurisdictions now use two types of technology for tabulating votes: optical (or digital) scanners to count paper ballots, or Direct-Recording Electronic (DRE) machines.

There are also ballot-marking devices that provide an electronic interface for voters with disabilities to mark a paper ballot. More on each of these options follows below.

Direct-Recording Electronic (DRE) Voting Machines. Voters can directly vote on a DRE by touching a screen, pushing buttons or otherwise manually interacting with the equipment. A DRE records the individual votes and vote totals directly into computer memory and does not use a paper ballot. Some DREs come with a voter-verified paper audit trail (VVPAT), a permanent paper record showing all votes cast by electors on that machine. Voters who use DRE voting machines with paper trails can review a paper record of their vote before casting it, although no receipt is provided to them. The VVPAT can be used as the vote of record for counts, audits and recounts.

Optical/Digital Scanners (for paper ballots). Paper ballots marked by the voter are scanned and tabulated on a precinct-based optical scan system in the polling place (a “precinct count system”) or collected in a ballot box to be scanned at a central location (a “central count system”). Most older optical scan systems use infrared (IR) scanning technology and ballots with timing marks on the edges to accurately scan the paper ballots. Newer systems may use “digital scan” technology that takes a digital image of each ballot during the scanning process. Some vendors may use commercial-off-the-shelf (COTS) scanners along with software to tabulate ballots, while others use proprietary hardware.

Ballot Marking Devices (BMD).  With a ballot marking device, the voter makes his or her selections in a manner similar to on a DRE, by touching a screen or otherwise interacting with the device. The BMD does not record the voter’s choices in its memory. Instead, when the voter is done, the marked ballot is printed. The resulting printed paper ballot is then counted using an optical or digital scan machine. BMDs are useful for people with disabilities but can be used by any voter. Some systems produce a full ballot exactly like a ballot marked by hand. Others produce smaller print-outs with the voter’s selections for review and bar codes or QR codes that are read by the scanner. 

Hand count. A handful of small jurisdictions in the United States hand count all paper ballots. Others hand-count some paper ballots, such as absentee or provisional ballots.

Accessibility Requirements

The Americans with Disabilities Act of 1990 requires that polling places be accessible to all. HAVA requires at least one accessible voting device in each polling place that permits voters with disabilities to cast their votes privately and independently. DREs meet these federal requirements. Paper ballots typically do not provide the same ability for voters with disabilities to vote privately and independently, either because of manual dexterity, reduced vision or other disabilities that make paper hard to use.

These voters may need assistance from another person and can bring an assistant of their choice to a polling place. However, federal law is clear that polling places in paper-based jurisdictions must provide at least one accessible option, likely either a ballot marking device or a DRE. All voters—those with and without disabilities--may choose to use them.

The Risks

There have always been risks associated with voting. Everyone has heard stories of ballot boxes conveniently “forgotten,” or “stuffing” a ballot box, or “rigging” a heavy, old lever voting machine. If voting machines are not connected to the internet, a malicious actor presumably cannot remotely access them, but many researchers have shown they can hack into a machine if they can gain physical access to it. All this means that the physical security features and procedures that election officials have always had in place still have a prominent role in protecting elections. And yet, there are new concerns as well:

• If the equipment tabulating votes doesn’t have a paper audit trail, in the event the equipment is compromised in some way, it could go undiscovered.
• If federal guidelines and state standards aren’t up to date, there are opportunities for sub-par or insecure systems to be marketed to location jurisdictions.
• A newer concern surrounding ballots and ballot design is ensuring that ballots are “human readable.” Some newer voting equipment, usually ballot marking devices, print a paper ballot that contains not only the voter’s selections, but also a barcode or QR code associated with the voters selections. The vote tabulator scans the bar code to count the vote. Security analysts point out that because humans can’t read bar codes, they can’t verify whether their votes are being recorded as intended. The National Academies of Science 2018 report, Securing the Vote: Protecting American Democracy, recommends that elections should be conducted with human-readable paper ballots.

There are policies that election authorities and legislatures can take to address these issues, though.

Mitigations

Testing & Certification

State statutes outline testing and certification standards, and, in most states, local jurisdictions select and purchase voting systems by selecting from options that have been approved at the state level.

That approval includes a testing process to ensure a voting system meets state standards, which oftentimes rely on voluntary federal standards. Voting system vendors are responsible for ensuring that their systems are tested—often through a federally accredited Voting Systems Test Laboratory or VSTL—to the required standards. Once testing is complete, approval is issued at the state level and local jurisdictions may purchase the system. More information on state requirements and the extent to which they rely on federal voluntary standards can be found on NCSL’s webpage on Voting System Standards, Testing and Certification.

Logic & Accuracy Testing

Nearly all election jurisdictions engage in testing of their systems and ballots before every election. Statutes sometimes require this kind of “logic and accuracy testing,” and even when they do not, it is a common practice for local election officials.

Logic and accuracy testing is generally conducted in public and serves dual purposes. First, it demonstrates that the voting system accurately and completely tabulates the ballots and reports the results. Second, when the public is invited to watch “L and A testing,” voter confidence increases. Before an election, election officials create a “test deck” of ballots (a stack of all ballot styles with different iterations of marked ballot selections) that are run through tabulators to ensure races are being accurately recorded and tabulated.

To learn more about logic and accuracy testing, read the “Pre-Election Logic and Accuracy Testing and Post-Elections Audit Initiative” report from the Indiana Election Division and Ball State University to the U.S. Election Assistance Commission.

Secure Physical Storage. Between elections, equipment is stored in a secure location. Good security procedures may include security cameras, limiting access to certain locations, logs of who enters and exits secured areas, a requirement that bipartisan teams perform certain tasks, and redundancy measures to preserve accurate vote totals.

While legislation on storage requirements is rare, storage is a key issue for local or state officials. Proper storage also extends the life of elections equipment. See the U.S. Election Assistance Commission’s paper on 10 Things to Know About Managing Aging Voting Systems for more. At polling locations, physical measures exist that keep equipment and election materials safe, such as tamper-proof seals, creating “zero reports” on voting equipment to ensure that no votes were cast prior to the opening of the polls and officials working in bipartisan teams. See the chapter in the EAC Election Management Guidelines on Physical Security for more information.

Regardless of whether ballot counting is done on a DRE or through a scanner, one common practice is to “air gap” voting equipment. An air gap is the intentional, physical isolation of equipment or systems from other systems or networks. In practice, this means that voting equipment is not connected to the internet. Combined with proper physical security practices, the ability to access and tamper with voting equipment becomes very difficult. 

Chain of Custody. Election officials have procedural systems to check who has done what, and when. These systems include strict chain-of-custody rules that prevent voting system components from falling out of custody, undetected. For example, ballots often have a “chain of custody” requirement, calling for poll workers or officials who are moving ballots to log what they did—how many ballots were moved from room to room, taken to a polling place or post office, counted, etc. Movements of equipment are recorded as well. Procedures such as these allow officials to track election-related materials and provide a chronological record that can be reviewed should a problem or inconsistency arise.

Backups of Vote Tallies. Vote totals are backed up on redundant storage devices within voting equipment, and e-poll books may be backed up with paper poll books. These built-in redundancies are designed to keep elections running smoothly in case of disasters. Disasters could be natural, such as fires and floods, or cyber disasters, when foreign or domestic bad actors attempt to tamper with election equipment or otherwise disrupt the election.

Ballot Reconciliation. Some states require ballot reconciliation at in-person polling places. A reconciliation is an accounting for all ballots, including those that were voted, spoiled in some way and set aside or never voted. By requiring a tally or reconciliation, the chance of ballots being misplaced and left uncounted drops. Reconciliation can work for electronic votes, too—say 100 people came in to vote, and only 99 votes were recorded—can these be reconciled by a log of irregularities? It’s not unheard of for a voter to leave before actually casting a ballot—an anomaly that can be logged. The EAC’s 6 Tips for Conducting Election Audits contains a section on ballot accounting and reconciliation.

Tampering with Voting Equipment as a Crime. Almost all states list election fraud as a crime and many also specifically criminalize tampering with voting equipment. If a person tampers with a voting machine, stuffs a ballot box or otherwise cheats, it is a prosecutable offense, often accompanied by hefty fines and jail time. See NCSL’s webpage on State Statutes Prohibiting Tampering With Voting Systems for more information.

Post-Election Audits

A post-election audit checks that the equipment and procedures used to count votes during an election accurately counted votes. While the phrase "post-election audits" can be used to mean a variety of election validation efforts, as a term of art it refers to checking paper ballots or records against the results produced by the voting system to ensure accuracy.

Credit: NCSL, Dec. 21, 2018

A post-election audit typically requires a paper audit trail, which may include voter-marked paper ballots, voter-verified paper audit trails produced by direct-recording electronic voting machines (DREs) or paper ballot records produced by ballot-marking devices. There are several variations of post-election audits used in states.

Traditional Post-Election Audits. Most audits look at a fixed percentage of voting districts or voting machines and compare the paper record to the results produced by the voting system. Even in a landslide election, they will count the same number of ballots as they would in a nail-biter election. Some states have a process by which some or all of the audit can be conducted electronically. This may be done with the assistance of a computer or a tabulation device other than the one that was initially used to tabulate results. And, some traditional post-election audits use a "tiered" system, which means a different number of ballots are reviewed, depending on the margin of victory.

Risk-Limiting Audits. In recent years, researchers have developed statistically based audit techniques that cut down on the number of ballots to be audited, while also providing statistical confidence that the election result is correct. As defined in Washington, “a ‘risk-limiting audit’ means an audit protocol that makes use of statistical principles and methods and is designed to limit the risk of certifying an incorrect election outcome." If the margin is larger, fewer ballots need to be counted. If the race is tighter, more ballots are audited.

For risk-limiting audits, the U.S. Election Assistance Commission notes that not only is a paper trail a requirement, but so too is a proper chain-of-custody process and the ability to trace individual ballots. Without a paper record, the ability to compare a physical ballot to an electronically counted vote is impossible.

Procedural Audits. States may have a process for ensuring that the correct process and procedures were followed during the election. This is referred to as a “procedural audit” and may be conducted instead of or in addition to a post-election audit. Procedural audits vary in their scope and comprehensiveness, but almost always include a ballot accounting and reconciliation process. This isn’t a check that the software in the voting machine is working correctly, but rather a check on the human processes.

For more information on each of these audit options, as well as detailed information on what state laws on post-election audits contain, see NCSL’s webpage on Post-Election Audits.

Steps State Legislators Can Take

• Review state voting system requirements. Are they up to date and relevant? Many state statutes reference outdated equipment or are so specific they constrict the number of choices when it is time to replace equipment.

• Require a paper ballot or paper audit trail. As states replace old equipment, or set new standards for local jurisdictions to follow when replacing old equipment, most are choosing to require a paper ballot or a paper trail that can be audited.

• Review state requirements for the testing of voting equipment. What is your state’s process for testing and certifying equipment? Are logic and accuracy tests required before each election to ensure each unit is accurately counting votes?

• Provide funding for the replacement of outdated voting equipment. Some states traditionally pay for all equipment; others have begun to split the cost with local jurisdictions or provide some kind of support, such as training on new equipment. (See NCSL’s The Price of Democracy: Splitting the Bill for Elections.)

• Require a post-election audit. Well over half the states do have a post-election audit of some kind, to help assure the election outcomes are as the voters intended. In the case of a cyberattack, this capability is even more important. (See NCSL’s Post Election Audits page.)
• Ask your local election officials for a tour of their election facilities. This provides an opportunity to learn about storage for equipment, physical security mechanisms, chain of custody processes and backup plans.

Read on about security issues when it comes to voting online and the ways in which the Internet is currently being used to facility ancillary elections processes.

Overview

In general, the idea of conducting elections entirely via the internet is not something states are considering now or in the foreseeable future. Recently, there have been discussions of using blockchain technology to support internet voting, but there are issues with this (discussed below) that make it unlikely states will go in this direction.

States use the internet for other aspects of the voting process, though. The most common is online voter registration (discussed under the Voter Registration section), although election night reporting and election management systems also rely on the internet. Each of these internet contact points presents some cybersecurity risk, while often reducing other risks and increasing efficiency and accuracy. All businesses and government enterprises must find ways to balance the advantages of internet data processing and storage with cybersecurity protocols. These concerns are not unique to elections.

Below are some of the areas where the internet is used to assist with voting.

Voter Portals

Some states have begun to create election web portals. These web portals are a convenience for voters and may allow them to register to vote (see the section above on Online Voter Registration), change or edit their address or party affiliation, find their polling place, or even request and receive an absentee ballot.

Military and Overseas Voters

The Military and Overseas Empowerment Act (MOVE Act), passed in 2009, requires states to provide blank absentee ballots to military and overseas voters (UOCAVA voters) in at least one electronic format starting at least 45 days before an election. These ballots can be sent to voters via an email attachment, fax or online delivery system. The MOVE Act was enacted because UOCAVA voters often face unique challenges in obtaining and returning absentee ballots within traditional state deadlines. Imagine, for instance, the difficulty of getting an absentee ballot back to a county clerk from a remote military base in Afghanistan.

The federal requirement to accommodate these voters is limited to sending blank ballots to the voters; these are to be printed and returned via conventional mail. Many states have gone beyond the federal requirement to allow UOCAVA voters to submit their voted ballots electronically, as well. See NCSL’s webpage on the Electronic Transmission of Ballots for more information.

Remote Marking Devices (largely for voters with disabilities)

Voters with disabilities may experience significant problems with casting a traditional ballot independently and privately as the Help America Vote Act of 2002 requires. As people age, it becomes harder to see print or to hold a pen steady to mark a paper ballot. At some point, all of us are likely to benefit from technologies that make it easier to mark a ballot.

While voters with disabilities can be accommodated in a variety of ways, “remote ballot marking” is the latest. Remote ballot marking allows a voter, usually someone with a disability that makes voting in traditional ways difficult, to receive a ballot electronically, often via a web-based system. Because the act of marking the ballot on a computer or other device is just that—marking the ballot—some call a remote ballot marking device nothing more than a fancy pencil. The marked ballot is printed and sent back to election officials for counting.

Remote ballot marking is not internet voting. Instead, it uses the internet to transmit a blank ballot to a voter, and to facilitate the act of marking the ballot. But, because data is being transmitted between an election authority and an outside source, it is another point of vulnerability.

The Center for Civic Design, along with the National Institute of Standards and Technology, Verified Voting and usability experts, issued a draft document on Principles and Guidelines for Remote Ballot Marking Systems in 2016. The report identified one of the benefits of remote ballot marking systems as voters being able to use their own, familiar assistive technologies at home, rather than requiring disabled voters to go to a polling place to use a specialized accessible voting machine that must provide all assistive features and hardware for any possible disability. Remote ballot marking systems don’t negate the need for these specialized machines at polling places; at least one per polling location is required by HAVA. They do provide another option for voters who find it impossible to travel to a polling location, or just appreciate the added convenience.

The Risks

Many cybersecurity experts are concerned that any Internet connection at all provides a point of vulnerability for voting. This is particularly a risk with any voted ballots that are returned using the internet but is relevant for any of the uses noted above.

An online voter information portal can be the subject of a DDOS attack, which would cause confusion on Election Day as voters try to find their polling place. It could also potentially provide an “attack vector,” or a way for a malicious actor to get into a larger system, such as the voter registration system, if it provides a direct link and is not sufficiently secured.

Since electronic ballot transmission and remote ballot marking involves a voter’s home system, security is out of the hands of election officials. There is also a possibility for a DDOS attack where attackers disrupt the online delivery or return system by overloading it and prevent communications (i.e. ballots) from getting through. Authenticating voters (i.e. ensuring they are who they say they are and that they qualify for an absentee ballot) remotely is also an issue. Electronic transmission does not allow a voter to verify if the ballot received matches the one sent, and, without a paper record, a cyberattack may be undetectable.

Because election officials can identify the person who sent a ballot back via electronic transmission, ballots are not fully anonymous. Procedures are in place to minimize this risk, including asking voters who return ballots as email attachments to acknowledge that the secrecy of their ballot cannot be fully maintained.

See this document from the National Institute of Standards and Technology for more detailed information. Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters.

Blockchain technology is a shared, verified, but anonymous public ledger of transactions that can be inspected by anyone. It is a system that no single person or entity owns or manages. For cryptocurrencies, those transactions may be the purchase of goods or transfer of funds, in which case the public ledger is helpful. In terms of voting, those transactions could be votes cast. Maintaining the secrecy of the ballot poses special problems. More information on blockchain can be found in the Center for Democracy & Technology’s Election Cybersecurity 101 Field Guide Glossary. 

The first state-based test of this technology came about during the 2018 West Virginia primary election. The pilot program allowed deployed military members from several West Virginia counties to cast their ballots through an app using blockchain. Deeming the pilot during the 2018 primary election a success at providing voting for this specific population, the West Virginia secretary of state opened the technology to deployed military voters in all 55 counties for the 2018 general election. In the end, 144 voters from 30 different counties cast ballots through the app.

Many security experts are wary of the use of blockchain in voting, most notably the insecurity of the internet at large and the devices that would be used by voters. Joe Hall, from the Center of Democracy & Technology states, “The phones we use, the desktop computers we use, the networks in between them, the servers on the other side, every single one of those things is fundamentally insecure.” These experts do not claim internet voting, whether through blockchain or some other technology, will never happen, but that now is not the time.

Proponents of the technology argue that blockchain has not been compromised and is being used for more and more data exchanges. Opponents say every technology is vulnerable and it is only matter of time until blockchain is compromised, too.

Mitigations

Internet voting is not a secure technology at this point. There is no way to mitigate the risks other than to not offer it. However, states can weigh the difficulties that specific voter populations, such as overseas voters and voters with disabilities, have in voting and decide that the risks are worth assuming to provide access to voting for those who might otherwise not be able to vote. 

Steps State Legislators Can Take

• Find out if your state allows electronic ballot transmission. Ask state and local election officials what security mechanisms surround your state’s system.
• Consider other accommodations for special groups. Military voters can get assistance from the Federal Voting Assistance Program. Include representatives of groups for people with disabilities in all discussions about voting.
• Ask state and local election officials what security mechanisms surround voter portals.
• Look at policies for accommodating special groups, such as military and overseas voters or voter with disabilities, and weigh the trade-offs between security and access.

Everyone wants to get results as quickly as possible on election night. Read on for information on how those results are compiled and disseminated, and what risks that process might entail.

Overview

Election night is a televised spectacle, with wall-to-wall coverage starting well before the polls close. According to one report, 36.1 million people tuned in to watch the reporting of the 2018 midterm elections. As soon as polls close, election workers across the nation swiftly work to accurately and correctly tabulate race results. Unofficial results are provided within minutes or hours of the polls closing.

Those results are as advertised: unofficial. Results become official weeks later—and any changes from the election night results beg the question from candidates, the media and the public: Why? The answer is that the counting of provisional ballots, absentee ballots and overseas ballots takes time. And in some states, even the receipt of everyday absentee ballots after the close of polls is OK, so long as they are postmarked by Election Day.

Election night reporting systems work to process and communicate unofficial election results to the public, usually via a website or social media. Generally, election night reporting is a centralized process. Individual precincts funnel their results to a central reporting location at the county or municipal level, which then funnels the combined results to the state, if required.

Depending on the state, election night results are handled in many different ways. Results may be posted for the public to see on the state website, local websites or a combination of the two. States also vary on how results are transmitted. Some jurisdictions hand-deliver reports to a central location and others allow jurisdictions to send results by phone, email or fax. Some states may provide a secure website or portal for jurisdictions to directly upload results.

The Risks

While any malicious changes to the election night reporting process will not affect the final results and therefore won’t affect the outcome of the election, they could easily cause confusion. The perception of weakness in one part of the election system can call into question the security and integrity of the system as a whole, leading to reduced confidence in our systems.

Mitigations

Election night reporting systems are often self-contained and have no connection to the actual tallying of votes. The websites mainly serve as public-facing information centers. However, recent events have shown that these websites could be targets for malicious actors. For example, during the Knox County, Tennessee primary in early 2018, a distributed denial of service attack (DDoS) on Election Day took offline the Knox County Election Commission website that displayed results. No results were changed. Election officials responded by providing printed results.

For more on election night reporting security, see the State and Local Election Cybersecurity Playbook (page 40) produced by the Defending Digital Democracy program at Harvard’s Belfer Center.

Steps State Legislators Can Take

This is not an area where legislation is common. How to secure election night reporting systems has been, so far, an administrative choice. Still, legislators can understand the process and, in their roles as community leaders, can help with messaging.

• Understand that election night unofficial results are unofficial. These early results are provided as a convenience for candidates and the public, so they can get a good idea of who won. It takes time for final numbers to come in. Results are not official until after a state certifies the election, which is typically two to four weeks after Election Day.
• Know who to contact. If you receive questions from constituents or the media about what appears to be changing outcomes, do you know who may have the answers?
• Set the record straight. Work with your local and state election officials to not only get the real information, but also help ensure that the public and media know what information is accurate and what the full post-election timeframe is.
• Assure the public. Public confidence in the election system is vital. Reminders that election night results are unofficial, and explanations about the post-election standard procedures, help.

Read on to learn how election officials are dealing with the prospect of a hurricane, tornado, wildfire, large snowstorm or cyberattack disrupting Election Day. Recently, the prospect of a large cyberattack has brought the issue of what happens in an emergency and what contingency plans are in place to the forefront.

Overview 

Contingency planning is not new to elections, but thinking of it in the context of potential cybersecurity breaches is a modern concern. Contingency planning is a form of risk management in the event that an election does not go off as initially planned. For example, what happens if the power goes out at a polling location on Election Day due to a storm or from a cyberattack? Or an election night reporting website crashes from a distrusted denial of service (DDOS) attack? Or, days before a presidential election, a hurricane crashes into the East Coast? Or, when the polls open, the data in the electronic poll books proves to be corrupted?

The Risks

Election officials spend months planning an election, including what would happen if there were to be an emergency on Election Day. Yet, they can’t possibly predict the emergencies, cyber or otherwise, that could disrupt an election. Many states have adopted laws that could apply to floods, hurricanes, earthquakes, fires, active shooters or even military invasions and cyberattacks.

Since this is an area where the three branches of government tend to overlap, statutory and state constitutional questions are likely to arise. Additionally, the responsibilities of local, state and even federal authorities may not be clearly defined until an emergency happens. For more information of state emergency statutes and the possible role of the executive branch in an emergency impacting an election, visit NCSL’s Election Emergencies webpage.

Mitigations

Hurricane Sandy in 2012 prompted the National Association of Secretaries of State to form a task force on emergency preparedness in 2013, which was updated in 2017. The task force outlined general strategies that could prove useful to states:

• Work closely with other state agencies, especially those that handle state emergencies.
• Provide contingency plans, procedures or materials to local election officials.
• Develop a comprehensive communication plan and plan for instances where traditional communication may not be possible.
• Develop a comprehensive plan to be able to communicate voting information to voters impacted by the situation.
• Review state laws and policies that could allow the postponement of an election or provide for alternative election methods in the case of an emergency.

Table Top Exercises (TTX). Another training opportunity, one new to the elections field, is “table top exercises.” Table top exercises are drills that simulate any potential election issue, ranging from “hacks” and misinformation campaigns, to natural disasters, to testing the response of election officials. Participants play various roles, such as a local election official, community activist, reporter, state official and IT professional. These simulations provide officials with an opportunity to practice responding to a tough Election Day scenario, with the intent to develop better contingency plans. You can read more about contingency planning in our contingency planning section below.

Steps State Legislators Can Take

• Require Formal Contingency Plans. States and localities should have formal plans in place in case of emergencies. In terms of policy, this could mean looking at state laws for options if there is a natural or man-made disaster on Election Day. Does your state permit the relocation of polling places in such circumstances? Could the election be postponed or rescheduled if absolutely necessary? Who has the power to make such a determination?
• Review the Use of Provisional Ballots. As discussed in previous sections, provisional ballots are given to voters when there is uncertainty about a voter’s eligibility. In the event of a hurricane, eligible voters who were displaced by the storm may be looking to cast a ballot. A determination will need to be made as to whether the voter is eligible to vote, and therefore whether the ballot is to be counted.
• Consider Same-Day Registration. Same-day registration (SDR) allows any qualified resident of the state to register to vote and cast a ballot all in that day. If the voter registration system is inaccessible, perhaps due to a power outage, a person could fill out a registration form, provide documentation of eligibility, usually proof of residency and ID, and still cast a ballot. While same-day registration is rarely, if ever, adopted because it could be useful in the case of an emergency, this is an indirect effect.

Legislators are policymakers. Election officials are policy implementers. Their expertise is remarkable (as is their commitment to democracy). They’re happy to share what they know, but it may help for legislators to have questions prepared to get an election security conversation started. Try these:

• What physical security measures do you use to secure election equipment and materials? The answer might be that equipment is locked up with tamper-proof seals; that there is a log or record of all activity relating to voting equipment; that bipartisan teams are required for virtually all work; that the numbers of ballots handed out is reconciled with the number of ballots actually cast, to help prevent errors such as a missing ballot box that turns up later in someone’s trunk.
• Do you partner with other local, state or federal stakeholders to further secure the elections process? Understanding and communicating relevant information to local, state and federal stakeholders raises the awareness of current threats and situations. By sharing information, it is possible to improve responses.  
• What cybersecurity training are election officials and staff provided? Many states and local jurisdictions require or offer training for their staff. The training can range not only in topic, but also in frequency. A cyber-aware workforce is hard to trick by phishing.
• How and when is your equipment tested? Nearly all election officials do “logic and accuracy testing” before an election, which means they run every piece of equipment through its paces before Election Day. Many do post-tests, too, to show that the equipment is still functioning properly at the close of business. Ask if there is also a post-election audit performed (which may or may not be required by law).
• What measures are you taking to protect voters’ data? While statewide voter registration databases are not related to the casting and counting of ballots, and therefore don’t threaten the outcome of an election, their security matters. First, states must do all they can to prevent personal data from being stolen. And, second, if that data could be modified or deleted by a hacker, voter check-in could be a mess on Election Day. It’s likely the systems manager has a modification log for the registration database that can provide clues to any data integrity problems. Again, your state cybersecurity director may have something to say about this.
• What contingency plans do you have? Contingencies are not just for security breaches, of course. Every election office needs a backup plan, and maybe a backup for that.
• What can we, as legislators, do to help?

NCSL Webpages

• Access to and Use of Voter Registration Lists
• Automatic Voter Registration
• Budgeting for Cybersecurity
• Election Emergencies
• Election Legislation Database
• Election Security: State Policies
• Elections Technology Toolkit<
• Electronic Poll Books
• Electronic Transmission of Ballots
• Online Voter Registration
• Post-Election Audits
• Provisional Ballots
• Same Day Voter Registration
• State Statutes Prohibiting Tampering with Voting Systems
• Voting Equipment
• Voter Registration
• Voting Systems Standards, Testing and Certification

• Funding Elections Technology

Articles from NCSL’s newsletter The Canvass

• Remote Ballot Marking: Risks and Rewards, June 2018
• Federal Funds and Difficult Decisions, May 2018
• Cybersecurity for Elections: Everyone’s Responsibility, November 2017
• Election Security: A Priority for Everyone, July 2017
• Security and Elections: What Legislators Need to Know, September 2016

Additional NCSL Resources

• LegisBrief on Securing Voter Registration Systems
• LegisBrief on Blockchain Technology
• Cybersecurity Task Force
• LegisBrief: 10 Tips for Using a Task Force to Modernize Elections
• LegisBrief: Funding the Next Generation of Elections Technology

The Department of Homeland Security (DHS) offers a variety of free cybersecurity resources for state and local election officials as part of the critical infrastructure designation.<

• DHS Election Infrastructure Security Resource Guide
• DHS Election Infrastructure Security Funding Consideration
• Securing Voter Registration Data
• Best Practices for Continuity of Operations (Handling Destructive Malware)

The U.S. Elections Assistance Commission (EAC) is a clearinghouse for election administration information and best practices and has multiple security and cybersecurity resources.

• DHS Cybersecurity Services Catalog for Election Infrastructure
• U.S. Election Systems as Critical Infrastructure
• Video on American Elections: Understanding Cybersecurity
• Incident Response Best Practices
• Many other resources can be found on the page dedicated to Election Security Preparedness.

The Defending Digital Democracy Project of the Belfer Center at the Harvard University Kennedy School of Government created three guides for state and local election officials.

• The State and Local Election Cybersecurity Playbook
• The Election Cyber Incident Communications Coordination Guide
• The Election Incident Communications Plan Template

The Center for Internet Security has resources on best practices for protecting elections infrastructure.

• A Handbook for Elections Infrastructure Security
• Elections Infrastructure Multi-State Information Sharing & Analysis Center (EI-ISAC)

Center for Democracy & Technology

• Election Cybersecurity 101 Field Guide – Glossary<
• Election 101 Field Guide: DDos Attack Mitigation

National Institute for Standards and Technology

• Framework for Improving Critical Infrastructure Cybersecurity

Council of State Governments

• Election Cybersecurity Initiative Guide

Vote at Home

• Voting at Home Across the States 50-state survey

Center for Election Innovation & Research

• Voter Registration Database Security