Compilation of election returns and validation of the outcome that forms the basis of the official results by a political subdivision.
Elections security. Now that’s a concept everyone can get behind.
But what does elections security mean when it comes to legislating? Therein lies the rub. Elections security isn’t something that can be switched on or off. It is hard to consider on its own. Instead, elections security is a key consideration of any elections policy choice (automatic voter registration, voter ID, early voting, technology upgrades…on and on).
As if that’s not complicated enough, responsibility for elections security is shared among many actors. Local election administrators are in charge of the nuts and bolts of election administration. Each state’s chief elections official (usually, but not always, the secretary of state) is responsible for safeguarding voting and voter records for statewide voter registration databases and beyond. State cybersecurity officials are increasingly prominent in ensuring elections security. And, not surprisingly, legislators play leading roles by setting policy.
First, legislators can make “security” one of their key questions, no matter what elections bills are up for consideration. If a bill comes up addressing early voting, electronic poll books, vote centers, or any other topic, questions about costs, savings, turnout and convenience come quickly to mind. “What will this bill mean for elections security?” is the new all-purpose question. (For more questions, see the sidebar.)
Second, legislators can propose and promote bills that tackle procedural issues that are the building blocks of security. The Canvass asked experts to address these questions in an earlier edition, Security and Elections: What Legislators Need to Know. Here, we divide procedural approaches to improving security into two main categories: physical security and cybersecurity.
While Cybersecurity gets all the press, we'll start with physical security.
Ballot reconciliation. Some states require ballot reconciliation—an accounting for all ballots, those that were voted, spoiled in some way and set aside, or never voted. By requiring a tally or reconciliation, the chance of ballots being misplaced and perhaps not counted drops. Reconciliation can work for electronic votes, too—if the voter files say 100 people came in to vote, and only 99 votes are recorded, can these be reconciled by a log of irregularities? It’s not unheard of for a voter to leave before actually casting a ballot—an anomaly that can be logged. Ask NCSL if you’d like to see what each state does.
Chain of custody. It’s always good practice to have a procedural system to check who has done what, and when. “Chain of custody” requirements come into play when there are any movements or actions relating to ballots, poll books, equipment and just about anything else (except maybe boxes of “I Voted” stickers). It’s common practice to log everything, and to require bipartisan teams to work together in this process. Arkansas enacted HB 1792 this year to address chain of custody.
Secure physical storage. Between one election and the next, elections equipment has to be kept somewhere. Is that warehouse secured? Is there a log of who enters and exits? Are security cameras used? Is the warehouse climate controlled to delay deterioration of the equipment? Are unmarked ballots secured too? While legislation on storage requirements is rare, it’s a key issue with local or state officials. See the U.S. Election Assistance Commission’s paper on 10 Things to Know About Managing Aging Voting Systems for more.
Contingency planning. What’s the plan in case of a hurricane or fire? Minnesota enacted a requirement for elections-specific contingency planning in 2015. Hurricane Sandy famously disrupted voting in the 2012 election in New Jersey, and the Garden State’s emergency measures were later found to violate other state laws.
One last thing: laws and rules are only useful if operationalized.
It’s not hyperbole to say that any database or computer system can be the target of cyber attacks. The “Wannacry” ransomware attacks in May added a new word to our vocabularies, and last year’s attacks on servers for the Democratic National Committee are still fresh. Also, the Department of Homeland Security reports that voter registration systems—not vote counting systems—in at least 21 states were probed by hackers in 2016. Even when equipment that counts votes is not connected to the internet, many peripheral systems that support the management of elections are connected, and can be the target of attacks.
The good news is that there appears to be no reason to think election outcomes were changed last year. And yet a good outcome in 2016 isn’t assurance that things will go well this fall, when governors in New Jersey and Virginia and legislators in three chambers (New Jersey Senate, New Jersey House and Virginia House) are elected, or in the 2018 midterms. When determined malefactors are busy, it’s tough for a state to stay a step ahead, and even harder for counties.
What to do? First, recognize that protecting against cybersecurity intrusions isn’t something to be checked off a list, it’s an on-going effort. Next, review what secretaries of state have had to say on this, by reviewing the current resolutions established by the National Association of Secretaries of State (NASS). And then, read on:
Follow best practices. While legislators aren’t expected to be IT experts (nor are the editors of The Canvass!), they can encourage administrators to follow best practices and stay on top of advances in the field of cybersecurity. Words and phrases such as “authentication,” “real-time audit logs,” “cryptography,” “firewalls” and “remote access control” don’t have to be understood and used just by the experts. For more, see the U.S. Election Assistance Commission’s Checklist for Securing Voter Registration Data.
Review what personal information for voters is required or held private. If your state requires the full Social Security number to be provided, would switching to just the last four numbers work just as well? Tennessee lawmakers are considering that question with HB 130, and Virginians are doing the same with SJR 226.
Consider audit laws. 33 states have some kind of post-election audit law on the books. Audits can provide a post-event review to see if ballots were accurately counted. Colorado is moving ahead with risk limiting audits (required by law in 2013, going into effect this year), which provide statistical assurance that the right candidate won the race.
Review state requirements for voting technology. It’s possible out-of-date language is hampering the adoption of appropriate technology for your state’s voting system. This is most likely when statutes are written so precisely that they limit choices. Statutes can address desired outcomes (accurate elections, accessibility for people with disabilities) instead of specifying what kind of equipment is to be used. There is one thing states might want to specify, said network security analyst Ron Bandes, president of VoteAllegheny, a non-partisan election integrity group in Pennsylvania, at NCSL’s Future of Elections June conference. That is that any hardware and applications to be used must provide a log of all important events. That way, any untoward activities can be pinpointed. For more on state requirements in terms of testing and certification, see the slide show, State Statutes and the Certification Process, from former NCSL elections staffer Katy Owens Hubler, now of Democracy Research.
Invest in security. Hiring cybersecurity consultants or more IT staff, or sending IT staff for professional training, may be useful. Of course, these actions have a price tag.
Consider the Department of Homeland Security (DHS)’s offer of assistance. Last year, DHS designated elections as “critical infrastructure.” States may or may not appreciate this new designation: some consider it a federal usurpation of state responsibilities. The National Association of Secretaries of State is on record opposing the designation. And yet, along with this designation comes the option of assistance from DHS to states to audit for cybersecurity vulnerabilities and more. The U.S. Election Assistance Commission has a white paper, U.S. Election Systems as Critical Infrastructure, which explains the designation and the technical options available. See this slide show from DHS’s Geoffrey Hale.
Canvass articles often end with “A Final Thought.” Here, we have two.
First, while states can do a lot to secure elections, they can’t do it all. In most parts of the nation, elections are run at the local level. Thus, if a county doesn’t have good security, it becomes the weak link for the whole state. “Unfortunately, the biggest security risks for state election systems are local election offices and vendor systems,” said Virginia’s state election director, Edgardo Cortés, when he spoke at NCSL’s Future of Elections meeting. Virginia has addressed this concern by providing training for local election officials.
Second, while everyone should be concerned with elections security, concern can be communicated without alarming voters. They need to know that states (and locals) are doing what they can, that safeguards and backup plans are in place, and that election officials are happy to do show-and-tells for constituents. In other words, while work to secure our elections systems goes full steam ahead, the message is Keep Calm and Carry On.
For election geeks nationwide it’s an exciting day when the report and data from the biannual Election Administration and Voting Survey (EAVS) becomes available. Those of us who study elections look forward to and celebrate its release. The survey is administered by the U.S. Election Assistance Commission (EAC) and contains a wealth of data on how elections are administered across the states. Since elections in the U.S. are decentralized—states and even local jurisdictions run elections in their own ways—this is the most comprehensive data set on those quirks and differences. As required under the Help America Vote Act of 2002, the EAC has been administering the survey after every federal election cycle since 2004. That means EAVS provides an historical record of how elections are run nationally.
The Election Administration and Voting Survey 2016 Comprehensive Report addresses things like turnout data, voter registration statistics, pre-election voting, military and overseas voting, the number of precincts and polling places nationwide, poll worker demographics, and the number of provisional ballots cast. Responses rates are available in the appendix.
Some highlights from the report:
Also helpful for legislative research is the Statutory Overview, which asks states to answer questions about various election-related statutes and definitions. It includes state responses on things such as: early voting laws; provisional ballots; how results are reported; and voter registration systems.
This year, information from the Statutory Overview survey was included throughout the comprehensive report linked above (rather than as a stand-alone report), but those who enjoy statutory research might like to delve into the state-by-state details as well.
--by Katy Owens Hubler, former NCSL staff
Calling all electioneers: Boston is the place to be August 6-9, for NCSL’s largest annual event, Legislative Summit. (New Englanders might want to take advantage of the daily rate and come just for the day on Monday, when most sessions are clustered together.) Here’s the line-up of sessions on elections:
Wow. The Canvass is nine years old and becoming a veritable time machine. Remember when the MOVE Act was enacted, allowing easier access to voting for military and overseas voters, and creating chaos with election calendars? That’s in the rearview mirror, and well-documented in early editions of The Canvass. But many of the issues from “way back when” are still issues for today: voter ID, voter registration, voting equipment. See the chronological index or the topical index for a walk down memory lane or for still-pertinent information.
And, stay in touch.