NCSL’s The Canvass

Election Security: A priority for everyone

Word cloud image of elections security. Elections security. Now that’s a concept everyone can get behind.

But what does elections security mean when it comes to legislating? Therein lies the rub. Elections security isn’t something that can be switched on or off. It is hard to consider on its own. Instead, elections security is a key consideration of any elections policy choice (automatic voter registration, voter ID, early voting, technology upgrades…on and on).

As if that’s not complicated enough, responsibility for elections security is shared among many actors. Local election administrators are in charge of the nuts and bolts of election administration. Each state’s chief elections official (usually, but not always, the secretary of state) is responsible for safeguarding voting and voter records for statewide voter registration databases and beyond. State cybersecurity officials are increasingly prominent in ensuring elections security. And, not surprisingly, legislators play leading roles by setting policy.

But how?

First, legislators can make “security” one of their key questions, no matter what elections bills are up for consideration. If a bill comes up addressing early voting, electronic poll books, vote centers, or any other topic, questions about costs, savings, turnout and convenience come quickly to mind. “What will this bill mean for elections security?” is the new all-purpose question. (For more questions, see the sidebar.)

Second, legislators can propose and promote bills that tackle procedural issues that are the building blocks of security. The Canvass asked experts to address these questions in an earlier edition, Security and Elections: What Legislators Need to Know. Here, we divide procedural approaches to improving security into two main categories: physical security and cybersecurity. 

While Cybersecurity gets all the press, we'll start with physical security. 

Physical Security

Ballot reconciliation. Some states require ballot reconciliation—an accounting for all ballots, those that were voted, spoiled in some way and set aside, or never voted. By requiring a tally or reconciliation, the chance of ballots being misplaced and perhaps not counted drops. Reconciliation can work for electronic votes, too—if the voter files say 100 people came in to vote, and only 99 votes are recorded, can these be reconciled by a log of irregularities? It’s not unheard of for a voter to leave before actually casting a ballot—an anomaly that can be logged. Ask NCSL if you’d like to see what each state does.

Chain of custody. It’s always good practice to have a procedural system to check who has done what, and when. “Chain of custody” requirements come into play when there are any movements or actions relating to ballots, poll books, equipment and just about anything else (except maybe boxes of “I Voted” stickers). It’s common practice to log everything, and to require bipartisan teams to work together in this process. Arkansas enacted HB 1792 this year to address chain of custody.

Secure physical storage. Between one election and the next, elections equipment has to be kept somewhere. Is that warehouse secured? Is there a log of who enters and exits? Are security cameras used?  Is the warehouse climate controlled to delay deterioration of the equipment? Are unmarked ballots secured too? While legislation on storage requirements is rare, it’s a key issue with local or state officials. See the U.S. Election Assistance Commission’s paper on 10 Things to Know About Managing Aging Voting Systems for more.

Contingency planning. What’s the plan in case of a hurricane or fire? Minnesota enacted a requirement for elections-specific contingency planning in 2015. Hurricane Sandy famously disrupted voting in the 2012 election in New Jersey, and the Garden State’s emergency measures were later found to violate other state laws.

One last thing: laws and rules are only useful if operationalized. 

Cybersecurity

Image of world map with laptop. Pad lock on the laptop screen. It’s not hyperbole to say that any database or computer system can be the target of cyber attacks. The “Wannacry” ransomware attacks in May added a new word to our vocabularies, and last year’s attacks on servers for the Democratic National Committee are still fresh. Also, the Department of Homeland Security reports that voter registration systems—not vote counting systems—in at least 21 states were probed by hackers in 2016. Even when equipment that counts votes is not connected to the internet, many peripheral systems that support the management of elections are connected, and can be the target of attacks.

The good news is that there appears to be no reason to think election outcomes were changed last year. And yet a good outcome in 2016 isn’t assurance that things will go well this fall, when governors in New Jersey and Virginia and legislators in three chambers (New Jersey Senate, New Jersey House and Virginia House) are elected, or in the 2018 midterms. When determined malefactors are busy, it’s tough for a state to stay a step ahead, and even harder for counties.

What to do? First, recognize that protecting against cybersecurity intrusions isn’t something to be checked off a list, it’s an on-going effort. Next, review what secretaries of state have had to say on this, by reviewing the current resolutions established by the National Association of Secretaries of State (NASS). And then, read on:

Follow best practices. While legislators aren’t expected to be IT experts (nor are the editors of The Canvass!), they can encourage administrators to follow best practices and stay on top of advances in the field of cybersecurity. Words and phrases such as “authentication,” “real-time audit logs,” “cryptography,” “firewalls” and “remote access control” don’t have to be understood and used just by the experts. For more, see the U.S. Election Assistance Commission’s Checklist for Securing Voter Registration Data.

Review what personal information for voters is required or held private. If your state requires the full Social Security number to be provided, would switching to just the last four numbers work just as well? Tennessee lawmakers are considering that question with HB 130, and Virginians are doing the same with SJR 226.

Consider audit laws. 33 states have some kind of post-election audit law on the books. Audits can provide a post-event review to see if ballots were accurately counted. Colorado is moving ahead with risk limiting audits (required by law in 2013, going into effect this year), which provide statistical assurance that the right candidate won the race.

Review state requirements for voting technology. It’s possible out-of-date language is hampering the adoption of appropriate technology for your state’s voting system. This is most likely when statutes are written so precisely that they limit choices. Statutes can address desired outcomes (accurate elections, accessibility for people with disabilities) Ron Bandes portraitinstead of specifying what kind of equipment is to be used. There is one thing states might want to specify, said network security analyst Ron Bandes, president of VoteAllegheny, a non-partisan election integrity group in Pennsylvania, at NCSL’s Future of Elections June conference. That is that any hardware and applications to be used must provide a log of all important events. That way, any untoward activities can be pinpointed. For more on state requirements in terms of testing and certification, see the slide show, State Statutes and the Certification Process, from former NCSL elections staffer Katy Owens Hubler, now of Democracy Research.

Invest in security. Hiring cybersecurity consultants or more IT staff, or sending IT staff for professional training, may be useful. Of course, these actions have a price tag.

Consider the Department of Homeland Security (DHS)’s offer of assistance. Last year, DHS designated elections as “critical infrastructure.”  States may or may not Geoff Hale portrait. appreciate this new designation: some consider it a federal usurpation of state responsibilities. The National Association of Secretaries of State is on record opposing the designation. And yet, along with this designation comes the option of assistance from DHS to states to audit for cybersecurity vulnerabilities and more. The U.S. Election Assistance Commission has a white paper, U.S. Election Systems as Critical Infrastructure, which explains the designation and the technical options available. See this slide show from DHS’s Geoffrey Hale. 

Two Final Thoughts 

Canvass articles often end with “A Final Thought.” Here, we have two.

Edgardo Cortes portrait. First, while states can do a lot to secure elections, they can’t do it all. In most parts of the nation, elections are run at the local level. Thus, if a county doesn’t have good security, it becomes the weak link for the whole state. “Unfortunately, the biggest security risks for state election systems are local election offices and vendor systems,” said Virginia’s state election director, Edgardo Cort├ęs, when he spoke at NCSL’s Future of Elections meeting. Virginia has addressed this concern by providing training for local election officials.

Second, while everyone should be concerned with elections security, concern can be communicated without alarming voters. They need to know that states (and locals) are doing what they can, that safeguards and backup plans are in place, and that election officials are happy to do show-and-tells for constituents. In other words, while work to secure our elections systems goes full steam ahead, the message is Keep Calm and Carry On. 

Sidebar: Sample Questions Legislators Can Use When Talking About Security to Election Officials

Image of a chalkboard with a question mark drawn on it.

  •  What physical security measures do you use? Expect to hear about tamper-proof seals on equipment, logs that record all activities relating to voting equipment, bipartisan teams for virtually all work and ballot reconciliation procedures that show all ballots are present or accounted for.
  • How about cybersecurity measures? Answers might include encryption, authenticating passwords, intrusion detection software, data backups and more.
  • Do you use computer science specialists? If they’re not on staff, they can be hired on a consulting basis.
  • What testing do you do? Nearly all election officials do “logic and accuracy testing,” which means they run every piece of equipment through its paces before Election Day to ensure that every machine is counting ballots precisely as it should. Many do post-tests, too, to show that the equipment is still functioning properly at the close of business. Ask if post-election audits are used as well.
  • How are vote totals backed up? Expect to hear that the vote counting machine stores the tally in a couple of places—in addition to on a removable storage device.
  • How do you guard against hacking? Probably you’ll learn that the equipment people vote on is not connected to the internet in any way. Do ask if the internet plays any role in vote casting, vote counting, or in the transmission of vote totals. Your state may have a cybersecurity commission or director—have they reviewed all elections systems?
  • Is your equipment kept up-to-date based on service bulletins coming from the vendor? These bulletins are akin to recalls for cars—they can be ignored, but at your peril.
  • What measures are you taking to protect voters’ data?  While statewide voter registration databases are not connected to the casting and counting of ballots, and therefore don’t threaten the outcome of an election, their security matters. First, states must do all they can to prevent personal data from being stolen. And, second, if that data could be modified or deleted by a hacker, voter check-in could be a mess on Election Day. Probably the systems manager has a modification log from the database that can provide clues to any data integrity problems. Again, your state cybersecurity director may have something to say about this.
  • What contingency plans do you have? Contingencies are not just for security breaches, of course. Every election office needs a backup plan, and maybe a backup for that.

Bookmark This 

Image of the cover of the US Election Assistance Commission Report, 2016For election geeks nationwide it’s an exciting day when the report and data from the biannual Election Administration and Voting Survey (EAVS) becomes available. Those of us who study elections look forward to and celebrate its release. The survey is administered by the U.S. Election Assistance Commission (EAC) and contains a wealth of data on how elections are administered across the states. Since elections in the U.S. are decentralized—states and even local jurisdictions run elections in their own ways—this is the most comprehensive data set on those quirks and differences. As required under the Help America Vote Act of 2002, the EAC has been administering the survey after every federal election cycle since 2004. That means EAVS provides an historical record of how elections are run nationally.

The Election Administration and Voting Survey 2016 Comprehensive Report addresses things like turnout data, voter registration statistics, pre-election voting, military and overseas voting, the number of precincts and polling places nationwide, poll worker demographics, and the number of provisional ballots cast. Responses rates are available in the appendix.

Some highlights from the report:

  • 41 percent of all votes cast in the 2016 election were cast before Election Day, either through mail ballots or by in-person early voting.
  • From 2012 to 2016, there was a 75 percent increase nationally in the use of electronic poll books in elections.
  • The EAVS measures turnout by the number of Americans who voted as a percentage of the civilian voting age population (CVAP). 140,114,502 Americans voted in the 2016 General Election, which is 63 percent of the national CVAP.
  • More than 77.5 million voter registration applications were received between 2014 and 2016.
  • State motor vehicle offices remain the most common place where individuals register to vote (32.7 percent of all registrations) but online registration (17.4 percent of the total) has increased dramatically over the past four years as a source of registrations.
  • Voting equipment used to cast and count ballots vary, with 42.5 percent of responding jurisdictions using optical scan voting machines, 20.8 percent using Direct-Recording Electronic (DRE) machines, 21.9 percent using a hybrid that combines these two options, and 15.3 percent use another method of counting votes.
  • Nationwide, there were 178,217 individual precincts and 116,990 physical polling places. In addition, jurisdictions operated more than 8,500 early voting locations in the days leading up to the election.
  • Election officials continue to face challenges recruiting poll workers, and the poll worker population remains skewed toward older Americans, with 24 percent of poll workers ages 71 and older and another 32 percent ages 61–70.

Also helpful for legislative research is the Statutory Overview, which asks states to answer questions about various election-related statutes and definitions. It includes state responses on things such as: early voting laws; provisional ballots; how results are reported; and voter registration systems.  

This year, information from the Statutory Overview survey was included throughout the comprehensive report linked above (rather than as a stand-alone report), but those who enjoy statutory research might like to delve into the state-by-state details as well.

--by Katy Owens Hubler, former NCSL staff

 

Elections at NCSL's Legislative Summit, August 6-9

The NCSL Legislative Summit Logo with the skyline of Boston in the background

Calling all electioneers: Boston is the place to be August 6-9, for NCSL’s largest annual event, Legislative Summit. (New Englanders might want to take advantage of the daily rate and come just for the day on Monday, when most sessions are clustered together.) Here’s the line-up of sessions on elections:

  • International Perspectives on Election Systems (Monday, Aug. 6, 8:45 to 10 a.m.)
  • What’s Cooking in the States on Elections Policy? (Monday, Aug. 6, 10:10 to 11:20 a.m.; Commissioner Tom Hicks from the U.S. Election Assistance Commission and Secretary of State Wayne Williams from Colorado are panelists)
  • Data Delivers for Elections (Monday, Aug. 6, 12 to 1:15 p.m., with MIT’s illustrious Charles Stewart III)
  • Primary Permutations and Politics (Monday, Aug. 6, 1:30 to 2:45 p.m.)
  • Elections and Redistricting: Breakfast (Tuesday, Aug. 7, 7:30 to 8:45 a.m.; hear legislators describe their favorite elections innovations)
  • Voter Confidence (Tuesday, Aug. 7, 2:30 to 3:45 p.m., with EAC Commissioner Christy McCormick and Tennessee Secretary of State Tre Hargett and others)

Worth Noting

  • If at first you don’t succeed… The Maine Legislature is considering a compromise option to remedying the problems highlighted by a Maine Supreme Court advisory opinion on the constitutionality of the ranked choice voting ballot measure approved by voters in 2016. The bill could lead to some offices being elected by ranked choice voting, and others by traditional winner-take-all.
  • Election Integrity (1) Colorado will become the first state in the nation to require risk-limiting audits, instead of standard post-election audits.
  • Election Integrity (2) The National Association of Secretaries of State (NASS) met in Indianapolis this month to discuss, among other things, ongoing issues in election administration. The organization resolved to strive for three different goals: strengthening election cybersecurity, calling on the federal government to recognize the privacy right voters have in their addresses, and calling on the federal government to assist states in maintaining accurate voter rolls.
  • Election Integrity (3) According to a leaked report reported by Time Magazine, the Obama Administration had developed secret plans to deploy the military to polling stations across the country in the event of a massive cyberattack on states’ election systems. Fortunately, it was not needed.
  • Election Integrity (4) The Presidential Advisory Commission on Electoral Integrity, led by Vice President Mike Pence, had its first meeting this month. The commission has been hotly debated in the press this month, with some groups supporting its existence as a necessary tool to fight rampant voter fraud which undermines democracy. Others have attacked the commission as a partisan ploy to encourage voter suppression.
  • Updates on Automatic Voter Registration NCSL has updated its automatic voter registration page. The key news: Rhode Island has become the eighth state (ninth jurisdiction, including D.C.) to enact it. Illinois’ governor has a bipartisan bill on his desk. For more on Illinois’ “getting to yes” process, see this slide show by Representative Ron Fortner (R-Ill.) prepared for (you guessed it) NCSL’s Future of Elections meeting.
  • Quick Legislative Report Over 140 bills regarding election crimes were introduced in 33 states in 2017. Twelve have become law. Find these bills and other elections bills from 2017 in NCSL’s Elections Legislation Database.
  • Ds and Rs unite on security A new initiative by Harvard’s Kennedy School of Government aims to identify tools and strategies which can be used to defend democratic processes and systems from cyberattacks. It is called Defending Digital Democracy, and is led in part by Robby Mook (former campaign manager, Hillary 2016) and Matt Rhoades (former campaign manager, Romney 2012). The group has enlisted the help of top liberal and conservative legal advocates, including Ben Ginsburg and Marc Elias.

From NCSL's Elections Team

A graphic that reads "From NCSL Elections Team"

Wow. The Canvass is nine years old and becoming a veritable time machine. Remember when the MOVE Act was enacted, allowing easier access to voting for military and overseas voters, and creating chaos with election calendars? That’s in the rearview mirror, and well-documented in early editions of The Canvass. But many of the issues from “way back when” are still issues for today: voter ID, voter registration, voting equipment. See the chronological index or the topical index for a walk down memory lane or for still-pertinent information.

And, stay in touch.

—Wendy Underhill