NCSL’s The Canvass

Federal funds and difficult decisions

It’s your birthday and you’re 10 years old. You get a nice card from your grandparents with $10 in it. You begin to think of all the cool ways you could spend your new “fortune.” However, you soon realize everyone else has plans for your money too. Your friends, your siblings, even your parents, start to make suggestions—but their desires don’t necessarily match your own.

States might be feeling something similar now. In March 2018 Congress passed the federal omnibus appropriations bill, which included $380 million for states to use to improve their elections systems. States quickly began to think about how best to put that money to use—and soon enough everyone else has plans for that money too.

The federal Help America Vote Act (HAVA) was passed in 2002 to help states improve voting systems and the voting process after issues were identified during the 2000 election. HAVA included substantial appropriations to the states to accomplish that goal, most of which was used long ago. The $380 million included in this year’s appropriations bill was the final chunk of promised HAVA money. Similar to the original disbursements, each state gets a base award of $3 million, with additional funds based on the voting age population of the state.

 

HAVA FUNDS BY STATE

State

Award

State

Award

Alabama

$6,160,393

Montana

$3,000,000

Alaska

$3,000,000

Nebraska

$3,496,936

Arizona

$7,463,675

Nevada

$4,277,723

Arkansas

$4,475,015

New Hampshire

$3,102,253

California

$34,558,874

New Jersey

$9,757,450

Colorado

$6,342,979

New Mexico

$3,699,470

Connecticut

$5,120,554

New York

$19,483,647

Delaware

$3,000,000

North Carolina

$10,373,237

Dist. of Columbia

$3,000,000

North Dakota

$3,000,000

Florida

$19,187,003

Ohio

$12,186,021

Georgia

$10,305,783

Oklahoma

$5,196,017

Hawaii

$3,134,080

Oregon

$5,362,981

Idaho

$3,229,896

Pennsylvania

$13,476,156

Illinois

$13,232,290

Rhode Island

$3,000,000

Indiana

$7,595,088

South Carolina

$6,040,794

Iowa

$4,608,084

South Dakota

$3,000,000

Kansas

$4,383,595

Tennessee

$7,565,418

Kentucky

$5,773,423

Texas

$23,252,604

Louisiana

$5,889,487

Utah

$4,111,052

Maine

$3,130,979

Vermont

$3,000,000

Maryland

$7,063,699

Virginia

$9,080,731

Massachusetts

$7,890,854

Washington

$7,907,768

Michigan

$10,706,992

West Virginia

$3,611,943

Minnesota

$6,595,610

Wisconsin

$6,978,318

Mississippi

$4,483,541

Wyoming

$3,000,000

Missouri

$7,230,625

 

 

As the chart above shows, nine states will receive the base amount of $3 million. At the upper end, California will receive just over $34.5 million. To receive these funds, states must provide a 5 percent match of the offered amount. Although these funds are finding a warm welcome, states now have the difficult choice of determining how to best spend the new money. And lots of suggestions on how to do so.

The funds are “for activities to improve the administration of elections for Federal office, including to enhance election technology and make election security improvements,” according to the U.S. Election Assistance Commission (EAC), the agency that will disburse the funds. The EAC explicitly outlines six possible uses for those funds (see below). They also require a 2- 3-page overview by states to demonstrate the activities that will be supported with the funds. Although the EAC has been clear on the uses of the money, other groups and individuals have also made recommendations ranging in cost and impact on election security.

“Secretaries of state are excited about these HAVA funds,” said Indiana Secretary of State Connie Lawson, president of the National Association of Secretaries of State (NASS). “But it is important for these groups to keep in mind that each state is unique and cannot complete all the recommendations being made.” According to Maria (Dill) Benson, NASS’s Director of Communication, the organization has heard that some states will be using the new funds to: migrate to a cloud system for data and backups, implement/conduct post-election audits, hire cyber security staff, upgrade election systems, and implement physical and cyber security upgrades.

So, what are all these recommendations floating around and what do they mean for states and elections? NCSL has pulled highlights and common factors from them:  

EAC

Center for American Progress

Open Letter* from Experts

Defending Digital Democracy**

Replace voting equipment w/paper verified record

Replace voting equipment w/paper verified record

Replace voting equipment w/paper verified record

Have a paper record

 

Post-Election Audits

Post-Election Audits

Post-Election Audits

Post-Election Audits

Cyber security training for officials

Cyber security training for officials

Cyber security training for officials

Create security culture

Upgrade election systems

Fortify existing systems

Upgrade election systems

Treat elections as interconnected

Implement best cyber practices

 

 

Implement cyber practices like two- factor authentication and managing system access

Fund other security activities

 

Prohibit wireless voting machines

 

*The open letter was sent to state election directors and was signed by over 40 individuals, urging states to utilize the funding for the best practices listed.

**Defending Digital Democracy, a program of the Belfer Center at Harvard University, published its cybersecurity playbook before the passage of the Appropriations Bill. 

Replace Voting Equipment—A common topic in elections, many states are working with voting equipment that was purchased with the original disbursement of HAVA funds over 10 years ago. Now, with heightened security concerns, many election security experts are once again urging states to require new equipment that either uses paper ballots or leaves a paper audit trail. Still, election systems are quite expensive. Louisiana has received three bids to replace its aging equipment, which is estimated to cost the state anywhere from $40 to $60 million. Pennsylvania is also looking to replace its voting equipment to the possible tune of $125 million. Even if these estimates are on the high end, that’s a tough price tag to swallow.

Post-election Audits—Post-election audits have been picking up steam over the past two years. Forty states and the District of Columbia have an audit process of one variation or another. For states without audits, the recommendation is to implement one. For those states that already require an audit, these reports suggest moving toward more robust systems. After Colorado debuted its statewide risk limiting audit (RLA) in 2017, RLAs are being held by many as a gold standard. RLAs require that a certain number of ballots be audited to statistically show that if a full recount was conducted, it would confirm the original results. Although impressive, RLAs are easier said than done.

Cybersecurity Training—Cybersecurity is not everyone’s forte and, unfortunately, humans are part of the problem. Transforming election staff to cyber informed election staff requires first and for most, that they are knowledgeable. For example, phishing, spear-phishing and whaling are all malicious attempts to obtain personal information to gain access to important systems. The ability to recognize that something may be suspicious takes an understanding of what to look for and the knowledge of how to proceed. Through that knowledge the office/staff can develop an attitude or cyber-secure culture, recognizing that they are a target. Lastly, proper behavior needs to be practiced and enforced, whether that’s through phishing tests, cybersecurity checklists, or two-factor authentication.

Many states have been offering training, which is good. However, it shouldn’t be a one-off test, but a continual process to strive to be better. As they say, the chain is only as strong as its weakest link.

Upgrade/Fortify Security Systems—Outside of the equipment for casting and counting ballots, many other technological components are involved in the election infrastructure. From servers housing voter data to the firewalls protecting the network, many moving pieces may need an upgrade or could be fortified.

Voter registration systems are vulnerable and have already been the target of attacks. The Senate Intelligence Committee released an interim report on May 8 noting that malicious, Russian-affiliated, cyber actors targeted at least 18 state’s election systems. In some states, they were able to gain access to elements of the election infrastructure and were in a position to alter or delete voter registration records—not that there is evidence any data was changed. Aside from more traditional data breaches like Equifax, the ability of a malicious actor to alter or delete voter records could cause problems if it were to occur on Election Day.

The Rhode Island secretary of state’s office released a report to the legislatures of their recommendations for the $3 million. Number one on their list is an upgrade to their central voter registration system. “We are taking measures right now, but that (central voter registration upgrade) will not happen until after 2018,” said Rhode Island Secretary of State Nellie Gorbea, noting that the project will take time.

Two other possible areas that may be ready for upgrade or fortification are electronic poll books (e-poll books), and establishing baseline security standards generally. E-poll books are usually a laptop or tablet, located at precincts, that allow poll workers to lookup voters, scan driver licenses, notify poll workers if someone has previously voted, and much more. These systems can be linked and communicate with each other over a network. The ability to keep this communication safe and secure is important to maintaining the functions of e-poll books. More so, of the roughly 33 states that have jurisdictions that use e-poll books, only eight states currently certify their e-poll books at the state level.

The piecemeal and state-by-state approach to American elections can be a strength, but here it may be a weakness. Because voting equipment and elections are done primarily at the local level, standardized security standards may not be present as each local jurisdiction buys different equipment with different standards. Standardized requirements can help better protect data and systems by closing potential security gaps and reducing risks through prevention or the mitigation of attacks.

Cybersecurity Staff/Training—Knowledgeable staff is just as important, if not more important, than equipment upgrades. From the state to the city level, there are many people who have a hand in elections, and each one could be a target. The ability to spot and properly handle these attempts and others, requires training for staff across all levels.

As for hiring cybersecurity experts, according to some reports, a global shortage of 3.5 million cybersecurity professionals is projected by the year 2021. The ability to hire and retain experienced staff to help direct security efforts and train other staff will be difficult and does not come on the cheap.

While all these recommendations are useful, $380 million won’t cover everything. As Indiana’s Secretary Lawson noted, each state will have different priorities.  In some states, projects may already be in the works and the money will go towards furthering those goals. Other states are reaching out to local election officials to determine how to best help their local counterparts.  In states with old equipment, replacing voting equipment may be the top priority—but in states that have done so recently, such as Rhode Island, upgrading voter registration systems may be at the top of the list.

Still, as with many things in life, it is often recommended to start small; $3 million, $5 million or $10 million dollars may not fulfill all the needs of state and local election officials, but it can fulfill some. The accomplishments of this money may not be the biggest, or sexiest projects, but may be those that have the greatest security impact for the least financial impact.  

It’s your 10th birthday and you just got $10. Who do you listen to?

Fantasy Elections Crisis at William & Mary Law School

This past April, election security experts from across the country descended on Williamsburg, Va., for the William & Mary Law School Election Law Society’s annual symposium. This year’s topic, Election Data Security: Testing Critical Infrastructure Design, was inspired by a hypothetical: how would a state respond if hackers penetrated and manipulated voter rolls on Election Day? The focus was on questions of ownership of voter data, federal intervention in state systems, and the Department of Homeland Security’s designation of election systems as critical infrastructure. 

William & Mary law students developed a scenario in which state and local governments grappled with the aftermath of a cyber-intrusion into voting systems. In the situation, voter rolls in the largest county in the fictional state of Flichigan (using Michigan’s Constitution and Virginia’s election code) were hacked prior to the 2018 primary election. Several hundred voters were deleted from the rolls, so when those voters showed up to vote, they were shocked to find their registration information was missing. While these voters were able to cast provisional ballots—Flichigan state and county officials eventually restored their registrations and counted their votes—the intrusion shook confidence in the state’s elections systems.

In response, the Flichigan secretary of state performed an audit of the state’s election infrastructure, found the intrusion and compromised files, and secured the infrastructure against future intrusion. One county registrar doubted the secretary of state’s assurance that all was well, and invited the Department of Homeland Security (DHS) to audit her county’s election data systems to assess their vulnerabilities. The secretary of state intervened and refused this request, arguing that he alone had the power to invite DHS to audit the state’s election infrastructure.

In the fictional court case tried at the symposium, the county registrar sued the secretary of state, arguing that the secretary’s post-election audit failed to address whether the election system was secure for the state’s impending general election. To remedy this perceived flaw, the registrar asked that DHS, pursuant to its recent designation of election systems as “critical infrastructure,” be allowed—whether invited by state or local officials—to audit the state and local election systems. The case involved balance of power issues within states, questions about whether state or local officials “owned” voter rolls, and questions of statutory interpretation of federal law.

“We wanted to test how state laws would respond to a breach of local voter registration data,”
said Rebecca Green, co-director of William & Mary’s election law program. “Particularly in states in which election administration is decentralized, who has control of and custodial responsibility for voter data? Who makes decisions about how best to secure it? Is a decentralized or top-down approach best? Our war game plunged into these questions head on.” In the end, the moot court sided with the secretary of state over the county registrar in a 2-1 ruling, while acknowledging that the law was not clear on whether voter data was owned by the state or local government.

Is there a lesson for legislators in the outcome?

By Ben Williams

From the Chair

Representative Zack Hudgins represents the 11th House District in Washington. The 11th is an urban district, nestled within King County, and spanning from southern Seattle through Tukwila and further east. According to a 2016 King County presentation, residents in King County speak over 170 different languages. The Tukwila School District in southern King County is, if not the most, one of the most diverse school districts in the country. Representative Hudgins serves as chair of the House State Government Committee. NCSL spoke with Representative Hudgins in mid-April.

Q: Washington recently passed a large election legislation packet, what would you like to share about that?

This year was a big year, and it centered around the Access to Democracy legislation package. This was really implementing policies we’ve seen in other states, such as automatic voter registration, same day registration, a voting rights bill and pre-registration for 16- 17-year-olds. These items are not new in and of themselves, but putting it all together, all at once, was new.

Q: What are the values you hold when working on elections policy?

I start from a place where I believe you get a better government from better citizen participation. It’s my underlying philosophy. From that, I want to break down structural barriers to improve participation in our democracy and that is where I have been focusing attention.

Q: Have you noticed any trends in the amount of or interest in election administration legislation in Washington?

Washington state had a lot of attention after the 2004 governor’s race (which included both a machine and manual recount). After that election, the state put in a lot of new reforms. But since then, there hasn’t been much movement. Now, many of those reforms have been around for a while, but this year has seen an increase in the attention to and demand in election legislation.

Q: What is your relationship with local election officials? How important is that relationship?

County auditors help develop and drive policy. We don’t always see eye to eye, especially around cost, but the legislature couldn’t enact policy without their input.

Q: What are you most proud of when it comes to elections in Washington?

I think we have a focus on maintaining integrity while emphasizing participation. We have done this through breaking down many of the barriers of access and I think the legislation passed this year has proven that.

Q: Is there anything else you would like to share about election administration in Washington with the readers?

I have to say, I took support from seeing these laws in place in other states for years. I saw those laws and said, “We could probably do that here.” States can and should look to each other for the best ideas. States do not have to independently create new ideas by themselves, but we can learn from each other about what may or may not work.

The Elections Administrator's Perspective

Regina Plettenberg is the clerk & recorder/election administrator/superintendent of schools of Ravalli County, Mont. Ravalli County is located in the western part of the state and boarders Idaho. Named after an Italian Jesuit priest, the county sits between the Sapphire Mountains and Bitterroot Mountains and is often called the Bitterroot Valley. NCSL spoke to Regina on May 2.

Q: How did you get into the business of elections?

In Montana, and elsewhere, election administrators wear many hats. I had a land background and had applied to the Clerk & Recorder’s Office for a position related to land. Because of a tricky ballot issue in a local election, I worked in the absentee center for a month and got hooked on elections. After that experience, I kept asking the clerk to let me do more and more elections.

Q: What are some unique issues your office faces? And how are you tackling these challenges?

Like a lot of the state, our absentee list has really grown. We are just over 50 percent of voters utilizing absentee voting. Because of this, we are essentially running an absentee election and traditional election. With this “hybrid system” in place, we’re moving from precinct level ballot counting towards a central ballot counting system. Although all-mail elections are allowed for municipal and school elections, state and federal elections are not permitted to be run as all-mail.

Q: Are you and your office doing anything different this year to prepare for the 2018 midterm elections?

Montana is an open primary state and this year the Green Party got enough signatures to be included on the primary ballot as well. However, this is being challenged in court and has caused some uncertainty about their place on the ballot.

Q: Do you regularly work with state legislators?

We do. I serve as the chair of our association’s legislation committee and I am at the capitol a lot. We often get involved when election bills are introduced and help answer questions from legislators. I was also at the interim committee meeting earlier this year (the Montana legislature does not meet every year). The committee is looking to replace the Americans with Disabilities Act (ADA) equipment and is exploring how to do that. Montana requires that all ballots be uniform and some current ADA voting machines do not meet this requirement. The ballot uniformity subject is an ongoing discussion and we are looking at possible solutions.

Q: What do you wish legislators knew about your work?

There are a lot of elections activities that are required to be completed on Election Day itself. However, as the absentee voting pool grows, the ability to meet these requirements on election days gets harder and harder. Looking at how other states handle all the requirements and when they handle them may be beneficial to Montana and local election officials.

Q: In regard to your office and staff, what are you most proud of when running elections?

Local election officials and their staff have to wear a lot of different hats. Elections is not a one or two-person operation and I have to cross-train all my staff. On Election Day, I am very proud that everyone comes together, utilizing the limited resources we have at hand, and run a very good election.

One Big Number

17. That is the number of jurisdictions (16 states plus the District of Columbia) that allow 17-year-olds to vote in a primary election if they will turn 18 by the general election. The earliest adopter was Ohio, in 1981, and the most recent was Utah, which did so in 2018. The number has slowly increased throughout that time. For all the details, see NCSL’s new webpage.

Earlier this year, the District of Columbia made waves after the introduction of the Youth Vote Amendment Act of 2018. This act would allow anyone who is 16 or older to vote in any DC election. Other jurisdictions have introduced or discussed similar legislation. But for now, it is still 17 at 17.

Worth noting

  • Cronkite News (Arizona PBS) published an article discussing the challenges facing Native American voters. Although they note that progress has been made, language, ID requirements and distance to voting locations, still prove to be challenges to Native Americans looking to vote.
  • In the May primary, West Virginia tested Voatz, a voting technology utilizing blockchain. The test allowed a small group of deployed and overseas military service members from two counties to pilot the program and determine its usability and feasibility. This is the highest profile use of blockchain technology in U.S. elections to date. Skepticism about the security and implementation of blockchain remains high.
  • The race in Virginia’s 94th district was perhaps one of the closest races in 2017 and captivated America’s election geeks when the winner was chosen by drawing a name out of a hat. However, a report by the Washington Post claims that over two dozen voters where assigned to the wrong district and should have voted in the 94th instead of the 93rd. 
  • The Senate Intelligence Committee released a declassified version of a classified assessment on Russia’s actions during the 2016 Presidential Election. The assessment was made by the CIA, FBI, and NSA and discusses the motivations, use of cyber tools and actives undertaken by Russia.
  • On May 1, primary day, the Knox County Tennessee’s election night reporting webpage fell victim to a distributed denial of service (DDoS) attack by malicious actors. Even though the attack had no impact on the outcome of the election, it did shut down the website for an hour. The attack demonstrates the ability of malicious actors to affect the status quo and potentially damage confidence in the election process, without affecting any votes themselves.
  • Jigsaw, a tech company owned by Google, has announced that Project Shield, their DDoS protection tool, will be available to any campaign, candidate, or political action committees for free. These groups are also becoming targets of malicious actors and this tool help protect elections.
  • New to NCSL’s election information is a completely revamped post-election audit page, a new page on 17-year-olds voting in primaries, a corresponding blog, and another blog on candidate names on ballots.

From NCSL's Elections team

A graphic that reads "From NCSL Elections Team"As we put this Canvass to bed, 12 states are still in regular session, and four are in special sessions. That means most states are out for the summer. For NCSL, summer is busy getting ready for Legislative Summit, July 30-Aug. 2, in Los Angeles. This is our biggest annual shindig, and we’ll have a tour of the Los Angeles elections facility, lots on election security and other related topics. Here’s the link to the elections and redistricting sessions, and the link to the registration page.  (I have it on good authority that the early bird rate can still apply for legislators and legislative staff, even though we’re past the deadline. Please come!

And as always, let us know what’s on your mind, elections-related or otherwise.

Dylan Lynch and Wendy Underhill