NCSL’s The Canvass

Cybersecurity for elections: everyone's responsibility

Remember the 2016 election? Of course you do—it was a presidential election, and each of those is memorable in some way.

For this most recent election, what’s memorable—besides who won and lost—was the unprecedented level of skullduggery. Emails stolen. False stories planted. Foreign interference.

Yet for all the issues, the core of our election system held strong. “Bad actors” (a term of art amongst cybersecurity specialists) did not get into any voting systems and change any votes. They also didn’t change voters’ records or prevent voters from doing their civic duty. And they didn’t put a cyber wrench in anywhere to create a “denial of service” problem to cause long lines and confusion.  

Again—none of that happened in 2016, as far as we know.

What we do know from the Department of Homeland Security is that intrusions into voter registration systems (but not vote-counting systems) were attempted in at least 21 states. Even so, as far as we know no records were changed, added, deleted or copied. In fact, in almost all those states, there may have been a cyber “knock at the door” of registration systems, but existing cybersecurity procedures blocked those bad actors.

Could far worse happen? That’s what experts are asking—and trying to prevent.  The 2016 election provided a wake-up call for all states, all counties, all candidates, and all parties that election systems can be—indeed probably will be—targets for attacks. And that’s not ok. “I think we can 100 percent agree that American voters should decide our elections, and no one else,” says Matt Rhoades, campaign manager for Mitt Romney in 2012 and now one of the leaders of Defending Digital Democracy (DDD), a bipartisan effort to improve cybersecurity in the elections sphere.  

Starting with that cold assessment, NCSL has gathered short, medium and long-term thoughts about cybersecurity and elections from a legislative perspective. Stay tuned, because this topic is growing and changing.

Short term
Anyone who has anything to do with elections—and that includes legislators when they wear their candidate hats—can start using safety precautions that are already available. That means requiring strong passwords; asking their IT experts if Kaspersky software should be removed (the Department of Homeland Security issued a directive to government entities to do so); activating existing security software that may be built into your systems (the term “threat intelligence” is key); updating software as the vendor suggests; and training and encouraging staff to avoid phishing efforts. “From personal experience, I can say also don’t use personal email accounts!” said Robby Mook, the Hillary Clinton campaign manager in 2016, and a leader of DDD.

DDD has just released a Cybersecurity Campaign Playbook. Much of what it contains applies to any government office, including those that run elections.

One of the easiest ideas is to set an example. Cybersecurity sounds like spycraft, 007-style. And yet, human behavior is what makes the difference. Leaders (and legislators) can create a culture where security matters. If it is an expectation from the top, it is more likely to become standard operating procedure.

One last short term idea: ask your election officials to review existing contingency plans. Contingency plans often address what to do in the case of floods and fires—but a cyberattack may be an even more likely emergency. 

Medium term
In the medium term—say, before summer 2018—focus on statewide voter registration systems. These are an obvious target as demonstrated last year. These systems contain personal data that might be attractive to bad actors, even those with no interest in election outcomes. Most registration databases were developed in the mid-2000s, and many are due for upgrades. Some of these systems are “homegrown,” meaning that state staff built them; others are created by vendors. Money may be required for updates either way.

The idea is to ensure that data is protected when it is standing still (in a database) and when it is in transit (information being added or exported). Is each step done well, and are there redundancies at every point? Yes? Good.

Don’t know how? Administrators can call for help. It’s a computer science axiom that you can’t fix your own bugs, so go find someone who can find pitfalls for you. Help could come from the Department of Homeland Security. Any state or jurisdiction can ask DHS for a security audit, advice on how to monitor for intrusions, help understanding what their “attack surfaces” may be and, especially, ideas for building in resiliency. The advice is likely to suggest having multi-layered defenses and backing up back-up systems.

Google offers Protect Your Election software to all election administrators. It is free, and it provides “denial of service” protection against attackers who may try to flood a web portal with so many requests at the same time that the system goes down. States are even turning to students to get cyber assistance, and West Virginia is partnering with the National Guard for cyber improvements relating to elections and voter data.

More midrange ideas:

  • Begin requiring dual authentication—a physical fob as well as a password. Many private corporations already do so, and the military has long used “Common Access Cards” for security. As suggested by DDD, do not use texts to a cell phone, which are easily duplicated.
  • Think about testing protocols in the pre-election phase (chain-of-custody procedures and logic and accuracy testing) and protocols for the post-election phase, such as post-election audits.
  • Follow best practices. These may come from the election system vendors or the U.S. Election Assistance Commission (whose mission is to support elections in the states).

Long term
Running elections has been likened to running an IT shop often enough—and that becomes truer all the time. And where’s the action in IT? Security. 

The responsibility for this often lies with the executive branch, often the secretary of state’s office. And yet legislators can’t sit back. “While homeland security is talking to the secretary of state offices, and while LEOs are doing their best to keep up with this new world, state legislators need to make sure that our election codes provide for best practices to be implemented,” says Senator Daniel Ivey-Soto of New Mexico. “We need to give election officials enough freedom to respond to challenges as they come up, as well as making sure our election codes contain the proper procedures in statute so everybody understands the rules of elections from beginning to end.”

Many states and jurisdictions are looking at purchasing new elections technology in the next few years, and legislators are often part of the decision-making process, sometimes by creating task forces. Security of the systems can be a top-of-the-list priority. Not that security supersedes other valuable characteristics of a system (accuracy, reliability, accessibility for all voters, cost-effectiveness and more) but security has to be among the prime considerations.

What Legislators Can Do

  • Hold an informational hearing on election security; invite your state and local experts to explain their current processes.
  • Set up a task force on elections, either relating to equipment or security.
  • Most states require logic and accuracy testing before an election, where all machines are tested to assure they are functioning and counting correctly. If your state does not require it by state law, it is likely to be common practice. Should it be codified?
  • Consider requiring post-election audits, so that results can be sampled after the fact as a spot-check on accuracy. 32 states have laws of this nature already in place, and in 2017, two more states enacted legislation to do so.
  • Is there a law that requires elections officials to compare the number of voters who checked in at a polling place with the number of ballots that were cast? The term of art is "ballot reconciliation." Sometimes a voter gets a ballot and then decides not to cast it—that can be recorded. Reconciliation is something of a shield against leaving a box of uncounted ballots in a trunk.
  • Provide security-specific funding. While many security efforts don’t require the purchase of new hardware or software, staff may be required to train local officials, or to implement best practices.
  • Take a role in deciding if DHS should be invited to review your state’s systems. DHS is offering a “free” resource, but some have concerns about federal intrusion into running elections—a state responsibility.

Registration of Voters in the United States: A 1929 Noteworthy Text

You can find “Registration of Voters in the United States” by Joseph Harris as a Google book online, but the dusty print version from 1929 provides the smells, looks and the texture indicating that this is a venerable tome.

The content of the 88-year-old book is great, too.

It offers not a word about the formation of statewide voter registration databases, provisional ballots, online voter registration, automated voter registration, or postcard registration—all modern-day inventions. Instead, it records the birth story of voter registration in the United States. Reading it now, the first takeaway is that while we have a great deal of variation between state registration systems, they’re not as varied as they used to be. 

Prior to 1800 there was no voter registration anywhere in the United States. (Now North Dakota is the only state without registration.) Massachusetts was the first state to enact a law requiring an official voter list to be prepared in advance of elections; the year was 1801. Assessors of every town and plantation were required to prepare lists of qualified electors twenty days before the election each year. The purpose was to ensure that only those who were eligible to vote could vote. While times have changed (originally only white male property owners were eligible), registration still serves the same purpose.

Registration laws gained traction in New England states first. They quickly became a strategy used to gain an advantage for one party over the other. For example, in Pennsylvania in 1836, a law was passed dictating registration requirements in the city of Philadelphia, a Democratic stronghold even then. Assessors in Philadelphia were required to prepare lists of all qualified voters. Proponents claimed the law was necessary to reduce electoral fraud, while opponents (largely Democrats) alleged the law’s real intent was to reduce the vote of the poor and working-class, who were less likely to be home when assessors conducted the door-to-door registry.

Who can vote is one question; who holds responsibility for registering voters is another matter. After the Civil War, governments—especially municipalities—played an increasing role in regulating elections.  A few examples:

  • Chicago 1880: Voters were required to appear in person before election judges on a Tuesday, three or four weeks prior to every election. Elections clerks would then conduct a house-to-house canvass to verify the names of all adult male registrants whom they suspected to be improperly registered. One can easily imagine the fraud that could occur amongst the designated fraud-finders.
  • Boston 1896: A permanent registration procedure was adopted in which the police conducted an annual canvass to identify eligible voters.
  • Milwaukee 1911: Enacted a permanent registration procedure and kept card records of voters that the police purged by canvassing the neighborhoods. 

From the outset, the cost of registration, who was responsible for registration, the length of the registration period before an election, and even whether registration was needed at all have varied. Sound familiar? Some of those same issues still drive policy debates today.

Interested in “Registration in the United States”? It’s yours for $124 on Amazon.

Register Now For NCSL's Capitol Forum

Save the date: NCSL’s Capitol Forum will take place Dec. 11-13 in Coronado, Calif. We have some great election sessions lined up including Redistricting 2020: Questions Legislators Should Be Asking Now and Finding (and Mitigating) Vulnerabilities in Elections Processes. Add in a tour of San Diego's new Elections Office, great issue forums and it’s a can’t-miss event. See the online agenda for more information and register soon.

From the Chair

The Canvass spoke with Representative Dan Zwonitzer on Sept. 28 in the Jonah Building, the temporary home of the Wyoming Legislature while the State Capitol is undergoing remodeling. Rep. Zwonitzer is the chair of the House Corporations, Elections & Political Subdivisions Committee and represents House District 43, which includes Laramie County. He has served in the Wyoming House since 2005.

Q. How does working in a legislature that is dominated by one party alter how the committee functions?

When I started we had enough Democrats that we were within a two-vote threshold of having a veto-proof majority. Right now I only have one Democrat on my committee of nine, whereas there used to be three. I’m not sure if it’s due to partisanship or not but we’re not getting the same quality and length of debate and vetting of legislation. Formerly the check of the governor being from another party made sure that the legislature passed well-vetted legislation. We have lost some internal checks and balances due to the current 51 to 9 split.

Q. What values do you hold as you think about election policy issues as they come before your committee?

Fairness is always the number one. It is difficult in a state where we have such a Republican majority to ensure the rights of the minority, whether Democrat or another party. For instance, if you’re not a Republican in the state, same day voter registration is one way non-Republicans feel that they get a voice. With same day registration, voters can change their party and vote in a primary right away and then change it back afterward. So as a chairman, I’m very much aware that we have partisan dynamics at play throughout the state that are causing election difficulty, especially in primary elections where the primary is the major election contest for candidates.

Q. What are the major election administration priorities for you and Wyoming?

The overarching concern on all of the election issues is finances. New election equipment is going to be a huge fight, because historically the state hasn’t paid. Counties run elections but now have limited budgets. Counties are looking at their outdated equipment and have a concern about replacement, while the state doesn’t see it. Counties can’t afford continuing the elections as they’ve been doing them. But there’s no one solution which works best for every county and is currently cost realistic.

Q. What are you most proud of in Wyoming?

One of the great things is that anyone can run for office here. That’s partly because we’re a one-party state, and it’s partly because we don’t have a lot of restrictions on campaigns. We try to be generous in the law and give people the benefit of the doubt in running for office. Anyone can run and anyone can get elected.

There’s some pride in Wyoming that if you go negative, people will call you out for it. We also don’t have long elections. It’s poor form to announce before February or March, six months before the primary. With the short election cycle, even statewide you can go and meet most people you want to meet. I give my cell phone number out and I have a Facebook page that overlaps with public life. We are very much accountable public servants at all times here.

Q: How did you get selected to chair the elections committee?

This is my seventh term, and I’ve always been interested in government. I was always fascinated with elections and government process and got really lucky to be placed on the Corporations committee at the start of my second term. On this committee, the issues can be both really intricate, with utility and insurance law. After a while, I was one of the few left who had a good grasp of the issues. I’ve been chairman for three years now.

Q: Has there been anything surprising to you since becoming chair?

The most difficult part of being chairman, I think, is that you’re always thinking about process. Before becoming chair, I got to ask the hard-hitting questions. Now as chairman, I have to be the one setting the example in following parliamentary procedure and making sure everyone who wants to ask a question or wants to testify gets to, all while watching the clock. 

 

The Elections Administrator's Perspective

Phil McGrane is the Chief Deputy Clerk in Ada County, Idaho. Ada County, which includes the city of Boise, is Idaho’s most populous county and has the state’s largest elections office. McGrane spoke to The Canvass August 19 to discuss food truck voting, elections security precautions, and what legislators need to know about their elections officials.

Q: How did you get into the business of elections?

I fell into it to a certain degree. I actually started in elections back in 2005, right out of college, after I graduated with a philosophy degree and a minor in ethics. I’ve always had an interest in politics and elections. Right after the Help America Vote Act [HAVA], I was rolling out some of the new equipment like accessible voting devices, but my primary responsibility was training and recruiting poll workers.

Q: Tell us a little about how “food truck voting” works in Idaho. What inspired you? Sounds delicious.

We launched it last year during the presidential election. It was sort of an experiment. The first model was described as firework stand voting—here in Idaho there are stands in the grocery store parking lots selling fireworks. The neat thing with that is that they’re little self-contained units. And one of my hobbies is that I’m a competitive BBQer. I travel around the country with my father-in-law cooking BBQ. Our set-up is similar in that we have a trailer and a couple of pop-up tents in front of it. The similar design is what’s made it so affordable.

Q: How does food truck voting help with voter accessibility? How often is it used?

It’s been used almost every election. We have multiple early voting sites in Boise, our biggest city, but we have some smaller rural cities where they’re really in our outlying parts of the county. We’re going to load up the trailer and spend some time in each of these little towns. They won’t have to drive up to Boise to early vote. We also reach out to places like Boise State University, the locations of our biggest employers and places where there are a lot of people. It avoids those long lines that people associate with voting, and it really aims to help out voters. And it’s all with the aim of shifting people to vote over a longer period of time. When we first used it, our biggest problem was that it was too popular. There were huge lines. I think we could’ve voted more people, but we got more polished as time went on.

Q: What are the issues your county faces?

We had elections prior to 2000, but they were often overlooked as an industry, people didn’t scrutinize them and there were a lot of small vendors. But once Florida happened, the attention all-around increased. Now we’re having to integrate more tech at our polling locations just to facilitate the complexity of the process. That all stems from greater regulation of the industry. What you intend in a legislative committee hearing versus what actually happens when you deploy it for 200,000 voters can sometimes appear very, very different.

Q: Does “voter confidence” or “election security” come up for you now more than previously?

Absolutely, but probably not as much as the general public thinks. We were proactive when the first email disclosures came up last summer before the presidential election. Our office and the county IT department started having conversations. Idaho was never really a target as a mostly one-party state, but it also has a very libertarian mindset. We were more concerned to make people feel safe and comfortable about our system being secure.

Q. What steps have been taken to make people feel safe and to secure the election?

We contracted with a cybersecurity firm to try to hack into our system—a penetration test specifically focused on our elections system. One part of the test specifically focused on our early voting as we are relying on more technology for that. It was eye-opening. This guy was super friendly, very helpful, and could do terrible things with his laptop. But he was never able to get to our elections system where the votes are actually tallied and counted, so that was reassuring. He did make recommendations, and we were able to beef up our security as a result. I would recommend it to our secretary of state and other parts of our state and anybody really. Be proactive about security rather than being caught in a situation where you’re flat-footed, and be transparent with the public about what you’re doing.

Q: What do you wish legislators knew about your work?

One of the things we do, and that I would encourage any legislator to do, is to tour the elections office. I’d encourage them to do their local one, and if they’re from a rural area, to also tour their capital or big city. The best way to think of elections is to think of it as a giant logistics operation. I describe our office as the largest event planning office in the state of Idaho. Boise State football games are really big here, and they have to incorporate all the same stuff we do. Or it’s like a wedding. But instead of inviting your family and friends, it’s 200,000 of our closest friends all showing up. And we do it across 125 locations all at once. That’s the biggest thing for legislators—just walk them through all the parts. Most people don’t even know that such a place exists. When most people think of voting they picture their local polling location, not this giant logistics space. I think it informs better policy if they’ve seen firsthand and can appreciate things as they’re drafting legislation. How is someone actually going to do this? What will this actually look like?

Q: Can you give an example when this could pay off?

We hired a marketing firm to help develop some quick guides and training tools for both our poll workers and our voters to help and explain this decision-making process. Some of our workers weren’t using the materials. At one place they got their scissors out and cut up the material, because they didn’t like the design and designed it themselves. Despite our best intentions, you got to see how it actually worked when deployed. We’ll have up to 1,400 poll workers on Election Day and that’s just a lot of people. To get them all to do something the same way is a big ask. That’s how I think—if a legislator gets to see their elections office when they’re drafting legislation they can appreciate things. I know how this will look from 30,000 feet, but how will it look like when somebody has to do it?

Q: Is there anything that comes up every election year?

Something on a legislative level is trying to make it simple enough to execute it. We’ve had such a greater interest of legislators trying to legislate in the elections arena, which is not necessarily good or bad. Before Bush v. Gore and HAVA, I would say most elections offices were not heavily involved in the legislative process. We’ve had to make a role in elections offices to deal with the legislative policy arena, since it’s so often being tinkered with. Some people have great intentions, but some are trying to gain a competitive advantage. It’s sort of tough to wade through that.

Q: Is there anything else you think that should be covered?

Updating some of our state’s laws is an on-going issue. Our campaign finance laws were written as a citizen initiative in the 1970s. Now, legislators are going to have to revamp or rewrite our laws. Or for instance, Idaho was one of the last states to use punch cards. Many of our laws were written with punch cards in mind, and now we’re trying to make these laws work with modern equipment even though the equipment works on very fundamentally different methods. It gets very challenging to use modern technology with old statutory framework. Elections are unique in that the modern tools we have don’t work with old legal framework. 

Ask NCSL

How many states have laws that prohibit tampering with voting machines?

At least 33 states have statutes that prohibit tampering with voting machines, systems or other vote equipment. Penalties range from fines to felonies and terminology varies throughout state statutes—some states cite “electronic voting machines” explicitly (like Alabama) while others broadly encompass “voting equipment or materials” (like Indiana). All 50 states might also apply computer crime statutes in addition to tampering laws. In addition, NCSL’s webpage on State Computer Crime Statutes, covering hacking, malware and unauthorized access, provides laws that aren’t specific to elections that could be used to prosecute hacking of elections computers (see, for example, this article).

Worth Noting

2018 already?!? We all know that election officials have likely been preparing for 2018 for months now. NCSL’s webpage on 2018 State Primary Election Dates is updated and ready to go. Also see updated/revamped pages on Same Day and Election Day Registration and Felon Voting Rights.

2017 is the year of risk-limiting audits. Two states enacted legislation to require risk-limiting audits this year: Virginia (SB 1254) and Rhode Island (SB 413/HB 5704). This year will also be the first year for Colorado to implement risk-limiting audits, which passed in 2013. Risk-limiting audits use the margin of victory and statistics to decide how many ballots need to be examined in order to confirm the election results. Need a post-election audit primer? See NCSL’s Post-Election Audit page.
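How the margin of victory drives the number of ballots examined, as an added example that is not NCSL's or any state's audit code: a ballot-polling audit in the style of the BRAVO method, which is one specific kind of risk-limiting audit and goes beyond the general description above. It is simplified to a two-candidate contest, and the function names and sample ballots are constructed for illustration.

```python
import math


def expected_sample_size(winner_share, risk_limit):
    """Approximate number of ballots a ballot-polling audit examines before
    confirming a CORRECT reported outcome (Wald approximation).

    winner_share: reported winner's share of the two-candidate vote (> 0.5).
    risk_limit:   maximum chance of confirming a wrong outcome, e.g. 0.05.
    """
    if not 0.5 < winner_share < 1.0:
        raise ValueError("winner_share must be between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk_limit must be between 0 and 1")
    p = winner_share
    # Average evidence gained per ballot if the reported shares are true.
    gain = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.ceil(math.log(1 / risk_limit) / gain)


def ballot_polling_audit(sample, winner_share, risk_limit):
    """Sequential test over randomly drawn paper ballots.

    sample: ballots in the order drawn; "W" = reported winner,
            "L" = reported loser, anything else = no valid vote.
    Returns (confirmed, ballots_examined). If confirmed is False the sample
    ran out without enough evidence and the audit must escalate (draw more
    ballots or do a full hand count).
    """
    if not 0.5 < winner_share < 1.0:
        raise ValueError("winner_share must be between 0.5 and 1")
    threshold = math.log(1 / risk_limit)
    step_w = math.log(winner_share / 0.5)        # evidence for the outcome
    step_l = math.log((1 - winner_share) / 0.5)  # evidence against (negative)
    evidence = 0.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            evidence += step_w
        elif ballot == "L":
            evidence += step_l
        # Ballots with no valid vote leave the evidence unchanged.
        if evidence >= threshold:
            return True, examined
    return False, examined


if __name__ == "__main__":
    # Narrower margins need far more ballots at the same 5% risk limit.
    for share in (0.60, 0.55, 0.51):
        print(f"reported winner share {share:.0%}: about "
              f"{expected_sample_size(share, 0.05)} ballots")

    # Constructed sample: 200 ballots drawn in a repeating W,W,W,L,L pattern.
    constructed = list("WWWLL" * 40)
    print(ballot_polling_audit(constructed, 0.55, 0.05))

    # Constructed sample that looks like a tie: the audit never confirms.
    tie_like = list("WL" * 100)
    print(ballot_polling_audit(tie_like, 0.55, 0.05))
```

A result of `False` does not mean the reported outcome is wrong, only that the sample did not supply enough evidence at the chosen risk limit.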

California voters opine on vote-by-mail. The California Voter Experience Study: A Statewide Survey of Voter Perspectives on Vote-By-Mail and Vote Centers finds that Californians have concerns about vote centers and voting by mail. The majority of voters don’t like the idea of vote centers replacing neighborhood polling places, and many aren’t willing to travel to get to a vote center location. Many expressed reservations about the USPS and its ability to get their ballot delivered safely. The study notes that opinions may change once more voters have these options, though—change is always hard. 

Voting twice? Five states—Colorado, Delaware, Maryland, Oregon and Washington—participated in a study to identify potential cases of double voting in the 2016 presidential election. Colorado reports 10 people who voted in the Rocky Mountain state are suspected of casting two ballots in its elections and 38 people may have voted in Colorado and one of the other four states that participated in the study. The state plans to investigate these instances, since administrative errors, rather than fraud, could be to blame.

The elections ecosystem. Ever wondered how election law affects election administration, public trust and voter engagement? The Democracy Fund has an Election Administration and Voting systems map that looks at relationships between all of these things and the core dynamics between them.

Who votes with automatic voter registration? A new report studies the impact of Oregon’s automatic voter registration program, the first to implement an opt-out policy of voter registration. Eligible citizens are automatically registered to vote unless they actively opt out. The study examines demographics and voter turnout under the new system.

So many acronyms, so little guidance. The Supreme Court has scheduled oral argument on Jan. 10, 2018, in Husted v. A. Philip Randolph Institute. The lawsuit challenges Ohio's procedures for maintaining voter lists as required by the Help America Vote Act (HAVA) and the National Voter Registration Act (NVRA). A decision in the case is expected by June 2018.

Ranked choice voting. Here’s a RCV Implementation Plan provided by the Ranked Choice Voting Resource Center. And here’s what NCSL’s magazine, State Legislatures, had to say about RCV.

Illegal Ballots in Pennsylvania? A report from Pennsylvania's Department of State suggests that as many as 544 votes were cast by noncitizen immigrants between 2000 and 2017 in the Keystone State. The apparent source of the problem is a glitch in the state's electronic driver's license system. If the number is correct, the 544 illegally-cast votes would amount to 1 out of every 172,000 ballots cast in Pennsylvania since 2000.  

Electioneering to be examined at the US Supreme Court. The Supreme Court has agreed to hear the case of Minnesota Voters Alliance v. Mansky, which will decide whether banning political apparel at polling places violates the First Amendment. At least eight states (Delaware, Kansas, Montana, New York, South Carolina, Tennessee, Texas, and Vermont) other than Minnesota have enacted similar bans. On top of this, states vary widely in how they define electioneering and how they regulate it.

From NCSL's Elections Team

Here’s the good news: Beth Hladick is providing support to our elections team. That means many things, one of which is that she wrote the story about the history of voter registration. Here’s the other good news: NCSL’s Forum this year (Coronado, Calif., Dec 10-13) will offer programming with a strong emphasis on elections security. Search the full agenda with “Redistricting and Elections.” We’d love to see you there.

What’s your good news? Please share it with us.

—Wendy Underhill, Beth Hladick and Patrick Potyondy