Election Tech Providers Offer Advice on Cybersecurity and More
Who runs elections in the United States? The easy answer is “the states.” To be more specific, “states” means that state and local election officials share responsibility for voter registration and voting—based on policies established by each state’s legislature.
There’s another set of experts who rarely get the limelight (and, in fact, do not want any limelight), and those are corporations that provide technology and services to election officials. These companies may specialize in creating or maintaining voter registration databases, electronic poll books, polling place equipment, vote counting technology, ballot design and printing, electronic ballot delivery, tracking for absentee ballots, or some combination of these and other related tasks.
Representatives of many of these election tech providers were in Des Moines, Iowa, last month, for a meeting held in conjunction with the summer conference of the National Association of Secretaries of State (NASS). While they are competitors when it comes to the marketplace, if federal policy is at hand, they work together on the Subsector Coordinating Council (SCC) to the Election Infrastructure Subsector, the newest “critical infrastructure sector” recognized by the Department of Homeland Security.
The SCC and its individual members are policy-neutral; they don’t have a horse in the race on voter ID, absentee voting rules and timelines, how voter registration is offered or any other policy question legislators might tackle.
“Whatever legislators decide, we want to be sure the outcome can be done securely, accurately and accessibly,” says Sam Derheimer of Hart InterCivic, a full-service provider in the elections sphere.
Because these folks know their onions, The Canvass asked them what advice they might offer to legislators. We’ve summarized their suggestions below.
Legislate the desired outcome, not the details.
Some states, by tradition, have barebones statutes and leave interpretation to the official who has rulemaking authority. (For elections, this is often—but not always—the secretary of state.) Other states tend to have very explicit statutes. The level of detail a legislator specifies in a bill may depend partly on the state’s pattern and partly on the bill author’s trust in the official who has rulemaking authority.
From the technology provider’s perspective, with all other things being equal, less is more. “We appreciate your policy approaches that are neutral and nonideological to best serve all of the elections community with confidence,” advises Kay Stimson, of Dominion Voting Systems. “Neutral,” that is, in the sense of not prescribing how something is to be done, but rather setting a desired outcome—which could, potentially, be achieved through more than one approach.
“I’m deeply impressed by how many really great, well-read, tech-savvy legislators we see. And they are great allies when they work together with election officials,” Stimson adds.
An example: This year North Dakota replaced references to “electronic voting systems” with “voting systems,” a technology-neutral term that allows for multiple approaches.
Avoid naming specific technology solutions because tech is ever-changing.
Not naming a specific technology in statute is a derivative of the goal to “legislate outcomes, not details.” It’s worth highlighting on its own because “tech is changing so rapidly, you don’t want your choices in statutes,” Steve Trout, of VotingWorks, says. “Stick to high level principles because otherwise you’re going to need to change that statute every year. If you put in the specs for an iPhone 1, you’re stuck and can’t move on to have the iPhone number we’re currently on.”
For instance, in its 2021 session, Louisiana re-established the process for approving voting systems. The previous language called for touchscreen voting devices that included a voter-verifiable paper record of each vote; the new language specifies that a paper record—most likely the ballot—is required, without stipulating how it is to be created. The bill also creates a commission to oversee the selection of new voting systems.
Elections cybersecurity is trickier than cybersecurity elsewhere.
For bank transactions, it’s great that our systems know who is on either end of a transaction so errors can be tracked backwards and fixed. With voting, the goal is to not track a specific ballot back to a specific voter (that’s what a “secret ballot” means, after all). That makes elections harder than banking, cybersecurity-wise.
Also, decentralization and the use of lay people in an intensely IT-related field add to the intricacies of protecting against cyber intrusions. “The infrastructure is placed in the hands of Grandma and Grandpa, twice a year on average, and deployed across the nation in tens of thousands of polling places,” says Ed Smith, from Smartmatic, another full-service elections provider.
Because elections and the technology it takes to run them are unique, “so too should be the people tasked to protect it all from cyber threats,” says Chris Wlaschin, the VP of systems security for Election Systems & Software, one of the nation’s largest providers of elections equipment. “An expert who knows both elections and cyber is your best bet to protect your environment.”
Finding that expert isn’t easy. Some states are hiring “cyber navigators” at the state level to assist local election officials who may not have the required expertise. At least seven states have cyber navigators now; Illinois was first to make such an enactment in 2018.
Mailing ballots can be more difficult than mailing other items.
For most mail, “it's a bummer if something is late but it’s not existential; if ballots are sent out a week late, that’s a real problem,” says Maria Bianchi, of Democracy Works, a not-for-profit technology group. The organization provides the Voting Information Project to states to help voters know how, when and where to vote, and Ballot Scout, a ballot-tracking system for absentee ballots that allows election officials and voters to follow ballots through the Postal Service.
Mailing timelines matter, and so does the technology to produce and process those mail ballots. The COVID-19 pandemic created a larger demand for absentee/mail ballots in 2020, which in turn drove up demand for paper ballot tabulators—and for ballot stock. Ballots cannot be printed on just any type of paper—tabulators require heavier ballot stock, and the wrong kind of paper doesn’t work in the tabulators (a feature, not a bug). Planning for the right materials, machines and schedule is essential.
Supply chain security came to the nation’s attention in 2020 for personal protective equipment—but it matters for elections too.
In the last year, an understandable interest has surfaced in how “American” election technology is. In 2021, Texas enacted the first law to address this, requiring that all voting systems approved in Texas must be manufactured, stored and held in the U.S., with definitions of what those phrases mean. It states that all firmware and software must be installed and tested in the U.S. and calls for a feasibility study of requiring all voting system components to be made in the U.S. as well.
“My job forces me to deal with reality,” says Wlaschin. “And the reality is that voting systems, just like other technologies—some of which are the difference between life and death, such as a pacemaker or a defibrillator—rely on foreign-sourced parts in their hardware. These parts might be a screen, or plastic housing or other, more integral components. The bottom line is there are no voting systems made entirely in the United States. None. Many are assembled here. Many have the majority of their parts sourced from America. But to source 100% of components from the U.S. is not just a tall order, it’s likely an impossible one.”
What can legislators do? They can adopt a requirement that any technology used in their state is in accord with the latest voluntary voting system guidelines (VVSG 2.0) from the U.S. Election Assistance Commission (EAC) and is tested by Voting System Test Laboratories, U.S. based companies accredited to test voting systems. The EAC also provides a list of manufacturers that are eligible to submit voting systems for federal testing and certification in the U.S.
Audits are hot—and they're technology-based.
Two-thirds of the states require postelection audits, and many are moving toward statistically based audits, known as risk-limiting audits, at least on a pilot basis. In 2021, Alabama, Kentucky and Texas all enacted audit laws, and New Hampshire established a committee to study postelection audits. At NASS’s summer meeting, the organization released postelection audit recommendations.
“Audits are going to be the hot topic for some time to come,” says Stimson. “It’s not just how to do them, and what to audit, but the who and the when.” Many of the details relate to technology. Are paper ballots used? Is a cast vote record (a spreadsheet-like list of all votes counted, without a trace to who voted of course) available? Are the paper ballots easily retrievable if needed for the audit? Does the state want to make ballot images (again, without any record of who voted them) available to the public? Election officials and the companies that support them can answer—and so can experts in the nonprofit sector. See the Knowing It's Right guides to risk-limiting audits; the author, Jennifer Morrell, may be able to provide technical assistance at no cost to the state.
Election technology providers can be helpful before drafting legislation begins.
Legislators know to go to subject matter experts when developing their policy ideas. They may not think of election technology providers as similar experts, but they could.
“Bills are written by people with an interest in the voter experience, which is great,” says Bianchi, of Democracy Works. And yet, “If you aren’t thoughtful about the ways state and local election administrators will be implementing the new law, you can end up creating legislation that falls short of the intended impact.”
Bianchi, Stimson and other providers recognize that a state’s election officials are the obvious go-to people when a new idea is heading toward bill drafters. Those officials will provide the best “how it works” information—and they may connect legislators with technology providers for details on how technology can help a state reach its policy goals.
News Worth Noting
Election Administration Reports Ends 50-Year Run
In June, "Election Administration Reports" stopped publishing after 50 years—yes, that’s half a century! These bi-weekly reports, started by Richard Smolka, strived to provide balanced, factual coverage on a range of election administration issues.
Election Guidance From the DOJ
The U.S. Department of Justice issued a pair of new guidance documents for states and voters. "Federal Law Constraints on Post-Election 'Audits'" concerns federal laws governing the retention and preservation of election records and those prohibiting intimidation of, or interference with, any person’s right to vote or to serve as an election official. "Guidance Concerning Federal Statutes Affecting Methods of Voting" provides guidance regarding certain federal voting rights laws enforced by the DOJ.
GIS Model Statutory Language
The GIS and elections experts at the National States Geographic Information Council have crafted model statutory language as a resource for anyone trying to create and enact statutes regarding GIS for elections. Find the council's best practices for GIS in elections here.
Monthly Dose of Cybersecurity
Idaho Falls, Idaho— A new task force will tackle issues of cybersecurity with a special focus on elections security. The 19-member task force comprises cybersecurity experts, government officials and three legislators: Senator Jim Woodward and Representatives Brooke Green and Dustin Manwaring.
Washington, D.C.—VoteShield, a project of Protect Democracy, is a cybersecurity platform designed to monitor voter registration databases. Using publicly available data, the tool tracks changes to voter rolls with the goal of identifying irregularities and spotting possible malicious activity. For more information, see VoteShield’s fact sheet.
New York City—Global Cyber Alliance has created a free cybersecurity toolkit to help improve the cybersecurity and integrity of elections. The toolkit is intended to support election offices and help implement recommendations from the Center for Internet Security’s Handbook for Elections Infrastructure Security.
Colorado Investigating Password Breach
Colorado officials are investigating a potential chain-of-custody and security protocol breach of Mesa County’s voting system after the county’s election system passwords were posted online. The breach, according to the secretary of state’s office, did not create an imminent, direct security risk and did not occur during an election. National experts indicate that copies of the voting system proprietary software have been released to the public, raising further security concerns. Mesa County commissioners have voted to replace the compromised equipment.
California 2021 Recall Election
The California gubernatorial recall election is Sept. 14. “It is a short but counterintuitive ballot question,” Kim Alexander said, in a recent California Vote Foundation news release. “Voters who are for keeping Gov. Newsom in office should cast a 'no' vote on the recall question. Voters who are against keeping him in office should vote 'yes' on the recall question.” The California Online Voter Guide is a nonpartisan resource designed to help voters with the upcoming statewide recall election.
On-Cycle Elections May Double Voter Turnout
A new study from researchers at the University of California, San Diego examines how moving from off-cycle to on-cycle elections may double voter turnout and increase representation during local elections. The study found that moving local elections onto general election dates in California led to a considerably more representative electorate in terms of race, age and partisanship—especially when the local elections coincide with a presidential election.
CivXNow Policy Summit
CivXNow, a coalition of organizations dedicated to improving K-12 civic education, will host a two-day virtual summit on Sept. 21 and 22 to support policy action on civic education. NCSL is a co-sponsor for this event, which will bring together state legislators, state education leaders, philanthropic leaders, members of the press and others. Register here.
Just the Facts
Arizona’s Maricopa County—the country’s second largest voting jurisdiction—has created a new webpage, JustTheFacts.Vote. The resource aims to bust myths and clarify some of the complexities surrounding elections.
Anne Dallas Dudley Award
Tennessee launched the Anne Dallas Dudley Awards for high schools that meet student voter registration thresholds. Named for renowned suffragist Anne Dallas Dudley, the awards recognize high schools that reach at least 85% voter registration of eligible students. All Tennessee public, charter and private schools as well as home school associations are encouraged to participate in this program.
From the NCSL Elections Team
Join us on Thursday, Sept. 9 at 2 p.m. ET for a free webinar on recent Supreme Court elections cases. Experts Jessica Ring Amunson, from Jenner & Block, and Erin Murphy, of Kirkland & Ellis, will provide a deep dive into two recently decided SCOTUS elections cases: Brnovich v. Democratic National Committee and Americans for Prosperity Foundation v. Bonta. You won’t want to miss learning what these decisions mean for elections, campaigns and state legislatures. Register here.
Do you have a policy question or research request? Send us an email—we can help.
—Mandy Zoch, Wendy Underhill and Christi Zamarripa