The Department of Justice (DOJ), Department of Defense, Department of Homeland Security (DHS), Director of National Intelligence, Federal Bureau of Investigations (FBI), National Security Agency, and the Cybersecurity and Infrastructure Security Agency have all concluded that foreign adversaries will try to interfere in the 2020 elections. While additional federal funding could significantly help secure the country’s election infrastructure, states shouldn’t wait for the federal government to act. Below are different actions three swing states — Pennsylvania, Ohio, and Wisconsin — have taken that illustrate the kinds of things states can do to secure their elections. These steps include replacing insecure voting equipment, conducting post-election audits, upgrading election infrastructure, and monitoring election systems for malfeasance by bad actors. If we are to avoid a repeat of 2016, we must continue to limit our election infrastructure’s exposure to disruption by our adversaries.
Replace paperless voting systems
On October 31, Pennsylvania Governor Tom Wolf signed into law a bipartisan measure that included $90 million for replacing outdated, paperless voting equipment after the Blue Ribbon Commission on Pennsylvania’s Election Security issued a report with recommendations for fixing the state’s outdated election infrastructure, systems, and technologies. The law should ensure that all Pennsylvania counties are able to purchase new, paper-based voting systems with better security to guard against hacking than their previous equipment.
It will also help Pennsylvania counties deploy the voting equipment for the first time during the state’s April 2020 presidential primary, instead of the November 2020 presidential election. Deploying new voting equipment in an election is sometimes challenging because voters and election officials are relatively unfamiliar with it. New equipment should be deployed for the first time in smaller, low-turnout elections where equipment-related issues are less likely to create problems, such as long lines, that can eat into some voters’ workdays and prevent some from voting.
All states that use paperless voting systems should immediately phase them out to avoid administering elections that provide faulty results due to an undetectable software glitch or calamitous breach. In Northampton County, Pennsylvania’s November 5, 2019 election, the voting equipment incorrectly showed a Republican judicial candidate winning by a nearly statistically impossible margin. It appears that Northampton was able to rectify the situation by manually counting the paper backups for all the votes the machine counted incorrectly. If a jurisdiction with a paperless voting system experienced a similar problem during the 2020 presidential election, it would be much more difficult to fix.
Audit the elections
Since even the most secure voting systems are at some risk for hacking, states should make the effort to conduct transparent, robust, post-election audits. One way to do this successfully is to conduct pilot audits. Earlier this month, Pennsylvania conducted risk limiting audits in Mercer County and Philadelphia on some of its new voting equipment. These audits used statistical analysis to determine whether reported election outcomes are accurate and to detect possible interference by adversaries. These audits have been recommended by both the U.S. Senate Select Intelligence Committee and National Academy of Sciences and help ensure that a state’s election infrastructure is strong and resilient.
Next month, Ohio will conduct similar risk limiting audit pilots in Defiance County and Clark County. This comes on the heels of legislation Ohio Governor Mike DeWine signed into law on October 25 that requires each county board of elections to audit the official results of every general and primary election held in even-numbered years.
Every state should take steps towards conducting statistically significant audits of their paper ballots prior to the certification of their election results. Starting with pilot programs and working towards full implementation will help ensure that the audits are smooth and the election outcomes are accurate.
Improve cyber protections of election systems
Local election management computers and networks are targets for foreign interference. They can be attacked remotely, and successful attacks could alter a county’s voter registration database, voting machine configuration, or results reporting infrastructure. No election office can reasonably be expected to handle this problem on their own, so Ohio election officials are working with others to help address it.
In addition to post-election audits, the legislation signed by Governor DeWine would increase cyber protections for the state’s election systems. Among other things, the legislation creates a “civilian cybersecurity reserve” that can be deployed to help protect state and local election officials from cyberattacks, adds the Ohio secretary of state to Ohio’s Homeland Security Advisory Council, and creates a chief information security officer position within the Secretary of State’s office to provide more expertise on election security issues.
In June 2019, Ohio Secretary of State Frank LaRose issued a directive to county boards of elections, requiring them to implement a number of election security upgrades. Every board of election will have an Albert sensor to detect attempted intrusions of the voter registration database. Every board of election is also required to undergo risk and vulnerability assessments, remote penetration testing, validated architectural design reviews, and cyber threat hunts from the Department of Homeland Security (DHS) to assess its networks and learn ways to improve its cyber security. And all counties are required to use a domain name ending in “.gov” or “.us” to ensure that each county’s website is legitimate and belongs to county election officials.
Securing complex software systems is quite difficult, and unfortunately there are several avenues of vulnerability in such systems that adversaries can use to alter the results or cast doubt on the integrity of an election. That said, engaging outside cybersecurity resources, using tools from DHS, and employing smart defensive tactics are a few ways states can reduce the likelihood that its election systems are successfully hacked.
Monitor election systems for malign behavior
To address both previous concerns about Russia’s meddling in the 2016 elections and evolving cybersecurity risks, the Wisconsin Elections Commission formed the Wisconsin Election Security Council, a group dedicated to bolstering cyber security and shoring up other election-related security issues before the 2020 elections, on October 16. The members include more than two dozen officials from the FBI, DHS, DOJ, Department of Military Affairs, Department of Transportation, the Governor’s office, the state Legislature, the League of Wisconsin Municipalities, Counties Association, and Towns Association. The body is exploring ways to use existing resources to enhance cyber security, strengthen relationships, and work with partners on security-related matters throughout the 2020 cycle. In Wisconsin, elections are conducted at the municipal level by 1,850 municipal clerks, most of whom work part-time. The Council should help ensure that these clerks have adequate resources to protect themselves from foreign interference.
While other states are not as decentralized as Wisconsin, each would benefit from having its own election security council. These entities could help state (and local) election officials identify their vulnerabilities, ascertain the causes and contributing factors to each one, and provide recommendations for remedying them in time for their 2020 elections.
There are many ways states can make their election infrastructure more secure for 2020. States using paperless voting equipment could transition to precinct-counted optical scan ballots that provide a paper trail of each voter’s vote. States without mandatory post-election audits could adopt robust post-election audit procedures to help validate election outcomes and detect and correct software failures and attacks. Every state should form a working group comprised of local, state, and federal officials, as well as cybersecurity and elections experts, to help ensure that its elections systems are secure against both known and emerging threats as the 2020 elections draw closer.
We know that foreign authoritarian actors are coming in 2020. Let’s make sure that we can successfully defend, detect, and recover from their attacks.
The views expressed in GMF publications and commentary are the views of the author alone.