Securing the vote: Steps for states include updating voting infrastructure and holding post-election audits, but funding is a stumbling block

In September 2017, the U.S. Department of Homeland Security (DHS) notified 21 states (including Illinois, Iowa, Minnesota, North Dakota, Ohio and Wisconsin in the Midwest) that Russian hackers had targeted their voting systems before the 2016 elections. 
While most of the attempts were not successful, voter registration systems were breached in at least two states: Arizona and Illinois. (According to DHS, there was no evidence that any information had been altered in these two states.)
Fast-forward to today, with just months before the 2018 general elections that will determine partisan control of the U.S. Congress and several state legislatures, and elections security experts are recommending that immediate steps be taken to secure the country’s election infrastructure — for example, identifying the potential avenues for attacking election systems, replacing outdated voting machines, ensuring the security of registration systems, and conducting post-election audits.

Whether and when this occurs will depend in part on a mix of help from the federal government and new state-level policies and investments.

Systems designated as ‘critical’
In early 2017, then-DHS Secretary Jeh Johnson designated elections infrastructure as “critical,” making state and local elections systems a priority for cybersecurity assistance and protections. Since then, DHS officials have reached out to election officials in all states and offered a range of free cybersecurity tools, including comprehensive onsite assessments of a state’s election system, DHS spokesperson Scott McConnell says.
“We continue to work with state and local election officials to improve the security of their election infrastructure through sharing timely and actionable threat information and offering our cybersecurity services,” he adds. “State and local officials have taken a number of steps to secure elections, and DHS has made it a priority to support these efforts.”
DHS has promised that any state requesting an onsite assessment will receive it before this year’s midterm elections, McConnell says, adding that so far, 14 states have taken the federal department up on the offer. (He declined to identify those states.)
In March, the Wisconsin Election Commission reported that DHS would conduct a “risk vulnerability assessment” of its state election system. According to the commission, during the two-week test, DHS cybersecurity specialists will simulate hacking attempts “from both outside and inside the state network to identify vulnerabilities.” They will also conduct a phishing campaign, sending simulated malicious emails to “users of state elections applications” and then tracking the activity of the email recipients.
In addition to these comprehensive assessments, McConnell says, 32 states currently receive recurring “cyber hygiene scans” — a weekly report of vulnerabilities and mitigation strategies. The department is also granting security clearances to chief state election officials, he notes, and working to declassify information as quickly as possible to get it to officials who need it.
Since Illinois’ system was hacked, that state has been receiving regular cyber scans from DHS and has requested a comprehensive risk assessment. It has also added firewalls and installed new software to prevent intrusions.
New federal funds ‘a start’
Along with this type of technical assistance, new federal funding for states is on the way. In the omnibus appropriations bill for fiscal year 2018 (approved by the U.S. Congress and signed by President Donald Trump in March), $380 million was included for states to enhance election technology and make election security improvements.
According to the U.S. Election Assistance Commission, these funds will be made available as noncompetitive grants. States can use the money to:
  • remove voting equipment that only records a voter’s intent electronically, and replace it with equipment that utilizes a voter-verified paper record;
  • implement a post-election audit system that provides a high level of confidence in the accuracy of the final vote tally;
  • upgrade election-related computer systems to address vulnerabilities identified through DHS or other qualified entities;
  • facilitate cybersecurity training and implement cybersecurity best practices for election systems; or
  • fund other activities that will improve the security of elections for federal offices.
States are required to provide a 5 percent match within two years of receiving the federal funds. (They have until Sept. 30, 2023, to request the money.) This funding “is a really important step, and an acknowledgment that this is a national security issue that needs support from the federal government,” says Larry Norden, deputy director of the Brennan Center for Justice’s Democracy Program. “But it’s just a start, and not nearly enough.”
He adds that states, local governments and the U.S. Congress will have to continue such support over the long haul, while also adopting best security practices, planning for emergencies, and having backups such as paper ballots in case of a successful breach.
“There’s no finish line in this race,” Norden says. “Cyber threats evolve, and we must assume that adversaries and bad actors will look for new ways to undermine faith in our elections.”
Some voting machines ‘past their prime’
Spurred at least in part by the “hanging chad” controversy in the 2000 presidential election, the U.S. Help America Vote Act of 2002 allocated $4 billion in grants for states to update their voting systems and poll worker training. (The $380 million in the federal FY 2018 budget was authorized by this 2002 law, and marked the first federal grants under it since 2010.)
But now, many of the updates are a decade or more old — and many states say they don’t have the funding to replace outdated systems.
These systems often rely on now-unsupported software and weak security systems. Earlier this year, in response to a Brennan Center survey, 229 officials in 33 states — including Illinois, Indiana, Kansas, Minnesota, Nebraska, North Dakota, Ohio and Wisconsin — said they needed to replace voting machines by 2020.
“Older equipment generally is going to break down more often and is more difficult to repair,” Norden says.
“In talking to election officials, because these machines are no longer manufactured, when the machines break down, they have to be taken out of service,” he notes. “This means less machines for people to vote on. This can lead to all kinds of problems, such as longer lines and a lack of resources.”
And because older equipment tends to run on software no longer serviced by vendors, Norden adds, it is more vulnerable to cyberattacks. “We had election officials tell us they were buying replacement parts on eBay, and obviously that is not the most secure thing to do,” he says.
Even before passage of the federal omnibus budget, some Midwestern states were moving ahead with or considering proposals to replace voting equipment. Michigan is one of the few states that had money left over from the Help America Vote Act ($30 million); last year the Legislature kicked in another $10 million to help counties buy new optical-scan voting equipment with paper ballots from an approved vendor list. Voter-assisted terminals will be available for those who need it.
Some of the new equipment was installed in 2017, but all municipalities will have it in place before Michigan’s Aug. 7 primary election. The state will also pay for five years of service and maintenance, after which county and local governments will need to pay these costs.
Minnesota legislators have created a voting equipment grant program and allocated $7 million for it. Earlier this year, in announcing the awarding of grants to assist counties and cities in purchasing new equipment, Minnesota Secretary of State Steve Simon said $13.3 million had been requested.
Last year, Iowa’s HF 516 established a revolving loan fund to assist counties in updating their voting technology and purchasing electronic poll books. That bill, however, did not provide an appropriation for the loan fund.
In Ohio, Sen. Frank LaRose introduced a bill last year that would have provided $89 million to help counties pay for new voting machines. In March, he proposed changes to SB 135, boosting the amount to $114.5 million. That revised amount, LaRose says, would provide enough funding for counties to purchase new voting machines for each precinct, based on the cost of the lowest-cost optical scanner. Counties that want other machines would have to pay the difference, but each machine would need to be paper-verified. (Ohio law has required paper verification since 2005.)
“This is the infrastructure that runs our democratic processes of conducting elections,” LaRose says. “These machines are past their prime. They need to be replaced; they are becoming inefficient and hard to maintain.
“The new machines are obviously more efficient, but also offer opportunities for greater security.”
In 2016, a special legislative committee in Nebraska examined the status of the state’s election systems and concluded that its equipment was becoming outdated and should be replaced.
That committee’s chair, Sen. John Murante, subsequently introduced LB 316, which would create an election technology fund. Most Nebraska legislators favor buying new equipment, Murante says, but he adds that fiscal conditions must improve before the state can make the $20 million to $30 million investment.
“With the crash of commodity prices, our state budget has taken a significant hit,” Murante notes.
Updates to voter registration databases
The 2002 Help America Vote Act mandated that states create computerized, statewide voter registration databases. In its 2017 report “Securing Elections from Foreign Interference,” the Brennan Center estimated that 41 states (including Indiana, Iowa, Kansas, Michigan, Nebraska, Minnesota, Ohio and South Dakota) had such databases that were initially created over a decade ago.
The report also indicated that many states use discontinued software that is more vulnerable to attack.
In March, Secretary of State Simon asked the Minnesota Legislature for $1.4 million over four years to update the statewide registration database (created in 2004), citing the attempted Russian hack in 2016 and ongoing discussions with DHS officials about the probability of future attempts. He requested $381,000 for the first year, which Gov. Mark Dayton included in his proposed budget.
According to Norden, it also is important for employees who use these systems to have the latest cybersecurity training. (A lot of the best practices for a voter registration system are going to be the same as any database that a state is using, Norden notes.)
Most states offer this type of training for state employees, but for many, it is voluntary. Illinois, with passage of last year’s HB 2371, mandated that state employees undergo annual cybersecurity training, which will include detecting phishing scams, preventing spyware infections and identity theft, and preventing and responding to data breaches. (Legislative, judicial and university employees, along with constitutional officers other than the governor, are exempt from the state requirement.)
Since 2015, under Ohio’s information technology policy, all state agencies’ system users (“employees, contractors, temporary personnel or other agents of the state”) have had to receive annual security-awareness training.
The value of post-election audits
How can states better deter fraud, find errors, reveal when recounts are necessary, and promote public confidence in their elections process? Security experts stress the value of post-election audits, which compare a hand count of voter-verified paper records with totals collected by the electronic voting system.
“Having a voter-verified paper record is of limited value if you’re not using it to check the software-generated totals,” Norden says. “If the idea is that you want to trust but verify, then you need to actually use the paper after every election to verify the electronic totals.
“And the way to do that is a post-election audit.”
Five Midwestern states — Illinois, Iowa, Minnesota, Ohio and Wisconsin — require some type of post-election audit, but only Minnesota’s audit is binding: it is used to determine official election results and can trigger a full recount. The most recent state in the Midwest to pass such a law is Iowa (HF 516, passed in 2017), where the secretary of state’s office determines the number of counties and precincts to be audited. Under the law, results of the audit “shall not change the results, or invalidate the certification, of an election.”
In Indiana, the county chair of a political party can request an audit, and in Nebraska, audits may be conducted by the secretary of state.
A bill unanimously passed by the Kansas House last year (HB 2333) would require that after each election, and before certification of it, county officials conduct manual audits in 1 percent of all precincts (a minimum of one randomly selected precinct) within the county. This audit would be conducted by bipartisan election boards.
The bill, which is still pending in the Senate, also would require any new voting system purchased by counties to provide a paper record.
In Ohio, post-election audits are conducted by local boards of election due to a 2014 directive from the Ohio secretary of state. They take place in even-numbered years and following presidential primary elections.
This year, two bills in Ohio requiring post-election audits have been introduced: HB 467, which would codify the secretary of state’s directive, and SB 256, which would require “risk-limiting” audits of election results. As the bill describes, risk-limiting audits use “statistical methods to limit to acceptable levels the risk of certifying an incorrect outcome for a particular race, question or issue.”


Interstate cooperation designed to help keep voter rolls up to date

To help ensure that states have accurate voter registration lists, two multi-state programs have been developed to assist with list maintenance: the Electronic Registration Information Center, or ERIC, and the Interstate Voter Registration Crosscheck Program.
Governed by its 23 member states (including Illinois, Minnesota, Ohio and Wisconsin in the Midwest), ERIC uses information from motor vehicle departments, Social Security Administration records and other databases to compare voters across states. States pay an initial $25,000 fee to join and then contribute annual dues to cover operating expenses. Each member state receives reports showing voters who have moved within their state, who have moved out of state, or who have died. The reports also display duplicate registrations in the same state, as well as individuals who are potentially eligible to vote but are not yet registered. To strengthen security and protect voter privacy, voter records are converted to indecipherable characters before being sent. Between 2012 and 2017, ERIC identified more than 26.5 million potential, not-yet-registered voters; and between 2013 and 2017, it identified more than 8.4 million out-of-date records (including cross-state and in-state movers, in-state duplicates and deceased people).
The Interstate Voter Registration Crosscheck Program was established in 2005 by then-Kansas Secretary of State Ron Thornburgh. The stated purpose of the program is to identify possible duplicate registrations among states. A free program, it initially involved Missouri, Iowa, Nebraska and Kansas, but has since expanded under Kansas’ current secretary of state, Kris Kobach. Crosscheck relies on names and dates of birth for matching. At its peak, the program involved 30 states. But due to ongoing security concerns and “false positives,” eight states have withdrawn from the program. In April, the Illinois General Assembly passed SB 2273, which would remove Illinois from Crosscheck. Gov. Bruce Raunter had not acted on the legislation as of late April. A bill (SB 326) has also been introduced in Kansas that would remove that state from the program.
Stateline Midwest: April 20182.22 MB