In the earlier articles in this Election Security series, I aimed to be as objective as possible, just stating the facts as given. I even went so far as to have the election officials review the process descriptions, just to be sure they were correct.
This article is somewhat different. While I hope my analysis and recommendations are relatively objective, this is policy and commentary, not reporting. Reporting is what is; policy is what works or can work; and commentary is what should be.
So, with those caveats, here is my analysis of what we have learned about election security, at least within the systems we looked at. I hope you can use this to look at election security in your own locality, as well.
The Unknown
Let’s start with this: we have almost no idea how secure our voter registration data is at the state level. If you read that article, you saw that the Secretary of State’s office gave us a three-sentence statement that basically said “we take security seriously – trust us.”
That raises some questions:
- Do they have good segregation of duties? We don’t know.
- Do they hire outside companies to do penetration testing? We don’t know.
- Who has read-write access to the data? We don’t know.
- How secure is the transfer of data between county clerks and the state? We don’t know.
To be fair, to this point we have not had any significant problems (that I am aware of) with voter data. People show up at the polls, their registration is accurate, they vote.
But what if the data was NOT secure? And, unbeknownst to anyone, an outside agency hacked into the data and erased or changed just enough voter registrations to keep just enough voters from voting to make a difference in an election? When would we find out? On election day, of course. And the losers would scream, and the winners would say everything was fine, and we would have a giant mess.
So, is your voter registration data secure? At this point, there is only one answer: We don’t know.
The Bad or Questionable
In contrast to the lack of information we received from the state, we were able to have fairly extensive conversations with the local election staff in Jefferson County, and thus are able to discuss both the good and the bad of the voting and tabulation processes.
Fortunately, in all our investigation of local elections, there was much more good than bad or questionable. But, in line with a parenting/teaching lesson I learned long ago, I’m going to list the bad first, then get to the good. (And for those wondering why: You name the bad thing first, so the listener isn’t waiting on it and misses all the good.) So here goes.
The post-election accuracy check of random precincts does not involve hand-counting the ballots. If you remember from the voting article, approximately 3% of the precincts are chosen at random for an accuracy check. This is done by running the paper ballots from that precinct through a different voting machine to see if they produce the same totals.
The problem with this, of course, is that if there is something wrong with the programming of the USB drive (accidental or nefarious), it will not be caught, because the same glitch or hack will cause the same totals. The only way to TRULY check the accuracy of the programming and the machines is to hand-count the ballots and compare those totals to the ones that come out of the machine.
There is no published authentication process for the Electionware software. There needs to be a way to ensure that the ES&S Electionware software that is installed locally is the same version as the one that is inspected and certified by the Election Assistance Commission. Someone inside or outside the company could rewrite the Electionware software such that the votes in every precinct are miscounted by some amount in the direction of a candidate or party. They then could substitute the hacked version and deliver it to the local election boards for use in the election.
Kentucky does not require the highest level of election system certification. There are four levels of state requirements when it comes to equipment certification:
- No Federal Requirements: Relevant state statutes and/or regulations make no mention of any Federal agency, certification program, laboratory, or standard.
- Requires Testing to Federal Standards: Relevant state statutes and/or rules require testing to Federal voting system standards. (States reference standards drafted by the Federal Election Commission (FEC), National Institute of Standards and Technology, or the EAC).
- Requires Testing by a Federally Accredited Laboratory: Relevant state statutes and/or regulations require testing by a federally or nationally accredited laboratory to Federal standards.
- Requires Federal Certification: Relevant state statutes and/or rules require that voting systems be certified by a federal agency.
Kentucky is at level 2. The state Board of Elections chooses a testing laboratory, then requires vendors to send their equipment to that laboratory. That laboratory then performs tests to ensure the equipment meets federal standards.
Obviously, this leaves quite a bit of room for either sloppy work or actual malfeasance, if the right people wanted to pursue it. The laboratory does not have to be certified to do such testing; they simply have to be chosen by the state BoE.
The Good
Fortunately, there is much good to be named in the election processes we looked at. The following bullet list is not exhaustive, but highlights the items that struck us as the most important:
- Bipartisan everywhere. The boards, the staffs, even the warehouse workers – all bipartisan. Assuming they take that approach seriously, this one fact can prevent most subterfuge from even getting started.
- Paper ballots. This cannot be stated enough: if your local election board uses touch screen voting with no hand-countable paper trail, raise hell until they change. If it’s digital, it can be hacked, and if there is no paper trail, the election can be stolen with no recourse. The fact that Jefferson County uses paper ballots, and that those ballots are stored under lock and key for 30 days after the election so an actual hand recount can be done if needed, should make every voter happy.
- Numbered seals. I have seen pictures of voting machines sealed with twist-ties, or with zip-ties from the hardware store. Having numbered seals, with the numbers recorded, just makes it that much harder to hack into a machine.
- Two USB drives, with only one accessible at the precinct. This is good design; if someone tried to insert a hacked USB stick at the precinct, the machine would not run, because the two didn’t match.
- No WIFI or Bluetooth. The ES&S machines have wifi capability, but it was not even installed in the machines purchased by Jefferson County. An excellent decision.
- Test ballots. Slipups happen, even with the most diligent staff. Running a test deck before the machine is sent to the voting location ensures that those slipups don’t show up on election day.
- No overvoting. The fact that the machine notifies the voter that they have overvoted, AND that the ballot is then discarded and the voter must vote again right there on the spot, is an excellent design and process decision.
- And the most important “good thing” of all – TWO TAPES! This may seem like a small thing, but the fact that there is a public totals tape put up at the precinct means that from that point forward, the election cannot be hacked. If someone tried to interfere with the tabulation and reporting process, there would be an outcry from the persons who had already seen the totals at the precinct. Such a simple step, and yet it is one of the main protections against election hacking.
Recommendations
Our list of recommendations is short, but we think it is important, and could take a pretty secure election system to the next level of confidence and security.
First of all, Kentucky needs to upgrade their certification standard. We should require election boards to use only federally certified machines, rather than accepting the word of a non-certified lab chosen by state officials.
We need to work with ES&S to improve the “chain of custody” of the software. Let’s assume that some person or group had the money and the time to try to affect an election in Kentucky. Considering all the security steps outlined in these articles, it becomes obvious that the weakest link is the software that comes from ES&S. Has the source code been examined for either outright hacks in the code itself, or for backdoors that would allow injection of code later? If that source code has been examined by a strong, independent lab, how do we know that the software received in Kentucky is the same as the software that has been examined?
Once the software is programmed onto the USB drive, and that drive installed in a voting machine, that software could be switching votes according to some algorithm, and no one would know unless they took the time to hand-count the paper ballots. The two totals tapes would agree, and everything from that point forward would run as planned … except the reported totals would be incorrect, because the software had been compromised.
Which brings us to our last recommendation: The local election board should hand-count a certain percentage of precincts, chosen at random, to make sure the software has not been compromised. Is this a lot of work? Certainly. But you have to ask yourself: How valuable is the knowledge that our voting, and the counting of those votes, is secure?
And, you also have to think through what you would do if you found discrepancies. The obvious answer, it seems to me, is that you would declare the election results to be “on hold” until you had checked more precincts. Again, getting this right is more important than doing it quickly.
Final Thoughts
I have to say, I went into this work wondering about our election security. There have been so many reports of strange results in certain locales, and even entire states, that I wondered what I would find.
For the most part, what I found was a solid system, run by bipartisan teams that took their work seriously, and processes that should prevent almost all election tampering. We should be thankful that the election infrastructure in our state appears to be strong.
Note that we did not look at other aspects of elections, such as voter suppression, poll access, early voting, absentee voting, dark money, or any of the other problems and trends threatening our democracy. Our only focus for this series was to answer the question Are our elections secure? For the parts of the process we were able to examine, we believe the answer is Yes.
–30–
Thoughts? Comments? Add yours in the comment section at the bottom of the page.
Photo by FutUndBeidl