A judicial election in Northampton County, Pennsylvania, in November produced a literally unbelievable result. About 55,000 votes were cast on newly purchased electronic voting machines, but only 164 votes were registered for the Democratic candidate. Luckily, the touch-screen machines produced a backup paper trail, which allowed for an accurate recount. Ultimately, the Democrat won by some 5,000 votes. The root cause of this systemic vote switching is still under investigation. Whatever the case, though, the mass malfunction of these machines highlights the reliability and security issues around electronic voting systems that are mostly already primed for use in the 2020 elections.
As disturbing as the Northampton County miscount is in its own right, it throws into relief a grave general issue that applies to voting systems across the country. One would hope that whatever glitch or virus caused the massive malfunction will, once identified, be quickly and easily fixed, patched, or updated so that those machines can be relied upon to work properly going forward. Further, one would also assume that other vulnerable voting systems around the country will be updated prophylactically to prevent similar malfunctions in next year’s elections. However, neither of those things is very likely to happen. Our current regimen for certifying electronic voting systems makes changing or updating election systems in the run-up to an election very difficult—and as Election Day 2020 gets closer, that maintenance becomes virtually impossible.
Certification requirements vary widely from state to state, but the general purpose is to require voting systems to perform as designed and produce reliable, trustworthy results. Depending on the state, these certification tests are performed either by vendors or by an independent lab. In some states, systems are rigorously tested, while others receive little testing at all.
After certification, the software is basically frozen. Any changes or updates, in part or whole, can throw the entire system out of its original certification and require recertification before it can be used in another election.
The complicated, elderly federal certification process for voting systems evolved out of the Help America Vote Act, which Congress passed in 2002 in response to Florida’s “hanging chad” debacle in 2000. HAVA provided $3.9 billion in federal funds for states to update their voting systems and established the U.S. Election Assistance Commission. States are constitutionally charged with implementing their own elections, which means they handle funding, purchasing, and certifying (or not) their own voting systems. However, more than 40 states rely in some way on a federal certification process finalized in 2005 by the Election Assistance Commission. This process, defined by adherence to the EAC’s Voluntary Voting System Guidelines, was intended to give states the ability to trust the voting systems they purchased. In addition to the states, voting system vendors adopted the guidelines, too. The EAC doesn’t do the testing itself—instead, it certifies Voting System Test Laboratories, which in turn test voting systems to ensure guideline compliance. (The EAC currently lists three accredited Voting System Test Laboratories, which are all independently operated.)
The guidelines and certification protocol, although voluntary, are intended to offer a thorough evaluation and testing protocol that sets a national minimum standard. That sounds like a common-sense idea, but it’s a tall order. Election management systems are a combination of hardware and software, and include back-office PCs, tallying devices, electronic poll books, and the voting machines themselves, among other components. The lengthy federal certification process examines basic system functionality and performance, such as the correct preparation of ballots and the accurate recording and counting of votes. Other tests assess accessibility issues (can people who are visually impaired use the machine, for instance?) and determine the durability and security of the system.
The whole accreditation process is complicated and costly and takes at least six months to complete, according to J. Alex Halderman, a professor of computer science and an expert in cybersecurity. If the voting system adheres to the guidelines and passes all the tests, then it’s officially certified by the EAC. But there’s a catch: At the time these guidelines were created, little attention was paid to the security of the underlying software platforms or the machines that operated on them.
Voting systems, even those that use hand-marked paper ballots, rely on computerized management systems to organize, implement, and oversee elections and tally the results. In many cases, these systems and their software date back to the early 2000s, when HAVA funding became available. Election security experts stress the importance of timely updates to voting system software to protect against newly identified concerns and vulnerabilities. It seems like that should be easy—for most of us, after all, regular security patches and updates to cellphones and computers either happen automatically or simply require a quick affirmative click.
But updating voting systems is much more complicated. States and voting districts purchase and own voting system hardware, but the software on which the systems run is licensed, proprietary, and part of a long-term contract with the system’s vendor. The costs of these long-term support contracts are high—sometimes even more than the hardware itself. Software upgrades are usually made available only at the discretion of the vendor and might not be offered or covered under the original licensing agreement. Worse, even a minor software update could jeopardize the original certification and raise the specter of having to retest and recertify the system in its entirety. In contrast, outdated voting systems, even those with known vulnerabilities, routinely retain their original certification. This can create a situation where there is little marketplace incentive for vendors or practical incentive for election officials to install updates and patches or to upgrade to newer and more secure operating systems. In short, because of the rigidity, expense, and sluggish nature of the certification process, it will be very difficult, if not impossible, for election officials to nimbly and effectively respond to a cyberthreat or outright attack in the run-up to next year’s election.
To make matters worse, a standard security measure—air-gapping voting machines, meaning they aren’t connected to the internet—also complicates the updating process. The idea is to keep them safe from hackers, but air-gapping also means machines may have to be manually serviced by certified technicians. Given the difficulty and potential expense, some states and districts don’t bother with updates at all. Just this year, a court case in Georgia revealed that the state’s voting system’s software had last been updated in 2005.
Election security experts stress that there are readily available ways to bolster security. The EAC should compartmentalize voting systems so that a component of the system could be updated without triggering an unnecessarily complicated recertification of the voting system in its entirety. Also, it’s a very poor security practice to allow machines and systems that are known to be vulnerable to retain their certification and remain in use.
The Securing America’s Federal Elections Act, which passed the House in June, would allocate $600 billion to state governments to increase voting system security. It would also amend HAVA to empower the EAC to decertify any voting systems that don’t meet cybersecurity guidelines. However, the Democratic bill has faced staunch resistance from Republicans and is currently going through the reconciliation process with the Senate, so it’s unclear what the final product will look like—if it even happens.
The SAFE Act, in its original form, also requires states to implement mandatory risk-limiting audits—something the machine malfunctions in Pennsylvania highlight the importance of. These audits occur after the election, when a small sample of paper ballots is checked to make sure the sample accurately aligns with the machine count. In this way, discrepancies can get flagged, and a full recount can be initiated if needed. Had the Northampton County machine malfunction been more limited and less obvious, no error would have been suspected, no audit would have been performed, and the losing candidate would have been declared the winner. Currently, only Colorado, Rhode Island, and Nevada have mandatory risk-limiting audits, but many states have pilot programs and are considering adopting the practice. These audits only work, however, if there’s a paper record of voting. Most states and districts have steadily moved away from the paperless electronic voting machines that were once common. Still, according to a recent report from the Brennan Center for Justice, 12 percent of the voting on Election Day 2020 will take place on direct-recording electronic machines that don’t create any paper trail. The big question is how to get to a place where mandatory risk-limiting audits are the standard, not the exception.
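As an added illustration (not part of the original article), the Python below shows how a sampled paper-ballot check can confirm a machine count or escalate to a full recount. It assumes one specific method, the BRAVO ballot-polling test, which the article does not name; the function names, the 5 percent risk limit, and all vote totals are constructed for the example.

```python
import math
import random
from typing import Iterable, Iterator, NamedTuple

class AuditResult(NamedTuple):
    confirmed: bool        # True: reported outcome stands; False: full hand count
    ballots_examined: int
    log_statistic: float   # natural log of the sequential test statistic

def bravo_audit(reported_winner_share: float, draws: Iterable[bool],
                risk_limit: float = 0.05) -> AuditResult:
    """Two-candidate ballot-polling audit using the BRAVO sequential test.

    `draws` yields True when a randomly drawn paper ballot shows a vote for
    the machine-reported winner, False when it shows the reported loser.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1.0)")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be in (0, 1)")
    stop_at = math.log(1.0 / risk_limit)
    step_winner = math.log(2.0 * reported_winner_share)         # positive
    step_loser = math.log(2.0 * (1.0 - reported_winner_share))  # negative
    log_t, examined = 0.0, 0
    for shows_winner in draws:
        examined += 1
        log_t += step_winner if shows_winner else step_loser
        if log_t >= stop_at:  # strong evidence the reported winner really won
            return AuditResult(True, examined, log_t)
    return AuditResult(False, examined, log_t)  # sample exhausted: escalate

def draw_ballots(paper_for_winner: int, paper_for_loser: int,
                 sample_cap: int, seed: int) -> Iterator[bool]:
    """Simulate pulling paper ballots at random, with replacement."""
    rng = random.Random(seed)  # fixed seed so the simulation is repeatable
    total = paper_for_winner + paper_for_loser
    for _ in range(sample_cap):
        yield rng.randrange(total) < paper_for_winner

if __name__ == "__main__":
    # Constructed numbers: machines report a 52% win in a 55,000-ballot contest.
    # Case 1: the paper agrees with the machines (28,600 vs 26,400).
    # Case 2: a subtle miscount; on paper the reported winner lost by 5,000.
    for label, won, lost in [("paper agrees", 28_600, 26_400),
                             ("paper disagrees", 25_000, 30_000)]:
        r = bravo_audit(0.52, draw_ballots(won, lost, sample_cap=20_000, seed=2020))
        verdict = "outcome confirmed" if r.confirmed else "full hand count"
        print(f"{label}: {verdict} after {r.ballots_examined} ballots")
```

A result of `confirmed=False` does not say who won; it only means the sample never produced enough evidence for the reported winner, which is the trigger for the full recount described above.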
“The opportunity here is for the federal government to set minimum security standards, and then the states can figure out how to meet or exceed them within their own constraints,” says Halderman. “Today there are more federal regulations on whiskey or bottled water than there are for election technologies.”