Washington, D.C. — Less than nine months before midterm elections, a new study shows that most state election systems remain vulnerable to hacking and other interference by foreign governments bent on disrupting the election process.
The Center for American Progress (CAP) conducted research and interviewed election officials to determine their election security preparedness after U.S. intelligence agencies concluded that Russia tried to influence the 2016 election by targeting state voting systems.
As events have shown, election security is now a matter of national security, especially because U.S. intelligence officials have predicted that hostile nation-states such as Russia again will attempt to penetrate U.S. election infrastructure in 2018 and 2020.
The study assigns grades to all 50 states and the District of Columbia based on adherence to best practices under seven categories, including adopting minimum cybersecurity measures for voter registration databases, using paper ballots, and conducting post-election audits.
“This report should spur demand across the country for urgent steps needed to defend America’s election security against another attempt by a foreign nation to disrupt our elections,” said Danielle Root, lead author of the report. “While vulnerabilities in the election infrastructure still exist, it’s encouraging to see some states taking steps to better protect their elections.”
While all states have taken steps to protect their elections from outside influence or system failure, the report found that election infrastructure in most states remains susceptible to attacks by sophisticated enemies.
Among the findings:
• Kansas received an F.
• No state received an A, and only 11 states received a B. Another 23 states received a C, 12 states received a D, and five states received failing grades. Even states receiving a B are vulnerable to attack.
• The biggest threat to election security is the continued use of paperless electronic voting machines, which are vulnerable to hacking and do not leave a reliable paper trail that can be audited to confirm election outcomes. Fourteen states use paperless direct-recording electronic (DRE) machines in at least some jurisdictions; five states rely exclusively on paperless DRE machines for voting.
• Only two states (Colorado and Rhode Island) have good post-election auditing requirements in place. The report found that 33 states have post-election audit procedures that are unsatisfactory from an election security standpoint.
• At least 10 states do not provide cybersecurity training to election officials.
The study reveals that Kansas adheres to a number of minimum cybersecurity best practices related to voter registration systems, but the state allows voting using machines that do not provide a paper record and fails to mandate post-election audits, leaving it without confirmation that ballots are cast as the voter intends and counted as cast. Kansas also allows voters stationed or living overseas to return voted ballots electronically, a practice that election security experts say is notoriously insecure. Its ballot accounting and reconciliation procedures also need improvement. The state did earn points for requiring that all voting machines be tested to Election Assistance Commission Voluntary Voting System Guidelines before being used in the state, and for requiring election officials to carry out logic and accuracy testing on all voting machines before an election.
Despite numerous attempts to speak to someone in state government about the cybersecurity standards for the state’s voter registration system, state officials did not respond to our requests for information or comment, and we were unable to locate all of the information independently. If Kansas is adhering to all of the minimum cybersecurity best practices for voter registration systems, it would receive a “good” score — worth three points — for that category, bringing its grade up to a D.
Kansas’s reliance on machines that do not provide a paper record, coupled with its failure to carry out post-election audits even in jurisdictions with voter-verified paper trails, leaves the state open to undetected hacking and other Election Day problems. Going forward, Kansas should switch to a statewide paper-based voting system that can be audited through robust procedures that test the accuracy of election outcomes. In doing so, the state should look to risk-limiting audits like those in Colorado as a potential model. To improve its overall election security, Kansas should require that electronic poll books receive pre-election testing to ensure that they are in good working order before Election Day. The state would also be wise to partner with the Department of Homeland Security (DHS) to identify and assess vulnerabilities in its voter registration system, if it’s not doing so already. While recognizing the importance of state autonomy when it comes to elections, federal agencies with expertise in cybersecurity and access to classified information on contemporaneous cyberthreats have the personnel and resources necessary to thoroughly probe and analyze complex election databases, machines, and cybervulnerabilities. By combining their expertise on cyberthreats and their insight into the unique qualities of localized election infrastructure, state and federal officials can better assess and deter attempts at electoral disruption. Kansas should also prohibit electronic absentee voting and instead require that all voted ballots be returned by mail or in person. Regarding ballot accounting and reconciliation, all ballots — used, unused and spoiled — must be accounted for at individual polling places.
Minimum cybersecurity standards for voter registration system in Kansas: Incomplete*
• The state’s voter registration system is estimated to be at least 10 years old.
• The state’s voter registration system provides access control to ensure that only authorized personnel have access to the database.
• The state’s voter registration system has logging capabilities to track modifications to the database.
• The state’s voter registration system includes an intrusion detection system that monitors incoming and outgoing traffic for irregularities.
• The state performs regular vulnerability assessments and penetration testing on its voter registration system.
• The state has engaged in conference calls with DHS regarding election security matters, but it is unclear whether the state has enlisted DHS’s help in monitoring its voter registration system.
• State officials were unable to provide us with information on whether the state provides cybersecurity training to election officials.
• Electronic poll books are used by some, but not all, jurisdictions in the state. Pre-election testing of electronic poll books is left up to the counties that use them. Paper voter registration lists are available at polling places that use electronic poll books on Election Day.
Voter-verified paper audit trail in Kansas: Unsatisfactory
Depending on the jurisdiction, some voters in Kansas cast paper ballots, while others vote using DRE machines. Some DRE voting machines in the state produce a voter-verified paper record, while others are entirely paperless.
Post-election audits in Kansas: Unsatisfactory
The state does not require mandatory post-election audits.
Ballot accounting and reconciliation in Kansas: Unsatisfactory
• Ballots are not fully accounted for at the precinct level.
• Precincts are required to compare and reconcile the number of ballots with the number of voters who signed in at the polling place.
• Counties are required to compare and reconcile precinct totals with countywide results to ensure that they add up to the correct amount.
• There is no statutorily mandated review process to ensure that all voting machine memory cards or flash drives have been properly loaded onto the tally server at the county level.
• While election results are made public, it is unclear whether the same is true of information regarding ballot reconciliation processes and results.
Paper absentee ballots in Kansas: Unsatisfactory
The state permits Uniformed and Overseas Citizens Absentee Voting Act voters to submit completed ballots electronically, via email or fax.
Voting machine certification requirements in Kansas: Fair
• Before being purchased and used for an election, all voting machines must be shown to meet or exceed federal voting system standards.
• Some jurisdictions in the state likely still use voting machines that were purchased more than a decade ago.
Pre-election logic and accuracy testing in Kansas: Fair
• Election officials conduct mandatory logic and accuracy testing on all voting machines prior to an election.
• Testing is open to the public.
• Testing occurs within five days prior to an election.
CAP’s research and report card are designed to identify vulnerabilities in election infrastructure in order to build urgency for appropriate solutions and arm stakeholders with information to demand increased security measures. Overall, states still lack the necessary funding and resources to adequately protect future elections from interference by hostile nations such as Russia. Despite bipartisan efforts in Congress to bolster election security and provide needed funding, legislation remains blocked.
Liz Kennedy, CAP’s senior director of Democracy and Government Reform, added, “In this threat environment, Congress needs to step up and provide more resources to invest in America’s election infrastructure so that states can do the job right.”
There have been some recent signs of progress. Last fall, for example, Virginia switched out its paperless voting machines for paper ballots, while Rhode Island joined Colorado in requiring risk-limiting post-election audits. And on Friday, Gov. Tom Wolf’s administration in Pennsylvania — which still uses paperless voting machines in some jurisdictions — ordered counties looking to replace their voting systems to purchase machines with paper records.
Read the full report by Root, Kennedy, Michael Sozan and Jerry Parshall at https://www.americanprogress.org/issues/democracy/reports/2018/02/12/446336/election-security-50-states/ for additional information.
*State officials did not respond to requests for information and comment on cybersecurity requirements for the state’s voter registration system. Information gathered for this section derives from independent research.