ELECTION SECURITY: VOTING TECHNOLOGY VULNERABILITIES
Registrar of Voters, Orange County, California
Past President, California Association of Clerks and Election Officials (CACEO)
Past President, National Association of Election Officials
Past Chair, United States Election Assistance Commission (EAC) Board of Advisors
Member, EAC Voting Systems Standards Board
Member, Department of Homeland Security (DHS) Election Security Task Force (Government Coordinating Council)
Member, 2018 National Academy of Sciences, Engineering and Medicine’s Committee on the Future of Voting: Accessible, Reliable, Verifiable Technology Committee
Subcommittee on Investigations & Oversight
Subcommittee on Research & Technology
Committee on Science, Space, and Technology
U.S. House of Representatives
June 25, 2019
Good afternoon, Chairwoman Sherrill, Chairwoman Stevens, Ranking Member Baird, Ranking Member Norman, and members of the Subcommittee on Investigations & Oversight and the Subcommittee on Research & Technology. My name is Neal Kelley and I am the Chief Election Official, Registrar of Voters for Orange County, California. Thank you for the invitation to speak at this joint hearing to address:
- The key findings of the National Academies of Sciences, Engineering, and Medicine Consensus Study Report, “Securing the Vote, Protecting American Democracy”,1 specifically as they pertain to the National Institute of Standards and Technology (NIST);
- The best practices used in Orange County, including the use of paper trails with voting machines, electronic pollbooks and risk-limiting audits;
- Barriers states and counties encounter in the pursuit of enhancing election security; and
- How Congress can further assist states and counties with securing election system technologies.
As a member of the National Academies of Sciences, Engineering, and Medicine’s Committee on the Future of Voting, I would like to share the key findings of the committee’s report, “Securing the Vote, Protecting American Democracy”, as they relate to NIST. I have submitted the Report Highlights for Federal Policy Makers along with my testimony today. I would also like to share the insights I have gained as an election administrator.
The National Academies’ report begins with a discussion of the 2016 Presidential Election, which exposed new technical and operational challenges faced by state and local governments, the federal government, researchers, and the American public. Specifically, the 2016 elections showed that we must become more discerning consumers of information and become more proactive in our efforts to defend our election systems against bad actors who seek out opportunities to infiltrate and undermine the credibility of our election infrastructure. The 2016 Presidential Election made it clear that the federal, state, and local governments must work collaboratively to secure our election infrastructure and that we must discuss the threats to our elections candidly and apolitically.
In the two decades following the 2000 Presidential Election, numerous initiatives have been undertaken to improve our election systems. Although progress has been made, old and complex problems persist, and new problems emerge. Aging equipment, the targeting of our election infrastructure by foreign actors, a lack of sustained funding dedicated to election security, inconsistency in the skills and capabilities of elections personnel, and growing expectations that voting should be more accessible and convenient as well as secure complicate the administration of elections in the United States.
We must prevent efforts to corrupt our electoral process while continuing to administer elections for an electorate that is increasing in size and complexity. The threats and challenges will continue to grow, and the security of the American elections process will only be achieved through collaboration, cooperation, and the allocation of sufficient resources.
Working together, NIST and the Election Assistance Commission (EAC) have made numerous contributions to the improvement of electronic voting systems by providing critical technical expertise. The voluntary voting systems guidelines (VVSG), developed by the EAC in collaboration with NIST, are particularly important. Nevertheless, despite the critical roles that these agencies play in strengthening election infrastructure, the federal government currently provides limited ongoing financial support. While one-time funding has been historically allocated, election cybersecurity is known to be an ongoing challenge that will require ongoing efforts to better understand threats and vulnerabilities and develop strategies and solutions to defend and protect America’s election systems.
As elections will likely involve the use of even more technology in the future, the committee’s report called upon NIST to develop security standards and validation protocols for electronic pollbooks in addition to the standards and verification and validation protocols that the agency has developed for voting systems. The development of such standards is crucial, but limited funds and staff resources make it difficult for NIST to address these and other challenges involved in protecting our election infrastructure. If the challenges currently facing our election systems are ignored, we risk an erosion of confidence in our elections system and in the integrity of our election processes.
Our report recommends that the EAC and NIST — the architects, developers, and shepherds of the VVSG — continue the process of refining and improving the VVSG to reflect changes in how elections are administered, to respond to new challenges to election systems as they occur (i.e., cyberattacks), and to research how new digital technologies can be used by federal, state, and local governments to secure elections. Our report further recommends that a detailed set of cybersecurity best practices for state and local election officials be developed, maintained, and incorporated into election operations and that the VVSG be periodically updated in response to new threats and challenges.
VVSG was first adopted in 2005 to increase security requirements for voting systems and it augmented the 2002 Voting System Standards to address advancements in election practices and computer technologies. The next iteration occurred 10 years later in 2015 with the approval of VVSG 1.1, which enabled NIST to create test environments for the proposed changes. Almost immediately following the adoption of VVSG, it was clear that we cannot wait another 10 years for updated voting system guidelines and principles and the EAC and NIST began working on the next iteration, entitled VVSG 2.0. Rather than provide device-specific guidance as previous VVSG versions did, VVSG 2.0 has a new structure to provide high-level principles and guidelines on all functions that are incorporated into a device or devices that make up a voting system. In addition, VVSG 2.0 will include requirements to provide technical details necessary for manufacturers to design devices that meet the established principles and guidelines and test assertions that allow laboratories to test a voting system against the prescribed requirements.
The draft guidelines also require software independence for all voting systems so as to allow for the determination of the correct outcome even if the software does not perform as intended. Our report echoed this principle, recommending that the computers and software used to prepare ballots should be separate from the computers and software used to count and tabulate ballots.
While many of the discussions related to elections revolve around cybersecurity, continued attention must be paid to modernizing our election systems. Our report recommends that NIST should establish Common Data Formats for auditing, voter registration, and other election systems. Through conformance with such standards, new election systems would be better protected against infiltration attempts.
Electronic voting systems that do not produce a human-readable paper ballot of record are of particular concern as the absence of a paper record raises security and verifiability issues. Because of this, our report recommended that all elections should be conducted with human-readable paper ballots. We further recommended that states mandate risk-limiting audits prior to the certification of election results. With current technology, this requires the use of paper ballots. Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots. Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.
Whether required by law or because local officials have independently adopted an audit requirement, most jurisdictions conduct audits after an election. Some audits focus on the processes followed by election officials, which are performance audits, but those do not check for the accuracy of election results. For that reason, the report specifically recommends that states mandate risk-limiting audits (RLA) prior to the certification of election results for all federal and state contests, and for local contests where feasible. An RLA is not considered to be a performance audit as it seeks to ensure accuracy: that the reported outcome would be the same if all ballots were examined manually and that any different outcome has a high likelihood of being detected and corrected. Colorado was the first state in 2018 to conduct RLAs in a statewide election.
The report recommends that use of the Internet, or any network connected to the Internet, for a voter to cast a ballot or for the return of marked ballots should not be permitted. There is no known technology that guarantees the secrecy, verifiability, and security of a marked ballot transmitted over the Internet. No matter how well constructed or prepared, it is impossible to anticipate and prevent all possible attacks through the Internet and we know that there are actors who look for vulnerabilities with the deliberate intention to compromise America’s elections. Although cybersecurity is a never-ending challenge, best practices such as adopting state-of-the-art technologies and best practices more widely and developing new knowledge about cybersecurity will achieve stronger defenses against cyberattacks.
Voter registration databases are also vulnerable to cyberattacks, whether they are standalone or connected to other applications. Presently, election administrators are not required to report any detected compromises or vulnerabilities in voter registration systems. The report recommends that states make it mandatory for election administrators to report these instances when they occur to the DHS, the EAC, and state officials. In Georgia, more than 6.5 million voter records and other privileged information were exposed due to a server error. The security vulnerability had not been addressed 6 months after it was first reported to authorities, even though it could have been used to manipulate the state’s election system. This is exactly the kind of scenario that can be avoided if the proper agencies were notified and had an opportunity to act.
Since voter registration databases are increasingly being integrated with other databases, it is recommended that election administrators routinely evaluate the integrity of voter registration databases and the other databases they are connected to. In Illinois, Russian actors targeted and breached an online voter database in 2016 by exploiting a coding error. For three weeks, they maintained undetected access to the system. Ultimately, personal information was obtained on more than 90,000 voters. In California, hackers penetrated state registration databases and gained access to the personal information of a large number of voters and demanded ransom. Election infrastructure should not be at the mercy of hackers motivated by money or a desire to inflict chaos upon the American people. Strict standards and funding can be established to prevent the likelihood of similar instances in the future.
In addition to recommendations directed to the EAC and NIST, our report offers recommendations for the federal government, state governments, and election administrators and calls for research on voting that supports basic, applied, and translational research relevant to the administration, conduct, and performance of elections.
As the fifth largest voting jurisdiction of the nearly 9,000 voting jurisdictions in the United States, Orange County is in the fortunate position of being able to allocate resources and staff to support pilot programs and determine best practices for the use of paper audit trails (with voting machines and electronic pollbooks). I am pleased to share what my team and I have practiced and learned over the past 15 years as one of the leading election administration agencies in the country.
On the matter of election security, we remain closely connected to our local fusion center and to Information Sharing and Analysis Centers such as Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). Information sharing in both directions is tremendously helpful for maintaining awareness of innovative digital tools and security threats or challenges. In addition, we invite security experts to conduct audits and testing on our systems to identify vulnerabilities and to propose solutions as necessary. To increase staff awareness of election security, staff participate in regular table top exercises with government and private partners. Staff are also required to take and pass an annual countywide cybersecurity training. When considering potential vendors for professional services, we maintain strict security requirements to ensure vendor integrity.
In addition, Orange County partnered with DHS on its “See Something, Say Something” campaign to encourage staff, volunteers, and voters to speak up when there is something suspicious. The DHS “See Something, Say Something” campaign logo was prominently displayed in poll worker training manuals, polling place set-up guides, and office materials and the campaign was discussed in in-person trainings that thousands of poll workers participated in.
Starting in 2006, California Elections Code section 19250 required the use of a Voter Verifiable Paper Audit Trail (VVPAT) for any electronic voting machine in California. Although Orange County is in the process of obtaining new voting equipment, we currently use a voting system (Hart InterCivic HVS 6.1) which contains a VVPAT printer, installed by my office, that has been certified for use in California. A VVPAT allows a voter to manually verify that the selections on the ballot reflect their intentions, regardless of whether the ballot is a paper or electronic ballot. This is particularly helpful in a recount because the original paper record can be used to verify that the final tally is correct.
Electronic pollbooks must meet high level security requirements to be used in California, and Orange County has placed additional requirements on potential electronic pollbook solutions. Data must be encrypted while in transmission and while at rest. Mobile device management allows advanced remote management of pollbooks and includes the ability to remotely wipe all data from a pollbook if it were to be misplaced or stolen. Additionally, electronic pollbooks are never connected to voting systems. This “air gap” eliminates the capability of affecting voting machines via pollbooks.
In 2018 I chose to implement two risk-limiting audit (RLA) pilot programs in both the 2018 Primary and General Elections. These audits identified best practices and allowed us to share lessons learned with other county election officials and policymakers for consideration when developing post-election audit procedures and policies. While having a legacy voting system does not prohibit an elections agency from conducting a risk-limiting audit, I recommend that voting systems be updated in order to better support risk-limiting audits at a ballot comparison level. This added ability, included only in modern voting systems, allows jurisdictions to provide voters with increased confidence in election outcomes.
Orange County has a long history of supporting the movement toward risk-limiting audits:
- In 2007, Orange County participated in the California Secretary of State’s Post-Election Audit Standards Working Group to evaluate the 1% manual tally and other post-election audit models.
- In 2010, Orange County conducted an RLA audit pilot and submitted findings to the EAC.
Orange County specifically conducted RLA pilots in 2018 in advance of being allowed to conduct RLAs in lieu of the currently mandated 1% manual tally starting with the March 2020 Primary Election. Additionally, we partner with academic institutions to review our methodology. We solicit feedback from institutions such as MIT, UC Berkeley, Princeton, and Caltech.
To share our experiences and best practices, I released the 2018 Risk-Limiting Audit Pilot Project Report in April 2019. This report is available on our website. It includes a glossary of terms and basic outline of RLA procedures to help those new to the concept of an RLA to become familiar with it.
Having served as the Chief Elections Official in Orange County, California for the past 15 years, I have seen the election security landscape change dramatically. In the current landscape, the focus is on developing digital defense strategies against ongoing foreign state sponsored attacks that seek to undermine confidence in our democratic institutions. State and local election officials need broad support to protect America’s election infrastructure. As the Academies’ report states, “To fully address the challenges inherent in electronic election systems and to prevent foreign interference, federal, state, and local officials must adopt innovative measures to ensure that the results of elections reflect the will of the electorate.” The failure to do so will result in unforeseeable and lasting damage to the American public’s confidence in elections, which is the underpinning of the democracy we live in and pride ourselves in.
As you know, states and counties differ not only in geographic area and population size but also in terms of their access to resources, funding, and information. Yet, the election security challenges that local election officials face have no bearing on the size of their jurisdiction, access to funding and resources, and ability to mitigate or respond to such threats. My office is considered by many to be at the forefront of election innovation by virtue of its participation in working groups that communicate election security information, its participation in trainings, and its prioritization of reviews of all processes and procedures so as to identify and resolve vulnerabilities and be resilient against on-going and expanding threats.
Nevertheless, not every election office has the resources that we have in Orange County. There are hundreds, if not thousands, of election offices where only a handful of dedicated staff are on hand to run their jurisdiction’s elections fairly and securely. The lack of personnel in many of these small jurisdictions makes it difficult to add additional responsibilities. Sending staff to trainings or bringing trainings to small or rural voting jurisdictions can be particularly challenging because it reduces the number of staff on hand at the elections office. The magnitude of what is involved in maintaining election security can be overwhelming to any individual seeking to expand their knowledge and remain abreast of the ever-changing field of election security. We must not lose sight of smaller jurisdictions that could benefit greatly from shared resources.
To share the knowledge and experience gained by being at the forefront of election cybersecurity, I released the 2018 Election Security Playbook: Orange County, CA Elections to provide other local elections officials and the public with an opportunity to understand the role of election systems as critical infrastructure, to share core information security principles, and to identify critical threats and vulnerabilities. The Playbook is the only guide to be published from the perspective of a local election official. It provides scenarios and tips that are relatable to other local election officials seeking to build their election security knowledge and implement basic safeguards to protect election systems.
The Playbook was reviewed by the Department of Homeland Security, the Election Assistance Commission, and the Federal Bureau of Investigation and it is available to the public on the Orange County Registrar of Voters’ website in our Election Library. The Playbook has been downloaded thousands of times and has been publicly shared by the Department of Homeland Security, the National Association of State Election Directors, and the Cybersecurity and Infrastructure Security Agency as a resource for election offices to use as a starting point in building their foundation in election security. I have included the Playbook as an appendix to my testimony.
Additionally, I am the Co-Chair of the Department of Homeland Security’s Digital Networking Development Working Group. A newly formed working group, the Department of Homeland Security Digital Networking Development (DND) Working Group is a partnership between representatives from the government and private sectors tasked with reviewing and providing recommendations on the development and utilization of digital tools to both private and public members of the election infrastructure community. This working group seeks to evaluate digital tools intended to communicate critical information to help secure election infrastructure, share digital tools with partners in government and private sectors, and research innovative digital tools that support cybersecurity and protect election infrastructure.
The first of its kind, the working group seeks to serve as a clearinghouse for information on digital tools that support election security. Local election officials have found the numerous sources of election security information to be overwhelming. This makes it difficult to identify the most up-to-date and relevant information. This contributes to the challenge local election officials face in remaining current on the latest digital tools, threats, and challenges. I am grateful for our partnership with DHS in making this information available in a constructive way.
Congress has a unique ability to address issues affecting multiple states. It is incredibly challenging to coordinate resource and knowledge sharing amongst states and local jurisdictions. Congress can greatly assist states and counties with securing election system technologies by assisting in the standardization of information sharing and by providing funding for the digital tools, training, and staff resources necessary to secure our elections. States and local governments are ready to work with Congress to secure our elections, and agencies such as EAC and NIST, if given the opportunity, could build upon their research and standards to support the development of the digital tools necessary to provide election security.
Thank you and I look forward to your questions.
1 For the full report, please see https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy. This report was undertaken with grants to the National Academy of Sciences from the Carnegie Corporation of New York (#G-16-53637) and the William and Flora Hewlett Foundation (#G-2016-5031) and with funds from National Academy of Sciences’ W. K. Kellogg Foundation Fund and the National Academies of Sciences, Engineering, and Medicine’s Presidents’ Circle Fund.