Cybersecurity and election experts recently told members of the House Oversight and Government Reform Committee that the use of paper ballots and a defined auditing process – traditionally low-tech solutions – present some of the best methods for protecting U.S. election systems and restoring voter confidence.
“The two important properties are, first, that there be a paper artifact of the voter. Optical scan paper is an example of a system that does that. That’s probably the best state-of-the-art technology that we have right now,” said Matthew Blaze, associate professor of computer and information science at the University of Pennsylvania. The second property is that we have a mechanism for detecting compromise of the software that tabulates the votes, and that’s the risk-limiting audit feature. Put together, those achieve an approach of what we call strong software independence.”
Strong software independence means that, even if the voting machines are compromised, there is a method for certifying the accuracy of the vote that doesn’t rely on the software.
Virginia recently made the decision to decertify all of the state’s remaining fully-electronic voting machines and move to a paper scanning system for the November 2017 statewide election. According to Edgardo Cortés, commissioner for the Virginia Department of Elections, the decision was made based on whether his office could confidently tell the Virginian people that the election results were correct, should something happen to a voting machine.
“We wouldn’t be in a position to do that with the equipment we were using,” said Cortes.
However, according to the Louisiana secretary of state Tom Schedler, transitioning to paper ballots alone is not enough to ensure accurate vote tallies and improve voter confidence in the results.
“We are not naive to the future cyber attacks, but we also know that the use of paper ballots can just as easily open up fraud vulnerabilities unless strong protocols are followed by election officials,” said Schedler.
“Certainly we should want to move to a place where systems are both auditable and also audited,” said Susan Klein Hennessey, fellow in national security law and governance studies at the Brookings Institution. She explained that election officials need to establish auditing plans that are executed on a regular basis.
“An auditable system is effectively meaningless if we don’t actually undertake the audit,” said Hennessey.
According to Blaze, risk-limiting audits should be done on voting machines after every election.
Hennessey added that while actually altering the votes recorded by election machines is quite difficult, foreign adversaries more often seek to undermine the public’s confidence in the outcome of an election.
“To do so, a malicious actor needs only to penetrate systems in a manner that introduces uncertainty,” said Hennessey.
“It’s very difficult to prove that it hasn’t happened,” said Blaze.
In fact, prolonged conversations about the lack of security in voting machines and the potential for alteration can, themselves, deter voter participation without ever changing an actual vote, according to Schedler. He added that combatting the misconceptions in voter’s minds has become a job “on steroids” in the last two years.