Election infrastructure security: Should we use Internet voting?
To protect the integrity and security of U.S. elections, all local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election, says a new report from the National Academies of Sciences, Engineering, and Medicine.
In addition, every effort should be made to use paper ballots in the 2018 federal election. Ballots that have been marked by voters should not be returned over the Internet or any network connected to it, because no current technology can guarantee their secrecy, security, and verifiability, the report says.
“The 2016 presidential election was a watershed moment in the history of elections – one that exposed new challenges and vulnerabilities that require the immediate attention of state and local governments, the federal government, researchers, and the American public,” said Michael McRobbie, president of Indiana University and co-chair of the committee that conducted the two-year study and wrote the report.
The committee included computer science and cybersecurity experts, legal and election scholars, social scientists, and election officials.
Assessments by the U.S. intelligence community found that during the 2016 presidential election, America’s election infrastructure was targeted by actors sponsored by the Russian government who obtained and maintained access to elements of multiple U.S. state or local election systems. The intrusions made clear the vulnerability of election infrastructure to cyberattack, the new report says — a vulnerability exacerbated by aging equipment and a lack of sustained funding. Foreign state-sponsored attacks present a challenge for even the most well-resourced jurisdictions; small, under-resourced jurisdictions are at serious risk.
State and local governments must work together with the federal government to secure and improve election systems, the report says. The cybersecurity of electronic systems used in elections, such as voter registration databases and vote tabulation systems, should be continuously monitored and improved. And audits of paper ballots should be used to verify that votes have been tabulated correctly and to detect when electronic systems have been compromised.
“This is a critical time for our country,” said committee co-chair Lee Bollinger, president of Columbia University. “As a nation, we need to take collective action to strengthen our voting systems and safeguard our democracy. In addition, the nation’s leaders need to speak candidly and apolitically about threats to election systems. The American people must have confidence that their leaders place the larger interests of democracy above all else.”
The report recommends steps that the federal government, state and local governments, and election administrators should take to improve the security of election infrastructure and safeguard its integrity and credibility, including:
Human-readable paper ballots
Paper ballots form a body of evidence that is not subject to manipulation by faulty software or hardware and that can be used to audit and verify the results of an election. Human-readable paper ballots may be marked by hand or by machine (using a ballot-marking device), and they may be counted by hand or by machine (using an optical scanner), the report says.
Voters should have an opportunity to review and confirm their selections before depositing the ballot for tabulation. Voting machines that do not provide the capacity for independent auditing – i.e., machines that do not produce a printout of a voter’s selections that can be verified by the voter and used in audits – should be removed from service as soon as possible.
Risk-limiting audit
States should mandate a specific type of audit known as a risk-limiting audit prior to the certification of election results. By examining a statistically appropriate random sample of paper ballots, risk-limiting audits can determine with a high level of confidence whether a reported election outcome reflects a correct tabulation of the votes cast.
Risk-limiting audits offer a high probability that any incorrect outcome can be detected, and they do so with statistical efficiency; a risk-limiting audit performed on an election with tens of millions of ballots may require examination by hand of as few as several hundred randomly selected paper ballots. States should begin with pilot programs of risk-limiting audits and fully implement these audits for all federal and state election contests – and local contests where feasible – within a decade.
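To illustrate why the sample can be so small, here is an added example (not taken from the report or this article) of one well-known risk-limiting method, a BRAVO-style ballot-polling audit for a two-candidate contest. The function names, the 5% risk limit and the "W"/"L" ballot encoding are assumptions made for the illustration; the article does not specify a particular audit method.

```python
import math
import random

def bravo_audit(sampled_ballots, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling audit (BRAVO-style), two-candidate contest.

    sampled_ballots: "W"/"L" values read by hand from randomly drawn paper
    ballots (anything else is skipped). Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1)")
    threshold = 1.0 / risk_limit      # stop once the evidence ratio reaches this
    ratio = 1.0                       # likelihood ratio: reported result vs. a tie
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1.0 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined     # reported outcome confirmed at the risk limit
    return False, examined            # not confirmed: escalate to a full hand count

def expected_sample_size(reported_winner_share, risk_limit=0.05):
    """Wald approximation of the ballots needed when the reported share is true.

    Depends on the margin and the risk limit, not on how many ballots were cast.
    """
    p = reported_winner_share
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.ceil(math.log(1 / risk_limit) / drift)

def draw_sample(true_winner_share, n, seed):
    """Constructed stand-in for pulling n random paper ballots (with replacement)."""
    rng = random.Random(seed)
    return ["W" if rng.random() < true_winner_share else "L" for _ in range(n)]

if __name__ == "__main__":
    # Reported 55% to 45% contest: the estimate is a few hundred ballots.
    print("expected ballots:", expected_sample_size(0.55))
    # Paper agrees with the reported tally.
    print("honest tally:", bravo_audit(draw_sample(0.55, 20000, seed=1), 0.55))
    # Paper says the reported winner actually lost.
    print("wrong outcome:", bravo_audit(draw_sample(0.49, 20000, seed=1), 0.55))
```

When the paper ballots do not support the reported outcome, the ratio rarely reaches the threshold, so the audit keeps drawing and ends in a full hand count rather than confirming a wrong result.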
Internet voting should not be used at the present time
Internet voting should not be used in the future until and unless very robust guarantees of secrecy, security, and verifiability are developed and in place. Currently, no known technology can guarantee the secrecy, security, and verifiability of a marked ballot transmitted over the Internet. (The Internet is an acceptable way to transmit unmarked ballots to voters as long as voter privacy is maintained and the integrity of the received ballot is protected.)
Integrity of voter registration databases
Election administrators should routinely assess the integrity of voter registration databases. They should put in place systems that detect efforts to probe, tamper with, or interfere with voter registration systems. States should require election administrators to report any detected compromises or vulnerabilities in voter registration systems to the U.S. Department of Homeland Security, the U.S. Election Assistance Commission, and state officials.
Backup plans are essential
Jurisdictions that use electronic pollbooks should have backup plans in place to provide access to current voter registration lists in the event of any disruption. Traditionally, pollbooks – which are used to verify an individual’s eligibility to vote – have been printed lists, but 36 states now use e-pollbooks in at least some of their jurisdictions.
Critical infrastructure
Election systems should continue to be considered as U.S. Department of Homeland Security-designated critical infrastructure. In addition, the U.S. Election Assistance Commission and the U.S. Department of Homeland Security should continue to develop and maintain a detailed set of cybersecurity best practices that election system vendors and state and local election officials should incorporate into their practices.