A 21-member panel of elected officials, former U.S. Justice department officers and nonprofit leaders convened in May by the University of Pittsburgh to review Pennsylvania’s election security issued its preliminary report Tuesday, landing on a increasingly common conclusion for states reviewing their voting processes: buy new ballot equipment that produces a paper record for each voter.
The Commission on Pennsylvania’s Election Security , run out of Pitt’s Institute for Cyber Law, Policy and Security, made two other broad recommendations in its preliminary report, calling on state and federal lawmakers to provide additional funding to help the commonwealth’s 67 counties buy new voting machines, and asking elections officials to scrutinize the cybersecurity practices of the vendors they work with.
But the top-line item is the swift replacement of the direct-recording electronic machines — also known as DREs — that don’t produce printed backups of ballots, and that 83 percent of Pennsylvania voters currently use. DREs are frequently cited by election-security analysts as being particularly vulnerable to tampering because they cannot be audited following an election.
The state government has already started moving to replace the equipment, with Acting Secretary of State Robert Torres issuing an order in April instructing every county to have voting machines that can produce paper backups of each ballot in place by November 2019, when many towns and cities, including Philadelphia, will be holding municipal elections.
Fulfilling Torres’ order will be costly, however. The state estimates buying and certifying new equipment, as well as training local election workers to use them, will cost the counties a collective $125 million, leaving a significant funding gap. Pennsylvania’s 2018-19 budget contains just $14 million to help counties procure new voting equipment, with most of that sum coming from the grant the state received as part of the $380 million the federal Election Assistance Commission divvied up among the states this year. (Pennsylvania is one of six states spending 100 percent of its grant on new voting machines.)
The third recommendation, monitoring vendors’ cybersecurity practices, could prove more complicated. The commission wants election officials to assess the risks posed by third-party companies they work with, but currently, there are few guidelines for how that would be accomplished, said Chirstopher Deluzio, a law and policy fellow at Pitt Cyber.
“Given that election infrastructure is part of our nation’s critical infrastructure, that’s striking,” he told StateScoop.
As Deluzio put it, better vendor scrutiny by election officials might include require companies to disclose their ownership or hiring practices during the bidding process, or running vulnerability assessments throughout the life of a contract. Deluzio mentioned the case of Maryland, where officials learned in July that the vendor that had been hired in 2013 to manage the statewide voter registration database had since been purchased by a larger company, which in turn is controlled by an investment fund led by a Russian billionaire known to have ties to President Vladimir Putin.
“Many Pennsylvania counties rely on outside vendors to help with ballot preparation,” Deluzio said. “That kind of introduction of a vendor and their supply chain could compromise their machines.”
Still, with each county maintaining its own process for running elections, Deluzio said he did not want to paint with “too broad a brush.”
The Pitt commission is scheduled to issue a final report in early 2019, including recommendations about the voter registration system, post-election audit procedures and the commonwealth’s ability to respond to potential cyberattacks.