Having verifiable paper trails for votes has proven to be a useful tactic, officials from three states told senators Wednesday, but they said states still have a long way to go in securing elections.
Secretaries of State Steve Simon of Minnesota, Jay Ashcroft of Missouri and Jim Condos of Vermont testified before the Senate Rules and Administration Committee about their security precautions going into this November’s midterm elections, and to lobby for more federal support for upgrading voting equipment and cybersecurity practices.
States across the country have been scrambling to batten down how they conduct elections in the wake of intelligence officials’ reports that hackers linked to the Russian government attempted to penetrate the voting systems in 21 states during the 2016 presidential election. But states that are moving toward more paper trails of ballots and stronger security around voter files are going in the right direction, the secretaries of state said.
“It’s very hard to hack paper,” Simon said.
Minnesota, which Simon called “proudly old-school,” uses paper ballots exclusively to conduct its elections. “It’s a huge advantage, especially post 2016. We see now many states that were once sold on a paperless future now realizing paper’s good after all.”
Simon’s line about digital actors being unable to reach a physical piece of paper echoes other officials’ calls to keep elections more analog , but the importance of a paper trail lasts after people are finished voting.
Condos, who is scheduled to become the president of the National Association of Secretaries of State, reiterated the importance paper ballots in conducting post-election audits. In Vermont, state officials randomly select 5 percent of all voting districts and conduct a recount of every line on every ballot from that sampling. Condos said he is considering expanding the sample size to 8 percent.
Later in the hearing, senators also heard from Noah Praetz, the director of elections for Cook County, Illinois, which contains Chicago and is the second-most-populous county in the country. Like his statewide counterparts, Praetz also promoted paper balloting.
“We’ve got a piece of paper that every voter looked at,” he said. “Worst-case scenario, we can create an election that’s trusted and true.”
Beyond the ballot
There are other election-security holes that paper ballots and audits can’t patch. A hacking operation that successfully penetrated the voter registration file in Illinois — but was found to have not changed any records — came up frequently during the hearing. Fears of renewed efforts by cyberattackers have states urging the federal government to offer more resources, though they won’t all be ready by this November.
Simon said Minnesota is using the first $1.6 million of the $6.6 million it’s getting from the federal Election Assistance Commission to rebuild its statewide voter registration system. Other upgrades, especially providing improved resources to rural areas, will take longer. Both Simon and Condos said one of their greatest challenges is helping smaller jurisdictions keep up with ever-changing cybersecurity demands.
“Only nine of our 87 counties have full-time election staff,” Simon said. “It costs money. Hennepin County” — which contains Minneapolis — “might have the resources to mount these defenses, but others don’t.”
But even if the lower rungs of government don’t have as robust cyberdefenses, they are on the front lines. “Every cyber-incident in 2016 was first reported by state authorities, not the federal government,” Ashcroft said.
Ashcroft briefly diverted the hearing when he said in his opening statement that “voter fraud is an exponentially greater threat than hacking of election equipment,” an opinion that was not shared by his fellow secretaries of state and pounced upon by the Democratic senators who attended the hearing. Independent reports refute Ashcroft’s claim, too: there were only four documented cases of voter fraud in the 2016 election out of more than 137 million ballots cast nationwide.
Ashcroft also announced he is convening his own summit on election security for secretaries of state this September in St. Louis.
There are some practices states are already taking to improve their election cybersecurity. Condos said Vermont runs a daily backup of its voter-registration database and gets weekly cyber-hygiene scans from the Department of Homeland Security. Indiana Secretary of State Connie Lawson wrote in submitted testimony that her state is using two-factor authentication to access elections-related systems in 10 counties.
Ultimately, though, the state officials concluded that while they would welcome additional federal resources, there are no real conditions for “victory” against continued cyberthreats from state-backed actors.
“There is no end zone where you get to spike the football,” Simon said. “There is no tape to break. You have to stay ahead of the bad guys, and some of them are funded by governments with near-unlimited resources.”