State

State’s voting machines pose ‘clear and present danger,’ warns Pennsylvania election security commission

In a new report, the body urges the state to replace its touchscreen-based machines with those producing paper ballots as soon as possible.

By Benjamin Freed

January 29, 2019

(Getty Images)

A 21-member panel of elected officials, former U.S. Justice department officers and nonprofit leaders convened last year by a University of Pittsburgh research institute to review Pennsylvania’s election systems released its final report Tuesday, recommending the state move as quickly as possible to replace its touchscreen voting machines and implement stronger cybersecurity procedures to protect the statewide voter registration database.

Pennsylvania and the federal government, the report reads, should help the state’s 67 counties purchase new voting systems before the 2020 presidential election, if not before elections for local offices later this year.

“Given the clear and present danger that these paperless machines pose, replacing the systems with those that employ voter-marked paper ballots should be the most pressing priority for Pennsylvania officials to secure the Commonwealth’s elections,” the report reads.

While Pennsylvania currently uses a mixture of digital and analog machines to collect votes, 83 percent of the state’s registered voters live in precincts that use direct-recording electronic machines — commonly called DREs — that do not produce paper records of the ballots they collect. But replacing those machines will be expensive, with some previous estimates topping $125 million.

“I think we can do it,” David Hickton, the director of the Pitt Institute for Cyber Law, Policy and Security and one of the commission’s co-chairs, told StateScoop. ‘It’s in our interest to do it and have 2019 on the new system because I think the 2020 election is going to be a high-interest election.”

Use of DREs has been a point of great consternation for cybersecurity experts, with some finding evidence that their programming can lead to tabulation errors that could potentially affect election outcomes. A study earlier this month of machines used in South Carolina found that hundreds of votes were miscounted in 2018 races.

All-digital voting machines have also been cited as a concern in the wake of attempts by Russian government hackers to infiltrate the election systems in at least 21 states, including Pennsylvania, during the 2016 presidential race.

Most of Pennsylvania’s DREs are also more than 15 years old and are no longer supported by their manufacturers, leading county officials to look for replacement parts on eBay, Hickton said.

“Even if we didn’t have documented risk in the 2016 election … we have to regard this as a necessary expenditure,” he said.

Pennsylvania is moving to replace its machines, but the report’s authors are calling for speed. Secretary of the Commonwealth Robert Torres issued an order last year directing counties to replace their voting equipment by November 2019. Torres’ successor, Kathy Boockvar, held a series of expos around the state featuring voting-machine vendors, with the final expo held in Erie on Tuesday.

More than machines

The Pitt commission’s report goes beyond just the physical replacement of voting machines, and makes several recommendations to improve the cybersecurity of the statewide voter registration database, which was targeted but not penetrated by hackers in 2016.

The report calls on the state and counties to undergo more rigorous training and communicate more frequently with the Department of Homeland Security’s cybersecurity division to ensure database security.

And though the report commends the state for implementing protocols that restrict database access to authorized users who manage and prepare poll books on election days, it also says Pennsylvania and its counties could go further. Plans for response to hypothetical cyberattacks, which Pennsylvania declined to share with the commission, could be improved if counties join the Election Infrastructure Information Sharing and Analysis Center, an intergovernmental organization run by the nonprofit Center for Internet Security. As of Jan. 4, only five Pennsylvania counties — along with the state — had joined the group.

“The EI-ISAC is a critical cybersecurity resource that assists with cyber incident responses, real-time cybersecurity advisories and alerts, and more,” the report reads. “These are no-cost resources that every county in Pennsylvania should be using.”

But even with the availability of free and trustworthy resources, Hickton said officials in some counties — which he did not name — are resistant to messages that they need to harden their security.

“There are 67 counties that have a say in this,” he said. “The tension is there, and it can be healthy or it can be unhealthy. There have been people who have been very vocal about the proposition that nothing happened in 2018 election. The fact there was no hacking in the 2018 election is not proof that we don’t need to make changes.”

A scare in Maryland

Hickton stressed that election officials throughout Pennsylvania should review their current cybersecurity postures, including which vendors they use. Part of that recommendation was fueled by Maryland officials’ discovery last year that a software company the state had hired in 2013 to build its voter registration database was purchased two years later by an investment firm controlled by a Russian billionaire known to be close to President Vladimir Putin.

While a DHS report last November found that Maryland’s voter file was not compromised, Hickton said the episode should’ve scared every election official into evaluating their technology vendors and finding the funds to replace them, if necessary.

“Election security is civic infrastructure,” he said. “It’s as important as public safety. We’re routinely replacing fire trucks and other items of capital expense, and our election infrastructure has to be a capital expense.”

The Pitt commission’s report isn’t binding, but it was issued with a sense of urgency, giving December 31, 2019 as the absolute latest the state should decertify its DREs. And though Hickton, a former U.S. attorney for Western Pennsylvania, shares that sense of urgency, he conceded that the path to making election systems more secure is open-ended.

“I don’t think there’s a silver bullet,” he said. “It’s the things we always talk about, which is cooperation, awareness. We need our elections to have integrity and people to have faith in them.”