Election Security

Election security continues to be an important topic of discussion at all levels of government. This article examines the major election vulnerabilities and summarizes election security activities being undertaken at the federal level as well as in Kansas.

Tools Used in Elections

The federal U.S. Election Assistance Commission (EAC) noted more than 300,000 pieces of voting equipment were deployed during the 2018 election. Since a majority of election tools are electronic, cybersecurity and tampering are major issues concerning election security. Many tools and resources increase the efficiency and security of elections. The tools and resources examined in this article include online voter registration systems, electronic poll books, election personnel, voting machines, storage and tallying of ballots, transmission of vote tallies, postelection audits, and other cybersecurity tools.

Online Voter Registration Systems

The EAC found more than 211 million registered voters for the 2018 election. According to the National Conference of State Legislatures (NCSL), currently 40 states and the District of Columbia (D.C.) use an online voter registration system to register those voters. Additionally, Oklahoma is phasing in online voter registration as of late 2020. As with any online system, there are benefits and risks. Online voter registration can expedite new voter registration, updates to existing voter registrations, and finding other election information, such as locating polling places. However, online voter registration systems are at risk of cyberattacks, as was seen when hackers targeted election systems, including voter registration systems, in 21 states during the 2016 election. While Arizona, Florida, and Illinois were confirmed to have breaches of their voter registration systems, a 2018 NBC News article indicated four other states’ voter registration systems were compromised to varying levels of severity before the 2016 election. To date, no evidence has been found that any voter information was altered or deleted.

The Kansas online voter registration system is about ten years old. The Kansas Director of Elections (Director) with the Office of the Secretary of State (Office) indicated in July 2018 a firewall was in place to protect the voter registration system, which was continuously updated, and that Office staff had been trained on cybersecurity best practices. The Secretary of State previously had stated in 2016 that the voter registration system had logging capabilities to track modifications to the database.

Electronic Poll Books

In January 2014, the Presidential Commission on Election Administration recommended all jurisdictions transition to electronic poll books (EPBs). The EAC indicates 36 states and the District of Columbia (D.C.) used EPBs during the 2018 election, with seven of these states using EPBs in all election jurisdictions. EPBs replace paper poll books and allow poll workers to access the list of eligible voters, check in voters more efficiently, and prevent voters from checking in more than once.

EPBs are electronically connected to a central registration database either via the Internet or a closed network. This connection could be made either at the time of downloading the list onto the device or during the entire time the device is in use. However, the Brennan Center for Justice (Brennan Center) notes there are no accepted technical standards for these connections. The Center for Internet Security identifies six major risks associated with EPBs: risks associated with established (whether persistent or intermittent) Internet connectivity; network connections with other internal systems, some of which may be owned or operated by other organizations or authorities, including private networks for EPBs; security weaknesses in the underlying commercial off-the-shelf product, whether hardware or software; security weaknesses in the dedicated components, whether hardware or software; errors in properly managing authentication and access control for authorized users, including permissions for connecting to networks and attaching removable media; and difficulties associated with finding and rolling back improper changes found after the fact. Some ways in which EPBs can be secured include the use of secure sockets layer security, use of a virtual private network, and proper security training for staff.

Vote Centers

EPBs are generally used in states that allow or require the use of vote centers. Vote centers are an alternative to specific precinct polling places and allow any voter to cast a ballot in any vote center in the jurisdiction (generally a county) rather than at their assigned polling place. States that allow or require the use of vote centers also generally allow or require local jurisdictions to use EPBs, which can be used to receive immediate updates on voters who have voted in other vote centers (unless the state specifies that the EPB may not be connected to the network).

In 2019, Kansas law was amended with enactment of Sub. for SB 130, permitting all voters in a county to vote at any polling place on election day, at the discretion of the county voting official.

According to NCSL, as of 2020, 16 states statutorily allow the use of vote centers as an alternative to precinct polling places. Of those 16 states: 7 require counties to use EPBs, 5 states allow counties to use EPBs, and 4 states (Kansas included) do not specify in statute whether the county is required or permitted to use EPBs.”

Postelection Audits

Currently, 38 states and the District of Columbia (D.C.) require some form of a postelection audit.

NCSL has divided postelection audits into two categories:

• Traditional postelection audit: usually conducted by hand-counting a portion of the paper records and comparing them to the electronic results produced by an electronic voting machine; and
• Risk-limiting audit: an audit protocol that makes use of statistical principles and methods and is designed to limit the risk of certifying an incorrect election outcome.

Thirty-four states and the District of Columbia (D.C.) require a traditional postelection audit, and Colorado, Nevada, Rhode Island, and Virginia statutorily require risk-limiting audits.

In Kansas, 2018 HB 2539 required county election officers to conduct a manual audit or tally of each vote cast in 1.0 percent of all precincts, with a minimum of one precinct located within the county. The audit requirements apply to all counties for elections occurring after January 1, 2019. The requirement for audit or tally applies regardless of the method of voting used. The bill specified these contested races will be audited:

• In presidential election years: one federal race, one state legislative race, and one county race;
• In even-numbered non-presidential election years: one federal race, one statewide race, one state legislative race, and one county race; and
• In odd-numbered election years: two local races, selected randomly after the election (KSA 25-3009).

The Office of the Secretary of State selected the random offices to be audited from the 2020 general election on November 4, 2020.

Electronic Transmission of Ballots

The EAC reported The Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) voters are increasingly using electronic means to receive and return absentee ballots. email was the most popular electronic transmission method, with 56.6 percent of UOCAVA voters receiving their absentee ballots and 29.6 percent returning the ballot via email. Voting securely through the Internet places much of the security responsibility on the votes and the security measures they have in place on their devices. Although it is possible to strengthen a wireless connection against an attacker for such applications, doing so is not easy and can be easily misconfigured. Also, these stronger protections can be difficult to use and maintain, especially for those unfamiliar with the technology.
According to NCSL, 4 states allow certain voters to return ballots using a web-based portal, 19 states and D.C. allow certain voters to return ballots via email or fax, 7 states allow certain voters to return ballots via fax, and 19 states do not allow electronic transmission and permit voters to return ballots only through postal mail.

Additionally, in 2018, West Virginia began using a block chain-enabled mobile voting application, called Voatz, for overseas residents from 24 counties. However, it suspended use of that application for the 2020 elections.

Other Election Security Resources

States utilize a myriad of resources to protect their election infrastructure from outside attacks. These resources may include cyber-liability insurance, enlisting the help of the National Guard and white-hat hackers, participation in interstate information sharing programs, and cybersecurity services provided by either the federal government or private entities.

Current Federal Government Activities

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) helps stakeholders in federal departments and agencies, state and local governments, and the private sector manage their cybersecurity risks.

The NCCIC works with the Multi-State Information Sharing and  Analysis Center (MS-ISAC) to provide threat and vulnerability information to state and local officials; all states are members. The MS-ISAC membership is restricted to state and local government entities. It has representatives collocated with the NCCIC to enable collaboration and access to information and services for state chief information officers.

During the 2016 election cycle, the National Protection and Programs Directorate (NPPD) within DHS offered voluntary assistance to state and local election officials and authorities from NCCIC, which helped stakeholders in federal departments and agencies, state and local governments, and the private sector manage their cybersecurity risks. In a Senate hearing, the Secretary of Homeland Security stated 18 states accepted DHS’ offer to help improve cybersecurity of their election systems prior to the 2016 election. Eleven states, including Kansas, chose not to accept DHS’ offer, citing concerns with federal intrusion on state elections.

On January 6, 2017, the Secretary of Homeland Security determined election infrastructure should be designated as a critical infrastructure sub-sector. Participation in the sub-sector is voluntary and does not grant federal regulatory authority. Elections continue to be governed by state and local officials, but with additional effort by the federal government to provide security assistance through the DHS Cybersecurity and Infrastructure Security Agency (CISA).

DHS was attempting to obtain security clearances for the top election official in each state so those officials would have access to classified intelligence about cybersecurity threats. According to a report from the Office of the Inspector General, as of July 2018, 87 of the 100 eligible states’ election officials received their interim or full security clearance from DHS to receive information on election-related threats. Fully granted clearances were provided to 43 officials, and 44 were granted on an interim status. According to a report from the Office of the Inspector General dated February 2019 on an audit conducted to evaluate the effectiveness of DHS’ efforts to coordinate with states to secure election infrastructure, the lengthy security clearance process hinders DHS’ efforts to secure the election infrastructure.

Initially, only 19 states signed up for the risk assessments DHS offered, and 14 conducted “cyber-hygiene” scans. In the Office of the Inspector General audit report, it was noted state and local officials’ mistrust of federal involvement increased reluctance to request DHS assistance. The audit noted CISA performed weekly cyber-hygiene scans on 141 outward facing election networks and conducted 35 risk and vulnerability assessments for election stakeholders. An October 2020 Inspector General audit report noted CISA had increased its outreach to and coordination with election stakeholders. The CISA National Risk Management Center (Center) focuses on evaluating threats and defending critical infrastructure against hacking. The Center runs simulations, tests, and cross-sector exercises to evaluate critical infrastructure weaknesses and threats.
In fall 2017, the Federal Bureau of Investigation (FBI) established the Foreign Influence Task Force to identify and counteract the full range of foreign influence operations targeting U.S. democratic institutions. The Foreign Influence Task Force works with personnel in all 56 FBI field offices and brings together the FBI’s expertise in counterintelligence, counterterrorism, cyberterrorism, and criminal terrorism, to root out and respond to foreign influence operations.

On February 20, 2018, the U.S. Attorney General ordered the creation of the Department of Justice (DOJ) Cyber-Digital Task Force (Task Force) to canvass the ways the DOJ addresses the global cyber threat and identify how federal law enforcement can more effectively accomplish its mission in this area.

The Attorney General has asked the Task Force to prioritize its study of efforts to interfere with U.S. elections. The Task Force released a report on July 19, 2018. The DOJ also issued a statement indicating the agency planned to alert American companies, private organizations, and individuals they are being covertly attacked by foreign actors attempting to affect elections or the political process. The Task Force has released several reports focusing on cyber threats, including malign foreign influence operations and potential threats relating to the use of cryptocurrency.

In early July 2018, the Director of the National Security Agency (NSA) directed the NSA and the Department of Defense’s (DOD) Cyber Command to coordinate actions to counter potential Russian government-sanctioned interference in the 2018 midterm elections. The joint program is also working with the FBI, the Central Intelligence Agency, and DHS and continues to generate insight on foreign adversaries to improve cyber defenses. DHS created the National Risk Management Center (NRMC) within the Cybersecurity and Infrastructure Agency; it is a centralized location for government and private sector partners to share information related to digital security.

In August 2018, DHS, EAC, DOD, the National Institute of Standards and Technology, NSA, Office of the Director of National Intelligence, U.S. Cyber Command, DOJ, the FBI, 44 states (including Kansas), D.C., and numerous counties participated in the Tabletop the Vote 2018, DHS’ National Election Cyber Exercise that tested the ability of state and federal officials to work together to stop data breaches, disinformation, and other voting related security issues.

Executive Order (EO) 13848 was issued in September 2018, declaring a national emergency regarding foreign influence and interference with election processes and equipment. The EO allows the imposition of sanctions on any person, entity, or foreign government who is found to be attempting to interfere or to have interfered with U.S. election processes or equipment.

EAC Current Activities

The EAC recommended the Voluntary Voting Systems Guidelines (VVSG) Version 2.0 in September 2017. The VVSG Version 2.0 states a voting device must produce a voter verifiable paper audit trail (VVPAT), and the software or hardware cannot produce errors that could lead to undetectable changes in tallies. The VVSG Version 2.0 voluntary requirements were released in February 2020. The EAC has also added a page to its website concerning election security preparedness, with many links to information on how to secure election systems, guides on what to do during and after a cybersecurity incident, and glossaries for commonly used terms (https://www.eac.gov/election-officials/election-security-preparedness).

New Help America Vote Act (HAVA) Funding

On March 23, 2018, the Consolidated Appropriations Act of 2018 (Act) was signed into law. The Act included $380.0 million in grants, which were made available to states to improve the administration of elections, including to enhance technology and make election security improvements. The majority of the funds was for election cybersecurity and to purchase new voting equipment.

In 2018, Congress appropriated $4.3 million for election security in Kansas, requiring a 5 percent match that was met by a Kansas State General Fund (SGF) transfer in FY 2019 and FY 2020. In 2019, Congress appropriated an additional $4.6 million for election security in Kansas under the Act, requiring a 20 percent match that was met by SGF moneys for FY 2021.

In August 2020, the EAC notified the Kansas Secretary of State (Secretary) an additional $15,427 appropriation for election security would be added to the original appropriation, requiring a $3,085 match. The Secretary requested this state match as a SGF transfer in FY 2022.

The EAC allowed states to combine funds into one fund titled “2018 HAVA Election Security,” and the total award for Kansas is approximately $9.3 million. Such funds do not have an expiration date for expenditure.

HAVA CARES Act Funding

In response to the COVID-19 pandemic, in March 2020, the Coronavirus Aid, Relief and Economic Security (CARES) Act was enacted and appropriated $400.0 million in HAVA funds to states to prevent, prepare for, and respond to the COVID-19 pandemic for the 2020 federal election cycle. Such funding is separate from the 2018 and 2020 HAVA election security funding.

Kansas was awarded approximately $4.6 million of the total $400.0 million in funding. Such appropriation must be used by December 31, 2020, and Kansas must provide a 20 percent match by March 2022. The required state match for Kansas is $924,500.

The Kansas Secretary of State announced the following plan for the expenditure of HAVA CARES Act funding:

• Approximately $2.6 million to reimburse all 105 counties for COVID-19-related expenditures, according to a formula based on voting age population for each county’s allotted reimbursement cap. No county received a reimbursement allotment cap of less than $5,000. Counties submitted plans in May 2020 for such funds and have until December 2020 to submit receipts to the Secretary for reimbursement;
• Approximately $1.0 million to procure personal protection equipment kits, plexiglass shields, and disposable pens for voters and polling places statewide to ensure additional protection for election workers and voters;
• Approximately $365,000 to purchase secure drop boxes for mail ballots. The Secretary authorized such funds to purchase two secure drop boxes per county, with certain exceptions;
• Approximately $150,000 to publish targeted, digital educational ads to all registered voters in the state for the general election to educate voters on options to cast a ballot in the November 2020 election amidst the COVID-19 pandemic; and
• A small portion of such funds to establish improved teleconferencing and telework options for election-related items, including virtual election panels and media opportunities.

Kansas Election Security Activities

In February 2018, the Center for American Progress (CAP) released an analysis of election security in all 50 states. Kansas was ranked F/D, one of five states that received an unsatisfactory ranking. However, the State received fair marks for voting machine certification requirements, pre-election logic and accuracy testing, and adherence to a number of minimum cybersecurity best practices.

Kansas received unsatisfactory marks for the lack of a VVPAT from all voting devices and postelection audits; the State’s ballot accounting and reconciliation procedures; and for allowing voters stationed or living overseas to return voted ballots electronically. [Note: At the time of the CAP report’s publication, 2018 HB 2539 had not yet been passed. See more information on HB 2539 under sections “Voting Devices” and “Postelection Audits” in this article.] Kansas received an incomplete mark for minimum cybersecurity for voter registration systems due to the absence of information from state officials on these topics.

Election Personnel

Kansas poll workers must be a resident and registered voter in the area in which they will serve; normally at least 18 years of age, though they may be as young as 16 years old if they meet certain other requirements; and not a candidate in the current election. In Kansas, there are no requirements for poll workers to submit to and pass background checks. KSA 25-2806 requires county election officers to provide instruction concerning elections generally, voting devices, ballots, and duties for poll workers before each election. The curriculum specifics and training duration is left to the discretion of the county election officer.

Voting Devices

According to the EAC, Kansas deployed a total of 6,365 voting machines for the 2018 elections; 894 direct-recording electronic voting machines (DREs) without VVPAT, 57 DREs with VVPAT, 4,461 ballot marking devices, and 953 electronic scanners. As of March 2018, approximately 20 counties had replaced some or all of their voting devices or were in the process of purchasing new voting devices, including Johnson County.

Kansas statutes concerning electronic voting devices can be found in KSA 25-4401 through KSA 25-4416, also known as the Electronic and Electromechanical Voting Systems Act. KSA 25-4406(m) requires voting devices to be compliant with HAVA voting system standards. Logic and accuracy testing must be conducted on all voting devices within five days before an election, pursuant to KSA 25-4411. County commissioners and county election officers may select the type of voting device utilized in their voting locations, as long as it has been approved by the Secretary of State.

Amendments to KSA 25-4406 in 2018 HB 2539 require any electronic or electromechanical voting system approved by the Secretary of State to provide a paper record of each vote cast at the time the vote is cast. The bill also required voting systems have the ability to be tested before an election and prior to the canvass date.

Storage and Tallying of Votes

The majority of Kansas counties use some form of paper ballot and use electronic scanners to tally the votes.

These paper ballots are stored in locked boxes with authorized access. Counties that use DREs without a VVPAT store votes on removable memory cards.

Transmitting Vote Tallies

KAR 7-21-2 states results are to be sent only by fax, phone, hand delivery, or encrypted electronic transfer. According to the Office of the Secretary of State, officials typically call in or email results, and there is no Internet uploading of results.

COVID-19 Pandemic-Related Information

In June 2020, the Brennan Center released “Preparing for Cyberattacks and Technical Problems During the Pandemic,” which included a checklist for election officials to navigate cybersecurity during the COVID-19 pandemic. The checklist includes instructions for election administration and infrastructure; mail voting; in-person voting; and results reporting, certification, and public communications.

More detailed information on election security in Kansas can be found in the Kansas Legislative Research Department memorandum titled “Status of Election Security in Kansas,” located at http://www.kslegresearch.org/KLRD-web/Elections&Ethics.html.

1. Arkin, W.; Dilanian, K.; McFadden, C. U.S. Intel: Russia compromised seven states prior to 2016 election. (2018, February 27). Retrieved from https://www.nbcnews.com/politics/elections/u-s-intelrussia-compromised-seven-states-prior-2016-election-n850296.
2. Secure sockets layer security is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.
3. A virtual private network creates a safe and encrypted connection over a less secure network.
4. NCSL, Vote Centers, https://www.ncsl.org/research/elections-and-campaigns/vote-centers.aspx
5. Alaska, Arkansas, Arizona, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Iowa, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, and Wisconsin.
6. NCSL, Electronic Transmission of Ballots, https://www.ncsl.org/research/elections-and-campaigns/internet-voting.aspx.
7. Cyber-liability insurance is coverage for financial consequences of electronic security incidents and data breaches.
8. A white-hat hacker is a computer security specialist who breaks into protected systems and networks for potential improvements.
9. Interstate information sharing programs include the Multi-State Information Sharing & Analysis Center and the Election Infrastructure Information Sharing & Analysis Center, which collect, analyze, and disseminate threat information to members and provide tools to mitigate risks and enhance resiliency.
10. Cybersecurity services are provided by private entities including The Athenian Project and Project Shield.
11. The other states include Arkansas, Florida, Indiana, and Tennessee.
12. The Brennan Center for Justice, Preparing for Cyberattacks and Technical Problems During the Pandemic. https://www.brennancenter.org/our-work/research-reports/preparing-cyberattacks-and-technical-problems-during-pandemic-guide.