So Your State Has Come Into Some Election Security Money. Now What?
Some states will have to tread water until the 2020 election as far as purchasing secure voting machines, but where there are voter-marked paper ballots there’s hope.
Most states won’t have comparison risk-limiting audits in place by the November midterms, which makes how they spend the $380 million in federal funding for election security, due out within 39 days, that much more important.
Congress included the money in the omnibus spending bill, at the Senate Intelligence Committee’s recommendation, to be disbursed to states under the Help America Vote Act and spent on verifiable paper balloting, post-election audits of votes and cyber defenses.
The appropriation is a good first step in shoring up voting systems against Russian-connected hacking, according to election security experts, but it doesn’t come close to replacing vulnerable polling place equipment in most at-risk states.
“I wouldn’t say it’s a drop in the bucket—a glass of water in the bucket,” Joe Kiniry, Free & Fair CEO and chief scientist, told Route Fifty by phone. “A big corporation spends this much money on cybersecurity in a year.”
A Flawed Funding Formula?
How much funding states receive will be determined by the Election Assistance Commission based on a formula laid out in HAVA, consisting of a minimum payment of .005 percent—about $1.9 million each—and a second payment based on their proportion of the U.S. voting age population. The omnibus guarantees every state $3 million and requires they match 5 percent of the money they receive within two years.
The Brennan Center for Justice and Verified Voting estimate California will receive the most: $34.6 million. Alaska, Delaware, Montana, North Dakota, Rhode Island, South Dakota, Vermont, and Wyoming will receive the minimum $3 million.
This could prove problematic because Delaware, for instance, is one of five states that use paperless direct recording electronic, or DRE, voting machines statewide. DREs make it impossible to ensure election results haven’t been hacked—requiring replacement with machines that generate a voter-marked paper trail.
“If you are a state with no paper records, you should buy machines that have paper records,” said Matthew Bernhard, a computer science PhD student at the University of Michigan whose work includes hacking a DRE machine still found in 20 states.
The cost to replace Delaware’s machines could run between $2.7 and $4.3 million, according to a recent Brennan Center-Verified Voting report, meaning 70 percent to 110 percent could be covered by the new funding. That’s better than most of the 13 states that use paperless DREs to some degree, 10 of which are unlikely to receive half the money they need to replace them—including the four other states deploying them statewide: New Jersey, Louisiana, Georgia and South Carolina.
There are additionally 20 states that use DREs with voter-verified paper audit trails, which still record votes electronically despite producing a paper record. A hacked machine could falsify both, and 14 out of the 20 states are unlikely to receive half the funding they need to replace them.
Election security experts disagree as to whether the current HAVA funding formula or one based on risk analysis—that prioritizes states lacking voter-marked paper ballots—is the best approach. David Becker, the founder and executive director of the Center for Election Innovation and Research, believes all states deserve a slice of the funding pie given all are threatened.
“We don’t know where the bad guys are going to target next,” Becker said.
Illinois, the only state the Homeland Security Department says had its voter registration system breached in the lead-up to the 2016 election, was “hardly perceived a swing state,” Becker added.
Kiniry, on the other hand, feels money is best spent where it would increase trust in election outcomes: jurisdictions lacking paper ballots, those with poor audit procedures that never trigger or lack statistical backing, and swing states.
Some states like Colorado are already fairly self-sufficient when it comes to election security funding, while others like Michigan have questionable auditing practices, Bernhard said.
New HAVA funds were needed in the first place because, as of Sept. 30, 2016, 11 states had spent down their original balances and 26 had less than 10 percent remaining, according to the most recent EAC data. Those numbers will have increased, Becker said, as states were supposed to spend the money by now.
Awarding money based on risk could be seen as “rewarding bad behavior” of jurisdictions that “didn’t do the right thing” to begin with, Kiniry admitted.
Regardless of how much funding states ultimately receive, experts agree step one is ensuring optical scan voting systems, which read marked paper ballots, are everywhere.
Step Two: Audits
Whether states have time before the midterms to deploy new voting machines depends on where they are in the certification process and how quickly state and county procurement processes move afterward.
But about 70 percent of voters are already on a paper record, said Marian Schneider, president of Verified Voting, a nonprofit and nonpartisan organization.
“If states already have paper ballots, yes, there is time to implement an audit process certainly before 2020 and, since we’re only in March, before the midterms,” Schneider said.
Don’t expect expert-recommended, comparison risk-limiting audits, which involve comparing a random sampling of paper ballots to their digital counterparts, anywhere outside of Colorado.
And even theirs is a work in progress with its 9 percent risk limit—higher than the advised 5 percent or lower, Bernhard said. A 9 percent risk limit means that if the election result is wrong, the audit will catch the error 91 percent of the time.
Rhode Island passed legislation mandating risk-limiting audits, but not in 2018. And a bill was only just introduced in California.
Jurisdictions have reached out to Free & Fair about experimenting with its risk-limiting audit software or training their election officials in 2018, but resources are limited and legislative mandates lacking. Every state with paper ballots can do a ballot-polling risk-limiting audit, which only requires “some dice, pencil and paper, and a few human beings,” Kiniry said.
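To show what the pencil-and-paper arithmetic of a ballot-polling audit looks like, here is an added example (not from the article and not Free & Fair's software) that applies the published BRAVO sequential test to a two-candidate contest at the 9 percent and 5 percent risk limits discussed above. The function name, the 60 percent reported share and the draw sequences are constructed for illustration.

```python
"""Two-candidate ballot-polling audit (BRAVO-style sequential test)."""
from itertools import cycle, islice


def ballot_polling_audit(sample, reported_winner_share, risk_limit, max_ballots):
    """Examine sampled paper ballots one at a time.

    sample: iterable of "W" (paper ballot shows the reported winner) or
            "L" (paper ballot shows the reported loser), in draw order.
    Returns (confirmed, ballots_examined). confirmed=False means the sample
    never gave strong enough evidence and a full hand count is required.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner must have more than half the votes")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be between 0 and 1")

    threshold = 1 / risk_limit      # evidence needed before stopping
    ratio = 1.0                     # likelihood ratio: reported result vs. a tie
    examined = 0
    for mark in islice(sample, max_ballots):
        examined += 1
        if mark == "W":
            ratio *= reported_winner_share / 0.5
        elif mark == "L":
            ratio *= (1 - reported_winner_share) / 0.5
        else:
            raise ValueError(f"unreadable ballot mark: {mark!r}")
        if ratio >= threshold:
            return True, examined
    return False, examined


# Constructed draw sequences; a real audit draws ballots at random (e.g. dice).
def paper_matches_report():
    return cycle("WWWLL")   # paper shows 60% for the reported winner


def paper_shows_tie():
    return cycle("WL")      # paper shows 50/50: the reported outcome is unsupported


if __name__ == "__main__":
    for limit in (0.09, 0.05):
        print(limit, ballot_polling_audit(paper_matches_report(), 0.60, limit, 5000))
    print("tie", ballot_polling_audit(paper_shows_tie(), 0.60, 0.05, 5000))
```

With these constructed draws the tighter 5 percent limit needs more ballots than the 9 percent limit before the audit can stop, and the tied paper record never reaches the threshold, which is the case that escalates to a full hand count.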
In the near term, implementing an audit strategy is a straightforward, robust way to defend against cyberattacks, Bernhard said, with audits running about $50,000 in any given state. He’s currently helping develop a new, less-complex auditing method that uses existing legal frameworks, so it will be “more palatable” for lawmakers to implement.
Non-statistical audits frequently require election canvassers to audit 1 percent of precincts, but they could simply rescan ballots through the same hacked machine and wind up with the same result. Requiring 1 percent to 2 percent of ballots statewide to be audited gets around this, Bernhard said, assuming the state’s voting system doesn’t run solely on DREs.
Kiniry wouldn’t be surprised if there are a number of close midterm races, given the sweeping point swings seen in interim elections.
“Those responsible for elections in states should recognize, in general, their statutes give them the power to ensure final vote tallies,” Kiniry said. “Many like to follow the letter of law, but now we’ve reached a stage where maybe it’s time to go back to the paper ballot record in many instances, when things are close or fishy, and do paper recounts.”
Most states have laws requiring recounts if an election result falls within a certain margin of error like 1 percent, but a smart cyberattack would ensure a hacked tally falls directly above that. Citizens can request recounts in their precincts but shoulder the costs if the result stands.
Recounts initiated by secretaries of state would likely cost tens of millions of dollars nationally, Kiniry said, but provide breathing room through 2020 while allowing public participation in the electoral process. They’re also labor intensive and still meaningless if DREs were used, Schneider said, advising election officials to push for audits in lieu of recounts.
'There’s Just Not Enough Good People.'
States with the right voting machines and auditing safeguards are free to spend what’s left of their federal funding hiring election security professionals to support both state and local election officials.
The problem, according to Kiniry: “There’s just not enough good people.”
“There’s not, but a lot of experts in election security didn’t get trained in election security,” Becker said. “This might be a real opportunity to bring more technical expertise into the elections field.”
Educating election officials on proper cyber hygiene, so they avoid breaches like Illinois’ and do things as simple as not taking pollbooks home, is critical in the runup to the election despite their busy schedules, Bernhard said.
States may also want to invest in cyber assessments of voter registration databases and internet-facing applications, intrusion detection and response at state and local offices, and beefed-up security protocols around authorized user access like two-factor authentication or physical tokens.
Coordination at the state level, rather than the jurisdiction level, will make things easier, Kiniry said, as will solidifying recommended operational procedures.
State and federal governments also need to start rethinking how they fund elections, Becker said.
While the existing HAVA funding formula was a quick and easy way to get money to states this time around, the bipartisan Secure Elections Act proposed by Sen. James Lankford and backed by Verified Voting prioritizes states with the least secure voting machines.
A grant program, like the one recommended by the Senate Intelligence Committee, would also help local election officials find money to do research, Bernhard said. Georgia is putting together the money to buy new voting machines, he added, and the federal funding might get them over the hump.
“Even in states where maybe someone thinks they’re not working as diligently as they should be, there’s a lot of movement on cybersecurity,” Becker said. “Generally speaking, we’re better off now than we ever have been.”
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.