The Blue Ribbon Commission on Pennsylvania’s Election Security released a final report recommending legislators consider bond issuances to help counties purchase voting systems with paper ballots and implement mandatory post-election audits and election emergency plans before the 2020 presidential election.
In September, the commission released interim recommendations to replace insecure Direct Recording Electronic (DRE) voting systems with those that incorporate voter-marked paper ballots, such as optical scan machines, and for state and federal governments to help counties cover associated costs. The final report reiterates those top priorities and provides a framework for swift legislative action.
“We must not pretend that the existing election architecture from an era of flip phones is sufficient to withstand a determined foreign adversary. Improving it will require political will, including funding. And it requires that the Commonwealth and counties are prepared to administer an election even in the face of a cyberattack,” reads a statement from commission co-chairs David Hickton and Paul McNulty.
The independent, bipartisan commission was convened in May 2018 by Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security (Pitt Cyber) and McNulty, president of Grove City College, with support from The Heinz Endowments and the Charles H. Spang Fund of The Pittsburgh Foundation. The commission is hosted by Pitt Cyber and is in collaboration with Verified Voting and Carnegie Mellon’s Software Engineering Institute CERT Division.
The commission assessed the cybersecurity of Pennsylvania’s election architecture, including voting machines and election management systems, the voter registration system, and recovery and resilience in the event of a cyberattack or other technological failure.
“We know we are under attack, we know methods of attacks and we know the points within the architecture that are most at risk. Ignoring those risks until we are forced to respond to a successful attack would be irresponsible and dangerously negligent. We cannot afford to bury our heads in the sand on this issue,” said Hickton.
“Sophisticated and vigilant actors determined to weaken national security by undermining the democratic process have targeted voting infrastructure in Pennsylvania and in states across the nation. We must identify and correct vulnerabilities and develop systems with redundancies that ensure every vote can be counted, even in the aftermath of an attack,” said McNulty.
Tom Ridge, who served as Pennsylvania’s 43rd governor from 1995-2001 and as the nation’s first U.S. Secretary of Homeland Security, said the report underscores the need to quickly implement changes.
“The significant threats to the security of our election system demand swift and bold action by Pennsylvania’s leaders,” said Gov. Ridge. “The Blue Ribbon Commission on Pennsylvania’s Election Security has issued a thoughtful and thorough report that provides a clear roadmap for officials to do what is needed to protect our democracy. Now is the time to act.”
Recommendations in the report include:
- The Department of State should decertify DRE voting systems after Dec. 31, 2019, if not sooner, and should not certify DRE machines — not even with voter-verifiable paper audit trails. Only systems that tabulate voter-marked paper ballots, which are retained for recounts and audits, should be certified.
- Pennsylvania’s governor, general assembly and counties should explore creative financing mechanisms such as a bond issuance to help counties fund the cost of replacing voting systems.
- The general assembly should require transparent risk-limiting audits after each election.
- The general assembly should revise the Pennsylvania Election Code to provide clear authority for the suspension or extension of elections due to widescale cyber-related attacks, natural disaster or other emergencies disruptive of voting.
- The Pennsylvania Department of State and counties should include cybersecurity as a key selection factor when selecting election-related vendors.
- The Commonwealth and counties should provide cybersecurity awareness training for election officials where it is not already in place.
- The auditor general and Commonwealth’s Inter-Agency Election Preparedness and Security Workgroup should review the Commonwealth’s cyber incident response plans for improvements.
For more information about the commission, visit https://www.cyber.pitt.edu/commission.