Pennsylvania Commission Issues Urgent Call to Replace Vulnerable Voting Machines

More than 80 percent of the state’s voters use electronic machines that do not leave an auditable paper trail

September 27, 2018

The Blue Ribbon Commission on Pennsylvania’s Election Security issued its interim recommendations this week. (I do staff work for the commission through my role as the Law & Policy Fellow at the University of Pittsburgh Institute for Cyber Law, Policy, and Security.)

Stressing the “urgency of the threat and that many counties are appropriately undertaking decisions with respect to replacing outdated voting systems,” the commission made its suggestions in advance of its full report, which is slated for early next year. 

The Commission had three principal recommendations, and they apply to any state still using vulnerable paperless electronic voting systems:

  • Counties should replace machines that do not produce a voter-verified paper audit trail and opt for systems using voter-marked paper ballots (either by hand or by machine).
  • When purchasing new machines, counties should safeguard against supply chain vulnerabilities and assess vendors for potential security risks.   
  • The state and federal governments should help counties purchase secure voting systems.

The risk to Pennsylvania’s elections is acute: More than 80 percent of the state’s voters use paperless electronic voting machines. Countless studies and reports have shown that these outdated machines are vulnerable to hacking and present unreasonable security risks. As Brennan Center Counsel Liz Howard recently testified before a Pennsylvania legislative committee, the “unanimous national security and scientific community consensus is that replacing all paperless voting machines with equipment that creates a paper record of every vote cast is the simple solution” to bolster the security of elections.

Pennsylvania officials at the state level have shown an appreciation of the need to replace vulnerable voting machines. In April, Acting Secretary of State Robert Torres directed that counties have “voter-verifiable paper record voting systems selected no later than December 31, 2019, and preferably in place by the November 2019 general election.” The commission applauded this sensible move, urging counties using paperless electronic voting machines to “replace them with systems using voter-marked paper ballots (either by hand or by machine) before 2020 and preferably for the November 2019 election.”

Despite this seeming momentum to replace vulnerable machines, there has been no state commitment to help counties shoulder the cost of purchasing new equipment. Nor has Congress stepped in to fill that void — in fact, the cost of replacing machines in Pennsylvania is well in excess of the roughly $13.5 million allocated by the federal government. The commission’s recommendation that both the state Legislature and Congress provide funding to help counties purchase new, more secure voting machines rightly frames the funding burden as one that should be borne by both the state and federal governments.

Lastly, the commission urged election officials to follow vendor selection and management best practices with an eye toward minimizing vendor security risks and “supply chain vulnerabilities.” Remarkably, there is no federal regulatory regime governing election vendors, which perform many critical election-related functions, such as ballot preparation, logic and accuracy testing, and equipment manufacturing and servicing. This regulatory vacuum puts the onus on state and local officials to closely scrutinize vendors for cybersecurity-related risks and to assess vulnerabilities in vendors’ supply chains. In Maryland, for example, officials learned this summer that a vendor trusted with servicing the state’s voter registration database and other systems was financed by a fund in which a Russian oligarch was a substantial investor. 

As officials in Pennsylvania and across the country look to replace voting machines and make other procurement decisions, they should be cognizant of these risks and heed the commission’s recommendation to use “a vendor’s cybersecurity readiness as a primary metric in procurement decision-making” and to conduct “ongoing cybersecurity monitoring throughout the life cycle of the vendor relationship.” And where paperless electronic voting machines remain in use, officials should hasten their replacement.

Click here to read more about election security and how you can protect the vote.