Pennsylvania’s elections are vulnerable. But there are steps the state can take to move its outdated voting systems forward, according to a new report released Tuesday.
The report, which offers a model for other states, was produced by the independent Blue Ribbon Commission on Pennsylvania’s Election Security. Christopher Deluzio, a counsel for the Brennan Center’s Democracy Program, participated in the commission through his role as the Legal and Policy Scholar of the University of Pittsburgh Institute for Cyber Law, Policy, and Security.
Pennsylvania’s vulnerable voting systems
Election security is especially urgent in Pennsylvania because of outdated voting machines that are susceptible to hacking and manipulation. As of 2018, more than 80 percent of Pennsylvania voters use paperless electronic voting machines (DREs), which do not produce a verifiable paper record that either voters or election officials can review.
Pennsylvania also uses an old voter registration system that was not designed to combat current cybersecurity threats. Leading up to the 2016 election, Russian operatives targeted several state voter registration systems including Pennsylvania’s, according to the Department of Homeland Security.
“Pennsylvania elections are uniquely vulnerable for a combination of two reasons,” said Deluzio. “The state continues to use paperless DREs, and it’s also a perennial battleground state.”
The Pennsylvania Department of State has acknowledged this problem and has required counties to have voting systems with verifiable paper records selected by the end of 2019. This is consistent with the top recommendation of the commission’s report, which is for Pennsylvania to replace its DRE voting machines with systems that use voter-marked paper ballots.
However, Pennsylvania counties currently bear the full financial burden for the new voting systems. There’s a need for the state and the federal government to help counties fund the new systems, the report finds.
The need for cybersecurity, election audits, and contingency planning
New voting machines and registration systems alone won’t secure Pennsylvania’s elections. The commission report outlines how the state can bolster its cybersecurity by implementing best practices, providing cybersecurity training for election officials, and conducting cybersecurity assessments.
The commission also recommends the adoption of risk-limiting audits, which are a method for verifying whether voting machines are recording and tallying votes correctly. Risk-limiting audits, which have now been mandated in Colorado, Rhode Island, and Virginia, involve hand-counting a statistically meaningful sample of votes cast. This can helps determine whether the original vote tally was correct.
Finally, the report underscores the need for extensive contingency planning to ensure that election officials are prepared to respond in the event of a cyberattack.
The report also offers evidence that independent commissions like Pennsylvania’s can help states improve election security.
“We should be excited that this report is pushing Pennsylvania in the right direction,” said Deluzio. “This independent commission provides us with a model for other states to make concrete policy on election security.”