Preparing for Cyberattacks and Technical Failures: A Guide for Election Officials

Note: This report was published before Covid-19 radically altered the 2020 election. A more recent report, “Preparing for Cyberattacks and Technical Problems During the Pandemic: A Guide for Election Officials," factors in how the disease has disrupted November’s election. Read it here.

Introduction

America’s intelligence agencies have unanimously concluded that the risk of cyberattacks on election infrastructure is clear and present — and likely to grow. ¹ While officials have long strengthened election security by creating resiliency plans, ² the evolving nature of cyber threats makes it critical that they constantly work to improve their preparedness. It is not possible to build an election system that is 100 percent secure against technology failures and cyberattacks, but effective resiliency plans nonetheless ensure that eligible voters are able to exercise their right to vote and have their votes accurately counted. This document seeks to assist officials as they revise and expand their plans to counter cybersecurity risks.

Many state and local election jurisdictions are implementing paper-based voting equipment, risk-limiting audits, and other crucial preventive measures to improve overall election security. In the months remaining before the election, it is at least as important to ensure that adequate preparations are made to enable quick and effective recovery from an attack if prevention efforts are unsuccessful.

While existing plans often focus on how to respond to physical or structural failures, these recommendations spotlight how to prevent and recover from technological errors, failures, and attacks. Advocates and policymakers working to ensure that election offices are prepared to manage technology issues should review these steps and discuss them with local and state election officials.

Electronic pollbooks, or e-pollbooks, are laptops or tablets that poll workers use instead of paper lists to look up voters. E-pollbooks expedite the administration process, shorten lines, lower staffing needs, and save money. Most e-pollbooks can communicate with other units in the same location to share real-time voter check-in updates. They may also be able to communicate directly with a local election office or with other locations, such as vote centers, via physical connections or wireless networks.

There are no national standards for e-pollbook operations or security. E-pollbooks present unique challenges because they need to maintain updated information across numerous devices and locations. Additionally, many devices that may be used as e-pollbooks do not have the ability to connect via physical networks and require some type of wireless communication to convey important information. Election officials should consider the following security recommendations when using e-pollbooks:

Limit or eliminate connectivity to wireless networks whenever possible. E-pollbooks used for voter check-in generally do not need wireless connections. Officials who operate precinct-based voting on Election Day should choose e-pollbook options that use hardwired connections to share voter information in real time across units to complete the voter check-in process. This provides the greatest level of security. Bluetooth is not an acceptable alternative to other types of wireless network connectivity; researchers have found security vulnerabilities that risk the spread of malware and allow unauthorized access to data being transmitted between Bluetooth-connected devices. ¹

Implement proper security protocols when wireless connectivity is required. Election officials using vote centers and multiple early-voting locations may require some network connectivity to share voter check-in information across several locations. Additionally, some e-pollbooks may not fully function if their wireless connections are eliminated or disabled. For example, certain e-pollbooks use Apple iPads, which rely solely on wireless connectivity for communication. If wireless networks must be used, officials should implement security protocols, including encrypting communication between e-pollbooks and requiring strong passwords that are changed after every election.

Ensure that systems are properly patched as part of Election Day preparations. E-pollbooks must receive appropriate operating system updates and software patches in advance of every election to protect against known cyber vulnerabilities. To determine what patches are available or recommended, election officials should start by reviewing any guidelines or requirements created by state or local government IT agencies. States and localities may develop their cybersecurity requirements on the basis of the National Institute of Standards and Technology’s cybersecurity framework. ² Adhering to these requirements will ensure that election officials are using best practices for securing election systems, protecting the personally identifiable information (PII) of voters, and preserving the integrity of voter data used on Election Day. Alerts from the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) can also provide insights about recent vulnerabilities and emergency security patches.

Keep appropriate backup of e-pollbooks in polling places. Paper backups of e-pollbooks are the best resiliency measure in the event of an e-pollbook failure. They allow poll workers to continue confirming voters’ eligibility, diminish the potential for long lines, and may minimize the need to issue provisional ballots. While jurisdictions in 41 states and the District of Columbia (DC) use e-pollbooks, our research indicates that only 11 states and DC formally require paper backups on Election Day, although several other states recommend the practice or have counties that voluntarily keep paper backups. ³ Durham County, North Carolina, experienced a significant failure of e-pollbooks in November 2016, when many voters arrived at the polls to find that they had been marked on the e-pollbooks as already having voted or were improperly marked as needing to provide additional identification. ⁴ Voting was delayed for more than an hour and a half as the county printed paper pollbooks and delivered them. ⁵ This delay could have been avoided if printed pollbooks had been sent ahead of time with other polling place materials. Preemptively sending paper backup of e-pollbooks to polling places obviates the need for detailed logistics in case of e-pollbook failure.

Jurisdictions should evaluate their e-pollbook recovery procedures to ensure they will be easy for poll workers to follow and will not introduce new obstacles to voters casting their ballots quickly. As the use of vote centers and other centralized voting locations increases, printing pollbooks may create logistical and administrative challenges. These types of voting locations may need other backup options, such as nonnetworked devices from a different vendor that contain the entire list of registered voters for a jurisdiction, along with the correct ballot style and current status (i.e., voted, absentee, or not voted) for each voter. Another option is to produce a backup list on demand using high-speed printers. This backup procedure, which New Hampshire law calls for, could allow polling places to quickly transition from malfunctioning e-pollbooks to paper backups.

Provide sufficient provisional ballots and materials for two to three hours of peak voting. A key backup measure for Election Day is to supply sufficient provisional ballots and provisional balloting materials. It is preferable to issue regular ballots to eligible voters if the e-pollbook system fails. However, it may not be possible to determine voter eligibility in the event of such a failure, especially if backup paper pollbooks are unavailable or are found to contain errors. Provisional ballots ensure that individuals can cast a ballot while providing election officials time to determine their eligibility. These ballots should be counted once officials determine eligibility, with no further action required of the voter. Having sufficient provisional ballots to account for two to three hours of peak voting activity will allow voting to continue in the event of system failures. ⁶ For the November 2020 election, this will require enough provisional ballots for at least 35 percent of registered voters. ⁷ While not enough to deal with an all-day problem, it will provide sufficient time for other measures to be implemented or additional ballots and materials to be delivered. Contingency plans must provide for additional materials to be delivered if the problem cannot be resolved.

Train poll workers to implement pollbook contingencies. Improper or insufficient training of poll workers can lead to voters being turned away, long lines, and ineligible individuals casting ballots. Poll worker instructions for managing provisional ballots must specify how to handle e-pollbook failures appropriately, including when to allow voters to cast a regular ballot and when to issue provisional ballots instead. Whenever voter eligibility can be confirmed in a timely fashion through the use of appropriate backups, regular ballots should be issued. The U.S. Election Assistance Commission (EAC) provides a list of guidelines for poll workers regarding provisional ballots as well as some best practices for poll worker accountability. Provisional ballot forms must clearly indicate the sections that should be filled out by voters, poll workers, and election staff, so each person knows what he or she needs to do. It is also important to provide a clear list of circumstances in which to use provisional ballot envelopes, including on the envelopes themselves. In 2018, Virginia adopted new provisional ballot materials created in coordination with the Center for Civic Design that illustrate these best practices. ⁸

More Resources

• Center for Internet Security Handbook
• Belfer Center Cybersecurity Playbook
• Pew E-pollbook Database
• National Conference of State Legislatures Page on E-pollbooks
• EAC Standards for Poll Workers
• Center for Civic Design on Provisional Ballots

Even under the best of circumstances, equipment failures occur. For digital or optical-scan voting systems, recovery in case of an equipment failure can be relatively fast; as ballots are already printed, voting can continue while the tabulator issue is resolved. As a Brennan Center report on voting machines notes, jurisdictions that rely on direct-recording electronic (DRE) machines can face more problems in the event of a failure, since “voters may have to wait in long lines while election workers scramble to repair them.” ¹

These problems can occur when jurisdictions use ballot-marking devices (BMDs) and ballot-on-demand (BOD) printers as well. In the event of a system failure, these machines will not function until repaired or replaced, and jurisdictions using them will need to print ballots in advance of the election to allow voting to continue. Regardless of the voting system used, election officials should conduct logic and accuracy testing on all voting equipment prior to every election in order to minimize the chance of unforeseen failures on Election Day.

If using paper ballots, print enough ballots for all registered voters. Many election officials using paper ballots decide how many ballots to print on the basis of prior election turnout or the percentage of registered voters expected to vote. This approach can result in ballot shortages and leave jurisdictions unprepared for unexpected voter surges. This happened across the country during the 2018 midterm elections, when turnout reached historic levels, and many experts predict record-breaking turnout in 2020. ² To prepare, election officials should print enough ballots for all registered voters. Jurisdictions that allow Election Day registration may require an even higher ballot supply.

If using voting systems that do not require preprinted ballots, print enough emergency paper ballots for two to three hours of peak voting activity. Emergency ballots should be provided to voters who are identified as qualified and meeting all the requirements for voting pursuant to state law but who are unable to vote due to a voting machine malfunction. Emergency ballots are different from provisional ballots, which are given to voters whose eligibility is unclear. Emergency ballots should be counted as soon as functional voting equipment becomes available, without any additional scrutiny of voter qualifications, unlike provisional ballots, which may require research on voter eligibility. Printing enough emergency ballots for two to three hours of peak voting activity will allow voting to continue until equipment can be repaired or replaced, or until additional paper ballots can be delivered to a polling place. For the November 2020 election, this will require enough provisional ballots for at least 35 percent of registered voters. Appropriate procedures should be put in place for chain of custody and accounting for preprinted paper ballots.

DRE voting systems directly record, in electronic form, voters’ selections in each race or contest on the ballot. An increasing number of states and local jurisdictions have begun replacing antiquated DREs with BMDs as the primary voting option. Others are increasingly using vote centers, which often rely on BOD printers to produce on-site any ballot style and language that might be needed for a particular voter. Because these systems do not need preprinted ballots, election jurisdictions using DREs, BMDs, or BOD-printed ballots as their primary voting option should preprint and distribute emergency paper ballots that can be counted by existing tabulators. There are 16 states that will use DREs as the principal polling place equipment in at least some jurisdictions in 2020. ³ However, at least seven do not mandate that paper ballots be made available in the event of DRE failure. ⁴

In vote centers that have a large number of ballot styles, preprinted emergency ballots for at least the precincts closest to that vote center should be stocked. Vote centers can also be stocked with master copies of emergency paper ballots in all necessary styles and languages, along with a photocopier to reproduce them in emergency situations.

Tabulators should be programmed to accept and read both ballots produced by the BMD/BOD printers and preprinted emergency ballots. Preelection testing should verify that the tabulators properly identify and record both types of ballots.

Develop procedures to manage and track malfunctioning equipment or equipment failure. Machines that appear to be malfunctioning or improperly calibrated should be taken out of service and additional voting equipment deployed to the polling place or vote center. Recalibrating DRE touch screens or conducting any other necessary voting equipment repairs should be done in full view of observers. Any reports from voters of machine errors should be tracked and immediately reported to the central election office. Election offices should review and compare these reports across voting locations to identify trends that could indicate widespread problems, including potential cyberattacks. Training should ensure that poll workers understand the process for counting ballots, including potentially hand-counting ballots, if equipment failure cannot be resolved before voting ends.

Communicate with voters to build trust in the election process. Election officials should preprint signage that will allow poll workers to inform voters of equipment failures in a manner that is consistent across locations and approved by the election office. On Election Day, poll workers should ensure that voters are not directed to use machines that are suspected of producing erroneous records.

Poll workers should also take steps to make sure that voters accurately recorded their selections on their ballots. When using hand-marked paper ballots that are counted without the help of an optical scanner, poll workers should remind voters to check their ballots to prevent overvotes, which occur when voters make more selections than the number allowed. When using DREs with a voter-verifiable paper audit trail (VVPAT) or BMDs, poll workers should clearly explain to voters how their ballots will be cast and remind them to verify that the paper printout matches the selections they made on the machine. For example, when using BMDs that print a ballot that must then be scanned by a separate machine, poll workers should say to voters, after their ballot has been printed and before it is cast: “Don’t forget to check the printed ballot carefully. If you see something wrong, you can get a replacement. Then you’ll go [over there] to cast it.”

Take steps to prevent late polling place openings due to equipment failures. Inoperable voting equipment should not prevent the timely opening of a polling place. Late polling place openings can lead to long lines and voters leaving without an opportunity to cast a ballot. ⁵ Poll workers should be trained to deal with equipment failures occurring on the morning of Election Day. Voters should be allowed to vote using emergency paper ballots if voting equipment is not operable when the polls open. Poll workers should explain to voters how their ballots will be counted once working voting equipment becomes available.

Plan to assist voters with disabilities if voting machines fail. If accessible voting machines fail and paper ballots are used instead, disabled voters may not be able to vote privately and independently. Jurisdictions with sufficient resources should have backup accessible voting equipment, with all ballot styles available (similar to what would be used at a central voting site for early voting), geographically dispersed so that it can be rapidly delivered to any polling place where accessible equipment has failed. In the longer term, jurisdictions might consider providing each polling place with accessible tablets and printers to be used by voters with disabilities in the event of equipment failure. ⁶ Poll workers should be appropriately trained on any backup systems used to provide accessibility.

More Resources

• Brennan Center Report on Voting Machines at Risk
• Brennan Center Voting Equipment Overview
• Verified Voting Verifier – Lookup Tool for Polling Place Equipment

Voter registration systems maintain official lists of registered voters, including all voter information and district assignment information. The statewide systems usually serve additional election-management purposes as well, such as processing absentee ballots. A failure of the registration system on or near Election Day can cause problems producing files for paper pollbooks or e-pollbooks, using voter information lookup tools, or validating provisional ballots immediately after the election.

Establish a 60-day preelection blackout window for all noncritical software updates and patches. These windows increase the likelihood that programming errors, viruses, or other problems will be discovered in a timely manner prior to Election Day. Sixty days provides sufficient time before the close of voter registration or the start of absentee voting to identify whether installed patches or updates have created unintended system issues. Even updates that do not directly impact voter registration databases, such as server patching, networking equipment upgrades, and locality telecommunications system changes, may impact a local election official’s ability to access the state voter registration database. Therefore it is critical that these blackout dates be established and communicated with relevant staff to prevent potential issues on or shortly before Election Day. The plan should include a process for emergency updates during the blackout window, indicating who will authorize the emergency update and how it will be tested prior to rollout.

Subject the system periodically to independent vulnerability testing. States can either partner with the Department of Homeland Security or engage outside cybersecurity consultants to test the system for vulnerabilities on a periodic basis. Vulnerability testing should be conducted well in advance of an election, and at least quarterly, to provide sufficient time to resolve any potential vulnerabilities that are discovered. While the specific results of vulnerability testing need not be released so as to maintain system security, officials should be transparent about what entity conducted the testing and what standards it used.

Maintain backup copies of digital records off-line in case online access is limited. In the lead-up to the election, local officials should download an electronic copy of voter information on a daily basis and store it securely, so that they have the most recent information in case the voter registration system becomes unavailable. This can be used to conduct research on provisional ballots after the election.

Provide voters with tools to look up their voter registration status online and conduct outreach to urge voters to use the tool in advance of any registration deadline. Voters can provide crucial information about undesired changes to their registration, including address changes they did not request, which could be an early indicator of a possible breach. Encouraging voters to check before a deadline ensures that problems can be resolved in a timely fashion. It may also reduce pressure on poll workers on Election Day.

Provide voters with tools to look up their polling place information online, and make alternative websites available. In case a voter lookup tool fails, election officials should be prepared to provide links to other polling place lookup tools, such as the Voting Information Project (VIP), an independent entity that provides information to voters using official data. New Jersey successfully used VIP to provide information to voters after Hurricane Sandy made state systems unavailable and necessitated a large number of polling place changes in advance of the 2012 election. ¹ Using tools such as VIP for polling place lookups, instead of sites that depend on statewide registration systems, also reduces the load on state servers at busy times in the election season. This requires providing accurate polling place data to the backup site in advance of elections and confirming that the backup site is working correctly.

More Resources

• EAC Deep Dive on Election Technology
• Pew Project on Upgrading Voter Registration
• EAC Checklist for Securing Voter Registration Data
• Voting Information Project

Local and state officials usually post unofficial results on election night. While this information does not reflect the certified results, large differences between unofficial election night results and the final outcome can create questions for voters about the accuracy of the process. Election night reporting sites are prime targets for denial of service (DoS) attacks because the sites’ high-use period is known ahead of time, and preventing access to unofficial results can create negative media attention about the electoral process. A hotly contested race can intensify interest in the election results, and a large increase in visitors to a reporting site in a short period can likewise bring down the site.

Establish redundancies. Some states, including Arizona and Virginia, experienced election night reporting failures in the 2014 midterm elections. ¹ Addressing the system failures after the election, several of these states established a redundant system that can be made available if the main system fails. ²

Do not connect election night reporting systems to voting systems or the statewide registration system. Election night reporting systems (ENRs) are attractive targets for cybercriminals and other nations. Bad actors have successfully attacked ENRs around the world, including in Ukraine, Bulgaria, and more recently the United States. By publishing unofficial results through an unconnected system, election officials can minimize the potential that a targeted attack on the reporting system will have any lasting impact. Knox County, Tennessee, experienced a DoS attack linked to foreign IP addresses during its May 1, 2018, primary elections. Although this attack likely served as a distraction from a separate attack on the county’s servers, the reporting website itself did not provide an avenue for future disruption. The county’s deputy director of IT noted that its reporting system is “not connected to any live databases. . . . It’s a repository for being able to report to the public, and we have intentionally kept any primary data extremely isolated.” ³

More Resources

• EAC Checklist for Securing Election Night Reporting Systems

All good contingency plans include a communication plan. At its core, a communication plan is intended to assist election officials in distributing essential information in a timely manner and maintaining public confidence in the election’s administration. Communication plans are important in all unexpected situations, from equipment failures to potential cyberattacks to unintentional errors.

Draft, review, and approve a communication plan prior to Election Day. Keeping voters, poll workers, and others informed minimizes the harm that could arise on Election Day in the event of negative developments. The most basic communication plan includes key staff and contacts. A more detailed strategy may include various response options for potential problems as well as longer-term considerations, such as notification requirements in the event personal voter information has been leaked.

Provide a public website for emergency communications. Officials should publicize links where emergency information will be posted on Election Day, possibly including official social media accounts used by state and local election officials. These can serve as official sources where voters, candidates, media, and advocacy organizations can find information regarding extended polling place hours, polling place relocations, and other emergency information. Doing this in advance of an election will make emergency communications easier for election officials.

Be transparent but careful. As the Belfer Center for Science and International Affairs suggests, “Transparent communication builds trust, but in a cyber incident, you will have few facts at hand, especially at the outset. Public comments should demonstrate that you are taking the issue seriously but avoid providing any details that may change as the investigation progresses, so you don’t have to correct yourself down the line. Avoid speculation on the perpetrator of the incident.” ¹

More Resources

• Belfer Center Cybersecurity Playbook

The Brennan Center gratefully acknowledges Carnegie Corporation of New York, Change Happens Foundation, Craig Newmark Philanthropies, Lee Halprin and Abby Rockefeller, the JPB Foundation, Leon Levy Foundation, Open Society Foundations, Rockefeller Brothers Fund, and Wallace Global Fund for their generous support of our election security work.

The authors would like to thank the many colleagues who collaborated in preparing this tool kit. Derek Tisler, Christopher Deluzio, and Wilfred Codrington contributed crucial research and editorial support to this project. Research and Program Associates Brianna Cea, Shyamala Ramakrishna, and Andrea Córdova McCadney merit special thanks for their sustained assistance in researching, fact-checking, and editing.

We are also indebted to the many experts and officials whose knowledge and feedback helped shape this tool kit. We gratefully acknowledge the following individuals for sharing their insights: Pam Smith, senior adviser, Verified Voting; Whitney Quesenbery, codirector, Center for Civic Design; Dana Chisnell, codirector, Center for Civic Design; Marcia Johnson-Blanco, codirector, Lawyers’ Committee for Civil Rights Under Law; Laura Grace, election protection manager, Lawyers’ Committee for Civil Rights Under Law; Michelle Bishop, disability advocacy specialist for voting rights, National Disability Rights Network; Aquene Freechild, campaign codirector, Public Citizen; Emily Berger, senior fellow, Public Citizen; Susannah Goodman, director of election security, Common Cause; Neal Kelley, registrar of voters, Orange County, California; Noah Praetz, director of elections, Cook County, Illinois; Matthew Davis, former chief information officer, Virginia Department of Elections; Dana DeBeauvoir, county clerk, Travis County, Texas; Genya Coulter, precinct clerk at Polk County [Florida] Supervisor of Elections; Tonia A. Tunnell, director of government relations, Maricopa County [Arizona] Recorder’s Office and Elections Department; Maribeth Witzel-Behl, city clerk, Madison, Wisconsin; Richard Rydecki, assistant administrator, Wisconsin Elections Commission; Susan Greenhalgh, national policy director, National Election Defense Coalition; and Maurice Turner, senior technologist, Center for Democracy & Technology.