Skip Navigation
Policy Solution

Preparing for Cyberattacks and Technical Failures: A Guide for Election Officials

Summary: Effective resiliency plans will help safeguard against Election Day disruptions.

Contingency Plan Illustration
traffic_analyzer/Getty/BCJ

Note: This report was published before Covid-19 radic­ally altered the 2020 elec­tion. A more recent report, “Prepar­ing for Cyber­at­tacks and Tech­nical Prob­lems During the Pandemic: A Guide for Elec­tion Offi­cials," factors in how the disease has disrup­ted Novem­ber’s elec­tion. Read it here.

Intro­duc­tion

Amer­ica’s intel­li­gence agen­cies have unan­im­ously concluded that the risk of cyber­at­tacks on elec­tion infra­struc­ture is clear and present — and likely to grow. foot­note1_lkqr7p0 1 See gener­ally Senate Select Commit­tee on Intel­li­gence, Russian Active Meas­ures Campaigns and Inter­fer­ence in the 2016 U.S. Elec­tion Volume 1, 2019, https://www.intel­li­gence.senate.gov/sites/default/files/docu­ments/Report_Volume1.pdf; Robert S. Mueller III, Report on the Invest­ig­a­tion into Russian Inter­fer­ence in the 2016 Pres­id­en­tial Elec­tion, U.S. Depart­ment of Justice, 2019, https://www.justice.gov/stor­age/report.pdf; and Olivia Gazis, “Intel Chiefs Warn of Russia-China Alli­ance as Threats Grow More Complex,” CBS News, Jan. 29, 2019, https://www.cbsnews.com/news/intel­li­gence-chiefs-provide-updates-on-world­wide-threats-2019–01–28-live-updates. While offi­cials have long strengthened elec­tion secur­ity by creat­ing resi­li­ency plans, foot­note2_4bbdxdr 2 See, e.g., Wiscon­sin State Board of Elec­tions, Report on Elec­tion Related Contin­gency Plan­ning, 2007, https://elec­tions.wi.gov/sites/default/files/public­a­tion/65/elec­tion_related_contin­gency_plan­ning_2007_pdf_19060.pdf; Senate Select Commit­tee on Intel­li­gence, Russian Target­ing of Elec­tion Infra­struc­ture During the 2016 Elec­tion: Summary of Draft SSCI Recom­mend­a­tions, 2018, https://www.burr.senate.gov/imo/media/doc/Russ­Rpt­Instlmt1-%20Elec­Sec%20Find­ings%2CRecs2.pdf. the evolving nature of cyber threats makes it crit­ical that they constantly work to improve their prepared­ness. It is not possible to build an elec­tion system that is 100 percent secure against tech­no­logy fail­ures and cyber­at­tacks, but effect­ive resi­li­ency plans nonethe­less ensure that eligible voters are able to exer­cise their right to vote and have their votes accur­ately coun­ted. This docu­ment seeks to assist offi­cials as they revise and expand their plans to counter cyber­se­cur­ity risks.

Many state and local elec­tion juris­dic­tions are imple­ment­ing paper-based voting equip­ment, risk-limit­ing audits, and other crucial prevent­ive meas­ures to improve over­all elec­tion secur­ity. In the months remain­ing before the elec­tion, it is at least as import­ant to ensure that adequate prepar­a­tions are made to enable quick and effect­ive recov­ery from an attack if preven­tion efforts are unsuc­cess­ful.

While exist­ing plans often focus on how to respond to phys­ical or struc­tural fail­ures, these recom­mend­a­tions spot­light how to prevent and recover from tech­no­lo­gical errors, fail­ures, and attacks. Advoc­ates and poli­cy­makers work­ing to ensure that elec­tion offices are prepared to manage tech­no­logy issues should review these steps and discuss them with local and state elec­tion offi­cials.

End Notes

Prevent and Recover from Electronic Pollbook Failures and Outages

Elec­tronic poll­books, or e-poll­books, are laptops or tablets that poll work­ers use instead of paper lists to look up voters. E-poll­books exped­ite the admin­is­tra­tion process, shorten lines, lower staff­ing needs, and save money. Most e-poll­books can commu­nic­ate with other units in the same loca­tion to share real-time voter check-in updates. They may also be able to commu­nic­ate directly with a local elec­tion office or with other loca­tions, such as vote centers, via phys­ical connec­tions or wire­less networks.

There are no national stand­ards for e-poll­book oper­a­tions or secur­ity. E-poll­books present unique chal­lenges because they need to main­tain updated inform­a­tion across numer­ous devices and loca­tions. Addi­tion­ally, many devices that may be used as e-poll­books do not have the abil­ity to connect via phys­ical networks and require some type of wire­less commu­nic­a­tion to convey import­ant inform­a­tion. Elec­tion offi­cials should consider the follow­ing secur­ity recom­mend­a­tions when using e-poll­books:

Limit or elim­in­ate connectiv­ity to wire­less networks whenever possible. E-poll­books used for voter check-in gener­ally do not need wire­less connec­tions. Offi­cials who oper­ate precinct-based voting on Elec­tion Day should choose e-poll­book options that use hard­wired connec­tions to share voter inform­a­tion in real time across units to complete the voter check-in process. This provides the greatest level of secur­ity. Bluetooth is not an accept­able altern­at­ive to other types of wire­less network connectiv­ity; research­ers have found secur­ity vulner­ab­il­it­ies that risk the spread of malware and allow unau­thor­ized access to data being trans­mit­ted between Bluetooth-connec­ted devices. foot­note1_h4qou5k 1 See, e.g., Armis, Protect­ing the Enter­prise from Blue­Borne, 2017, https://go.armis.com/hubfs/Blue­Borne%20Tech­nical%20White%20Pa­per.pdf; Daniele Anto­nioli, Nils Ole Tippen­hauer, and Kasper B. Rasmussen, “The KNOB Is Broken: Exploit­ing Low Entropy in the Encryp­tion Key Nego­ti­ation of Bluetooth BR/EDR” (paper presen­ted at the 28th Usenix Secur­ity Symposium, Santa Clara, CA, Aug. 2019), https://www.usenix.org/confer­ence/usenix­se­cur­ity19/present­a­tion/anto­nioli.

Imple­ment proper secur­ity proto­cols when wire­less connectiv­ity is required. Elec­tion offi­cials using vote centers and multiple early-voting loca­tions may require some network connectiv­ity to share voter check-in inform­a­tion across several loca­tions. Addi­tion­ally, some e-poll­books may not fully func­tion if their wire­less connec­tions are elim­in­ated or disabled. For example, certain e-poll­books use Apple iPads, which rely solely on wire­less connectiv­ity for commu­nic­a­tion. If wire­less networks must be used, offi­cials should imple­ment secur­ity proto­cols, includ­ing encrypt­ing commu­nic­a­tion between e-poll­books and requir­ing strong pass­words that are changed after every elec­tion.

Ensure that systems are prop­erly patched as part of Elec­tion Day prepar­a­tions. E-poll­books must receive appro­pri­ate oper­at­ing system updates and soft­ware patches in advance of every elec­tion to protect against known cyber vulner­ab­il­it­ies. To determ­ine what patches are avail­able or recom­men­ded, elec­tion offi­cials should start by review­ing any guidelines or require­ments created by state or local govern­ment IT agen­cies. States and local­it­ies may develop their cyber­se­cur­ity require­ments on the basis of the National Insti­tute of Stand­ards and Tech­no­logy’s cyber­se­cur­ity frame­work. foot­note2_kj5n­qh4 2 National Insti­tute of Stand­ards and Tech­no­logy, “Cyber­se­cur­ity Frame­work,” accessed Nov. 20, 2019, https://www.nist.gov/cyber­frame­work. Adher­ing to these require­ments will ensure that elec­tion offi­cials are using best prac­tices for secur­ing elec­tion systems, protect­ing the person­ally iden­ti­fi­able inform­a­tion (PII) of voters, and preserving the integ­rity of voter data used on Elec­tion Day. Alerts from the Elec­tion Infra­struc­ture Inform­a­tion Shar­ing and Analysis Center (EI-ISAC) can also provide insights about recent vulner­ab­il­it­ies and emer­gency secur­ity patches.

Keep appro­pri­ate backup of e-poll­books in polling places. Paper backups of e-poll­books are the best resi­li­ency meas­ure in the event of an e-poll­book fail­ure. They allow poll work­ers to continue confirm­ing voters’ eligib­il­ity, dimin­ish the poten­tial for long lines, and may minim­ize the need to issue provi­sional ballots. While juris­dic­tions in 41 states and the District of Columbia (DC) use e-poll­books, our research indic­ates that only 11 states and DC form­ally require paper backups on Elec­tion Day, although several other states recom­mend the prac­tice or have counties that volun­tar­ily keep paper backups. foot­note3_ukok7lr 3 In our research, we found writ­ten paper backup require­ments for e-poll­books in 11 states and Wash­ing­ton, DC. These 11 states are Connecti­cut, Geor­gia, Michigan, Minnesota, New Jersey, North Caro­lina, Ohio, Pennsylvania, Rhode Island, South Caro­lina, and South Dakota. Missis­sippi and West Virginia have laws recom­mend­ing paper backups. In Nevada and Wyom­ing, backup paper poll­books are avail­able in prac­tice every­where e-poll­books are used, while in other states, like Color­ado, Kansas, and Texas, paper backups are avail­able in many juris­dic­tions. Arizona and Mary­land form­ally require that either paper or elec­tronic backups be avail­able, while Idaho has indic­ated that it makes this recom­mend­a­tion. A few other states require or recom­mend that elec­tronic backups be avail­able. New Hamp­shire mandates that a suffi­cient number of high-speed print­ers be avail­able to produce a backup paper check­list in the event of a system fail­ure but has not yet deployed its e-poll­book solu­tion. Durham County, North Caro­lina, exper­i­enced a signi­fic­ant fail­ure of e-poll­books in Novem­ber 2016, when many voters arrived at the polls to find that they had been marked on the e-poll­books as already having voted or were improp­erly marked as need­ing to provide addi­tional iden­ti­fic­a­tion. foot­note4_mht0qm8 4 Pam Fessler, “Russian Cyber­at­tack Targeted Elec­tions Vendor Tied to Voting Day Disrup­tions,” NPR, Aug. 10, 2018, https://www.npr.org/2017/08/10/542634370/russian-cyber­at­tack-targeted-elec­tions-vendor-tied-to-voting-day-disrup­tions. Voting was delayed for more than an hour and a half as the county prin­ted paper poll­books and delivered them. foot­note5_kipe56b 5 Fessler, “Russian Cyber­at­tack Targeted Elec­tions Vendor.” This delay could have been avoided if prin­ted poll­books had been sent ahead of time with other polling place mater­i­als. Pree­mpt­ively send­ing paper backup of e-poll­books to polling places obvi­ates the need for detailed logist­ics in case of e-poll­book fail­ure.

Juris­dic­tions should eval­u­ate their e-poll­book recov­ery proced­ures to ensure they will be easy for poll work­ers to follow and will not intro­duce new obstacles to voters cast­ing their ballots quickly. As the use of vote centers and other cent­ral­ized voting loca­tions increases, print­ing poll­books may create logist­ical and admin­is­trat­ive chal­lenges. These types of voting loca­tions may need other backup options, such as nonnet­worked devices from a differ­ent vendor that contain the entire list of registered voters for a juris­dic­tion, along with the correct ballot style and current status (i.e., voted, absentee, or not voted) for each voter. Another option is to produce a backup list on demand using high-speed print­ers. This backup proced­ure, which New Hamp­shire law calls for, could allow polling places to quickly trans­ition from malfunc­tion­ing e-poll­books to paper backups.

Provide suffi­cient provi­sional ballots and mater­i­als for two to three hours of peak voting. A key backup meas­ure for Elec­tion Day is to supply suffi­cient provi­sional ballots and provi­sional ballot­ing mater­i­als. It is prefer­able to issue regu­lar ballots to eligible voters if the e-poll­book system fails. However, it may not be possible to determ­ine voter eligib­il­ity in the event of such a fail­ure, espe­cially if backup paper poll­books are unavail­able or are found to contain errors. Provi­sional ballots ensure that indi­vidu­als can cast a ballot while provid­ing elec­tion offi­cials time to determ­ine their eligib­il­ity. These ballots should be coun­ted once offi­cials determ­ine eligib­il­ity, with no further action required of the voter. Having suffi­cient provi­sional ballots to account for two to three hours of peak voting activ­ity will allow voting to continue in the event of system fail­ures. foot­note6_ps1ecn0 6 Nich­olas Weaver, “Elec­tion Vulner­ab­il­ity: Voter Regis­tra­tion Systems,” Lawfare, Feb. 23, 2018, https://www.lawfareb­log.com/2018-elec­tion-vulner­ab­il­ity-voter-regis­tra­tion-systems. For the Novem­ber 2020 elec­tion, this will require enough provi­sional ballots for at least 35 percent of registered voters. foot­note7_iker­hjt 7 In the typical state, 35 to 45 percent of voters surveyed arrived at their polling place during the peak three hours of voting. Because histor­ic­ally high turnout is expec­ted in the 2020 elec­tions, we multi­plied this range by 90 percent, to estim­ate that emer­gency supplies to serve 30 to 40 percent of voters would be prudent, or 35 percent in the typical case. See Charles Stew­art III, 2016 Survey of the Perform­ance of Amer­ican Elec­tions: Final Report, Massachu­setts Insti­tute of Tech­no­logy, 2017, 343, http://www.legends­vote.org/wp-content/uploads/MIT-Charles-Stew­art-Voter-Turnout-Study-2016.pdf. While not enough to deal with an all-day prob­lem, it will provide suffi­cient time for other meas­ures to be imple­men­ted or addi­tional ballots and mater­i­als to be delivered. Contin­gency plans must provide for addi­tional mater­i­als to be delivered if the prob­lem cannot be resolved.

Train poll work­ers to imple­ment poll­book contin­gen­cies. Improper or insuf­fi­cient train­ing of poll work­ers can lead to voters being turned away, long lines, and ineligible indi­vidu­als cast­ing ballots. Poll worker instruc­tions for managing provi­sional ballots must specify how to handle e-poll­book fail­ures appro­pri­ately, includ­ing when to allow voters to cast a regu­lar ballot and when to issue provi­sional ballots instead. Whenever voter eligib­il­ity can be confirmed in a timely fash­ion through the use of appro­pri­ate backups, regu­lar ballots should be issued. The U.S. Elec­tion Assist­ance Commis­sion (EAC) provides a list of guidelines for poll work­ers regard­ing provi­sional ballots as well as some best prac­tices for poll worker account­ab­il­ity. Provi­sional ballot forms must clearly indic­ate the sections that should be filled out by voters, poll work­ers, and elec­tion staff, so each person knows what he or she needs to do. It is also import­ant to provide a clear list of circum­stances in which to use provi­sional ballot envel­opes, includ­ing on the envel­opes them­selves. In 2018, Virginia adop­ted new provi­sional ballot mater­i­als created in coordin­a­tion with the Center for Civic Design that illus­trate these best prac­tices. foot­note8_3w51e3k 8 Center for Civic Design, “Making Provi­sional Voting Easier in Virginia,” accessed Nov. 20, 2019, https://civicdesign.org/show­case/making-provi­sional-voting-easier-in-virginia.

More Resources

End Notes

Prevent and Recover from Voting Equipment Failures

Even under the best of circum­stances, equip­ment fail­ures occur. For digital or optical-scan voting systems, recov­ery in case of an equip­ment fail­ure can be relat­ively fast; as ballots are already prin­ted, voting can continue while the tabu­lator issue is resolved. As a Bren­nan Center report on voting machines notes, juris­dic­tions that rely on direct-record­ing elec­tronic (DRE) machines can face more prob­lems in the event of a fail­ure, since “voters may have to wait in long lines while elec­tion work­ers scramble to repair them.” foot­note1_3mgwh02 1 Lawrence Norden and Chris­topher Famighetti, Amer­ica’s Voting Machines At Risk, Bren­nan Center for Justice, 2015, 30, https://www.bren­nan­cen­ter.org/sites/default/files/public­a­tions/Amer­icas_Voting_Machines_At_Risk.pdf.

These prob­lems can occur when juris­dic­tions use ballot-mark­ing devices (BMDs) and ballot-on-demand (BOD) print­ers as well. In the event of a system fail­ure, these machines will not func­tion until repaired or replaced, and juris­dic­tions using them will need to print ballots in advance of the elec­tion to allow voting to continue. Regard­less of the voting system used, elec­tion offi­cials should conduct logic and accur­acy test­ing on all voting equip­ment prior to every elec­tion in order to minim­ize the chance of unfore­seen fail­ures on Elec­tion Day.

If using paper ballots, print enough ballots for all registered voters. Many elec­tion offi­cials using paper ballots decide how many ballots to print on the basis of prior elec­tion turnout or the percent­age of registered voters expec­ted to vote. This approach can result in ballot short­ages and leave juris­dic­tions unpre­pared for unex­pec­ted voter surges. This happened across the coun­try during the 2018 midterm elec­tions, when turnout reached historic levels, and many experts predict record-break­ing turnout in 2020. foot­note2_57xngy1 2 Henry Olsen, “We Could Have Record Turnout in the 2020 Elec­tion. We’re Not Ready for It,” Wash­ing­ton Post, Oct. 10, 2019, https://www.wash­ing­ton­post.com/opin­ions/2019/10/10/we-could-have-record-turnout-elec­tion-were-not-ready-it. To prepare, elec­tion offi­cials should print enough ballots for all registered voters. Juris­dic­tions that allow Elec­tion Day regis­tra­tion may require an even higher ballot supply.

If using voting systems that do not require preprin­ted ballots, print enough emer­gency paper ballots for two to three hours of peak voting activ­ity. Emer­gency ballots should be provided to voters who are iden­ti­fied as qual­i­fied and meet­ing all the require­ments for voting pursu­ant to state law but who are unable to vote due to a voting machine malfunc­tion. Emer­gency ballots are differ­ent from provi­sional ballots, which are given to voters whose eligib­il­ity is unclear. Emer­gency ballots should be coun­ted as soon as func­tional voting equip­ment becomes avail­able, without any addi­tional scru­tiny of voter qual­i­fic­a­tions, unlike provi­sional ballots, which may require research on voter eligib­il­ity. Print­ing enough emer­gency ballots for two to three hours of peak voting activ­ity will allow voting to continue until equip­ment can be repaired or replaced, or until addi­tional paper ballots can be delivered to a polling place. For the Novem­ber 2020 elec­tion, this will require enough provi­sional ballots for at least 35 percent of registered voters. Appro­pri­ate proced­ures should be put in place for chain of custody and account­ing for preprin­ted paper ballots.

DRE voting systems directly record, in elec­tronic form, voters’ selec­tions in each race or contest on the ballot. An increas­ing number of states and local juris­dic­tions have begun repla­cing anti­quated DREs with BMDs as the primary voting option. Others are increas­ingly using vote centers, which often rely on BOD print­ers to produce on-site any ballot style and language that might be needed for a partic­u­lar voter. Because these systems do not need preprin­ted ballots, elec­tion juris­dic­tions using DREs, BMDs, or BOD-prin­ted ballots as their primary voting option should preprint and distrib­ute emer­gency paper ballots that can be coun­ted by exist­ing tabu­lat­ors. There are 16 states that will use DREs as the prin­cipal polling place equip­ment in at least some juris­dic­tions in 2020. foot­note3_g887qkf 3 These 16 states are Arkan­sas, Indi­ana, Illinois, Kansas, Kentucky, Louisi­ana, Missis­sippi, Nevada, New Jersey, North Caro­lina, Ohio, Texas, Tennessee, Utah, Wyom­ing, and West Virginia. Three states that have recently used DREs — Geor­gia, South Caro­lina, and Pennsylvania — have commit­ted to repla­cing them by 2020. However, at least seven do not mandate that paper ballots be made avail­able in the event of DRE fail­ure. foot­note4_tolz6n3 4 We have iden­ti­fied the follow­ing states where there are no provi­sions mandat­ing that paper ballots be made avail­able in the event of DRE fail­ure: Kansas, Nevada, North Caro­lina, Texas, Utah, West Virginia, and Wyom­ing. While not required by stat­ute, polling places in some of these states may provide some form of emer­gency paper ballots when systems go down. For instance, Kansas requires counties to keep an addi­tional supply of ballots to meet any emer­gency need for such ballots, although machine fail­ure is not specific­ally listed; Nevada requires each local elec­tion offi­cial to submit a plan for the use of absentee ballots in case of an emer­gency; Texas advises its counties to adopt proced­ures to provide emer­gency paper ballots in the event of DRE machine fail­ure; Utah allows the provi­sion of emer­gency paper ballots; and West Virginia counties have contin­gency plans in the event of machine fail­ure.

In vote centers that have a large number of ballot styles, preprin­ted emer­gency ballots for at least the precincts closest to that vote center should be stocked. Vote centers can also be stocked with master copies of emer­gency paper ballots in all neces­sary styles and languages, along with a photo­copier to repro­duce them in emer­gency situ­ations.

Tabu­lat­ors should be programmed to accept and read both ballots produced by the BMD/BOD print­ers and preprin­ted emer­gency ballots. Preelec­tion test­ing should verify that the tabu­lat­ors prop­erly identify and record both types of ballots.

Develop proced­ures to manage and track malfunc­tion­ing equip­ment or equip­ment fail­ure. Machines that appear to be malfunc­tion­ing or improp­erly calib­rated should be taken out of service and addi­tional voting equip­ment deployed to the polling place or vote center. Recal­ib­rat­ing DRE touch screens or conduct­ing any other neces­sary voting equip­ment repairs should be done in full view of observ­ers. Any reports from voters of machine errors should be tracked and imme­di­ately repor­ted to the cent­ral elec­tion office. Elec­tion offices should review and compare these reports across voting loca­tions to identify trends that could indic­ate wide­spread prob­lems, includ­ing poten­tial cyber­at­tacks. Train­ing should ensure that poll work­ers under­stand the process for count­ing ballots, includ­ing poten­tially hand-count­ing ballots, if equip­ment fail­ure cannot be resolved before voting ends.

Commu­nic­ate with voters to build trust in the elec­tion process. Elec­tion offi­cials should preprint signage that will allow poll work­ers to inform voters of equip­ment fail­ures in a manner that is consist­ent across loca­tions and approved by the elec­tion office. On Elec­tion Day, poll work­ers should ensure that voters are not direc­ted to use machines that are suspec­ted of produ­cing erro­neous records.

Poll work­ers should also take steps to make sure that voters accur­ately recor­ded their selec­tions on their ballots. When using hand-marked paper ballots that are coun­ted without the help of an optical scan­ner, poll work­ers should remind voters to check their ballots to prevent over­votes, which occur when voters make more selec­tions than the number allowed. When using DREs with a voter-veri­fi­able paper audit trail (VVPAT) or BMDs, poll work­ers should clearly explain to voters how their ballots will be cast and remind them to verify that the paper prin­tout matches the selec­tions they made on the machine. For example, when using BMDs that print a ballot that must then be scanned by a separ­ate machine, poll work­ers should say to voters, after their ballot has been prin­ted and before it is cast: “Don’t forget to check the prin­ted ballot care­fully. If you see some­thing wrong, you can get a replace­ment. Then you’ll go [over there] to cast it.”

Take steps to prevent late polling place open­ings due to equip­ment fail­ures. Inop­er­able voting equip­ment should not prevent the timely open­ing of a polling place. Late polling place open­ings can lead to long lines and voters leav­ing without an oppor­tun­ity to cast a ballot. foot­note5_lwd3qog 5 For example, during New York’s June 2018 federal primary elec­tion, a voter was reportedly unable to vote because an elec­tion worker had not yet activ­ated voting equip­ment. The voter was not offered an emer­gency ballot before having to leave the polling place. See Jake Offen­hartz, “Voters Report­ing Closed Poll Sites and Other Primary Day Confu­sion,” Gotham­ist, June 26, 2018, http://gotham­ist.com/2018/06/26/voters_primary_confu­sion_nyc.php. Poll work­ers should be trained to deal with equip­ment fail­ures occur­ring on the morn­ing of Elec­tion Day. Voters should be allowed to vote using emer­gency paper ballots if voting equip­ment is not oper­able when the polls open. Poll work­ers should explain to voters how their ballots will be coun­ted once work­ing voting equip­ment becomes avail­able.

Plan to assist voters with disab­il­it­ies if voting machines fail. If access­ible voting machines fail and paper ballots are used instead, disabled voters may not be able to vote privately and inde­pend­ently. Juris­dic­tions with suffi­cient resources should have backup access­ible voting equip­ment, with all ballot styles avail­able (similar to what would be used at a cent­ral voting site for early voting), geograph­ic­ally dispersed so that it can be rapidly delivered to any polling place where access­ible equip­ment has failed. In the longer term, juris­dic­tions might consider provid­ing each polling place with access­ible tablets and print­ers to be used by voters with disab­il­it­ies in the event of equip­ment fail­ure. foot­note6_x5o5ge8 6 States like Oregon have adop­ted remote access­ible voting by mail without requir­ing access to the inter­net to mark the ballot. Juris­dic­tions may want to consider having such systems avail­able in the polling place in the event of machine fail­ures. See State of Oregon, “Voting Instruc­tions for Voters with a Disab­il­ity,” accessed Nov. 20, 2019, https://sos.oregon.gov/voting/Pages/instruc­tions-disab­il­it­ies.aspx. Poll work­ers should be appro­pri­ately trained on any backup systems used to provide access­ib­il­ity.

More Resources

End Notes

Prevent and Recover from Voter Registration System Failures and Outages

Voter regis­tra­tion systems main­tain offi­cial lists of registered voters, includ­ing all voter inform­a­tion and district assign­ment inform­a­tion. The statewide systems usually serve addi­tional elec­tion-manage­ment purposes as well, such as processing absentee ballots. A fail­ure of the regis­tra­tion system on or near Elec­tion Day can cause prob­lems produ­cing files for paper poll­books or e-poll­books, using voter inform­a­tion lookup tools, or valid­at­ing provi­sional ballots imme­di­ately after the elec­tion.

Estab­lish a 60-day preelec­tion black­out window for all noncrit­ical soft­ware updates and patches. These windows increase the like­li­hood that program­ming errors, viruses, or other prob­lems will be discovered in a timely manner prior to Elec­tion Day. Sixty days provides suffi­cient time before the close of voter regis­tra­tion or the start of absentee voting to identify whether installed patches or updates have created unin­ten­ded system issues. Even updates that do not directly impact voter regis­tra­tion data­bases, such as server patch­ing, network­ing equip­ment upgrades, and local­ity tele­com­mu­nic­a­tions system changes, may impact a local elec­tion offi­cial’s abil­ity to access the state voter regis­tra­tion data­base. There­fore it is crit­ical that these black­out dates be estab­lished and commu­nic­ated with relev­ant staff to prevent poten­tial issues on or shortly before Elec­tion Day. The plan should include a process for emer­gency updates during the black­out window, indic­at­ing who will author­ize the emer­gency update and how it will be tested prior to rollout.

Subject the system peri­od­ic­ally to inde­pend­ent vulner­ab­il­ity test­ing. States can either part­ner with the Depart­ment of Home­land Secur­ity or engage outside cyber­se­cur­ity consult­ants to test the system for vulner­ab­il­it­ies on a peri­odic basis. Vulner­ab­il­ity test­ing should be conduc­ted well in advance of an elec­tion, and at least quarterly, to provide suffi­cient time to resolve any poten­tial vulner­ab­il­it­ies that are discovered. While the specific results of vulner­ab­il­ity test­ing need not be released so as to main­tain system secur­ity, offi­cials should be trans­par­ent about what entity conduc­ted the test­ing and what stand­ards it used.

Main­tain backup copies of digital records off-line in case online access is limited. In the lead-up to the elec­tion, local offi­cials should down­load an elec­tronic copy of voter inform­a­tion on a daily basis and store it securely, so that they have the most recent inform­a­tion in case the voter regis­tra­tion system becomes unavail­able. This can be used to conduct research on provi­sional ballots after the elec­tion.

Provide voters with tools to look up their voter regis­tra­tion status online and conduct outreach to urge voters to use the tool in advance of any regis­tra­tion dead­line. Voters can provide crucial inform­a­tion about undesired changes to their regis­tra­tion, includ­ing address changes they did not request, which could be an early indic­ator of a possible breach. Encour­aging voters to check before a dead­line ensures that prob­lems can be resolved in a timely fash­ion. It may also reduce pres­sure on poll work­ers on Elec­tion Day.

Provide voters with tools to look up their polling place inform­a­tion online, and make altern­at­ive websites avail­able. In case a voter lookup tool fails, elec­tion offi­cials should be prepared to provide links to other polling place lookup tools, such as the Voting Inform­a­tion Project (VIP), an inde­pend­ent entity that provides inform­a­tion to voters using offi­cial data. New Jersey success­fully used VIP to provide inform­a­tion to voters after Hurricane Sandy made state systems unavail­able and neces­sit­ated a large number of polling place changes in advance of the 2012 elec­tion. foot­note1_55fpy7z 1 Susan K. Urahn, “Collab­or­a­tion, Tech­no­logy and the Lessons of Elec­tion Day,” Govern­ing: States and Local­it­ies, Jan. 16, 2013, https://www.govern­ing.com/columns/mgmt-insights/col-collab­or­a­tion-tech­no­logy-voting-inform­a­tion-access­ib­il­ity.html. Using tools such as VIP for polling place look­ups, instead of sites that depend on statewide regis­tra­tion systems, also reduces the load on state serv­ers at busy times in the elec­tion season. This requires provid­ing accur­ate polling place data to the backup site in advance of elec­tions and confirm­ing that the backup site is work­ing correctly.

More Resources

End Notes

Prevent and Recover from Election Night Reporting System Failures and Outages

Local and state offi­cials usually post unof­fi­cial results on elec­tion night. While this inform­a­tion does not reflect the certi­fied results, large differ­ences between unof­fi­cial elec­tion night results and the final outcome can create ques­tions for voters about the accur­acy of the process. Elec­tion night report­ing sites are prime targets for denial of service (DoS) attacks because the sites’ high-use period is known ahead of time, and prevent­ing access to unof­fi­cial results can create negat­ive media atten­tion about the elect­oral process. A hotly contested race can intensify interest in the elec­tion results, and a large increase in visit­ors to a report­ing site in a short period can like­wise bring down the site.

Estab­lish redund­an­cies. Some states, includ­ing Arizona and Virginia, exper­i­enced elec­tion night report­ing fail­ures in the 2014 midterm elec­tions. foot­note1_y121x1c 1 Eyragon Eidam, “Is Your Elec­tion Night Report­ing System Ready for 2016?” Govern­ment Tech­no­logy, Dec. 21, 2015, http://www.govtech.com/state/Is-Your-Elec­tion-Night-Report­ing-System-Ready-for-2016.html. Address­ing the system fail­ures after the elec­tion, several of these states estab­lished a redund­ant system that can be made avail­able if the main system fails. foot­note2_e9sal6d 2 Eidam, “Is Your Elec­tion Night Report­ing System Ready?”

Do not connect elec­tion night report­ing systems to voting systems or the statewide regis­tra­tion system. Elec­tion night report­ing systems (ENRs) are attract­ive targets for cyber­crim­in­als and other nations. Bad actors have success­fully attacked ENRs around the world, includ­ing in Ukraine, Bulgaria, and more recently the United States. By publish­ing unof­fi­cial results through an uncon­nec­ted system, elec­tion offi­cials can minim­ize the poten­tial that a targeted attack on the report­ing system will have any last­ing impact. Knox County, Tennessee, exper­i­enced a DoS attack linked to foreign IP addresses during its May 1, 2018, primary elec­tions. Although this attack likely served as a distrac­tion from a separ­ate attack on the county’s serv­ers, the report­ing website itself did not provide an avenue for future disrup­tion. The county’s deputy director of IT noted that its report­ing system is “not connec­ted to any live data­bases. . . . It’s a repos­it­ory for being able to report to the public, and we have inten­tion­ally kept any primary data extremely isol­ated.” foot­note3_zwkteel 3 Sam Levine, “Hack­ers Tried to Breach a Tennessee County Server on Elec­tion Night: Report,” Huff­ing­ton Post, May 11, 2018, https://www.huff­post.com/entry/knox-county-elec­tion-cyber­at­tack_n_5af5ca21e4b032b10b­fa56ee; and Tyler Whet­stone, “Knox County Elec­tion Night Cyber­at­tack Was Smokescreen for Another Attack,” Knox News, May 17, 2018, https://www.knoxnews.com/story/news/local/2018/05/17/knox-county-elec­tion-cyber­at­tack-smokescreen-another-attack/620921002/.

More Resources

End Notes

Communication Strategy

All good contin­gency plans include a commu­nic­a­tion plan. At its core, a commu­nic­a­tion plan is inten­ded to assist elec­tion offi­cials in distrib­ut­ing essen­tial inform­a­tion in a timely manner and main­tain­ing public confid­ence in the elec­tion’s admin­is­tra­tion. Commu­nic­a­tion plans are import­ant in all unex­pec­ted situ­ations, from equip­ment fail­ures to poten­tial cyber­at­tacks to unin­ten­tional errors.

Draft, review, and approve a commu­nic­a­tion plan prior to Elec­tion Day. Keep­ing voters, poll work­ers, and others informed minim­izes the harm that could arise on Elec­tion Day in the event of negat­ive devel­op­ments. The most basic commu­nic­a­tion plan includes key staff and contacts. A more detailed strategy may include vari­ous response options for poten­tial prob­lems as well as longer-term consid­er­a­tions, such as noti­fic­a­tion require­ments in the event personal voter inform­a­tion has been leaked.

Provide a public website for emer­gency commu­nic­a­tions. Offi­cials should publi­cize links where emer­gency inform­a­tion will be posted on Elec­tion Day, possibly includ­ing offi­cial social media accounts used by state and local elec­tion offi­cials. These can serve as offi­cial sources where voters, candid­ates, media, and advocacy organ­iz­a­tions can find inform­a­tion regard­ing exten­ded polling place hours, polling place relo­ca­tions, and other emer­gency inform­a­tion. Doing this in advance of an elec­tion will make emer­gency commu­nic­a­tions easier for elec­tion offi­cials.

Be trans­par­ent but care­ful. As the Belfer Center for Science and Inter­na­tional Affairs suggests, “Trans­par­ent commu­nic­a­tion builds trust, but in a cyber incid­ent, you will have few facts at hand, espe­cially at the outset. Public comments should demon­strate that you are taking the issue seri­ously but avoid provid­ing any details that may change as the invest­ig­a­tion progresses, so you don’t have to correct your­self down the line. Avoid spec­u­la­tion on the perpet­rator of the incid­ent.” foot­note1_8pmdoze 1 Siobhan Gorman et al., Elec­tion Cyber Incid­ent Commu­nic­a­tions Coordin­a­tion Guide, Belfer Center for Science and Inter­na­tional Affairs, 2018, 12, https://www.belfer­cen­ter.org/sites/default/files/files/public­a­tion/Commu­nic­a­tionsGuide.pdf.

More Resources

End Notes

Acknowledgments

The Bren­nan Center grate­fully acknow­ledges Carne­gie Corpor­a­tion of New York, Change Happens Found­a­tion, Craig Newmark Phil­an­throp­ies, Lee Halprin and Abby Rock­e­feller, the JPB Found­a­tion, Leon Levy Found­a­tion, Open Soci­ety Found­a­tions, Rock­e­feller Broth­ers Fund, and Wallace Global Fund for their gener­ous support of our elec­tion secur­ity work.

The authors would like to thank the many colleagues who collab­or­ated in prepar­ing this tool kit. Derek Tisler, Chris­topher Deluzio, and Wilfred Codring­ton contrib­uted crucial research and edit­or­ial support to this project. Research and Program Asso­ci­ates Brianna Cea, Shyamala Ramakrishna, and Andrea Córdova McCad­ney merit special thanks for their sustained assist­ance in research­ing, fact-check­ing, and edit­ing.

We are also indebted to the many experts and offi­cials whose know­ledge and feed­back helped shape this tool kit. We grate­fully acknow­ledge the follow­ing indi­vidu­als for shar­ing their insights: Pam Smith, senior adviser, Veri­fied Voting; Whit­ney Quesen­bery, codir­ector, Center for Civic Design; Dana Chis­nell, codir­ector, Center for Civic Design; Marcia John­son-Blanco, codir­ector, Lawyers’ Commit­tee for Civil Rights Under Law; Laura Grace, elec­tion protec­tion manager, Lawyers’ Commit­tee for Civil Rights Under Law; Michelle Bishop, disab­il­ity advocacy special­ist for voting rights, National Disab­il­ity Rights Network; Aquene Freech­ild, campaign codir­ector, Public Citizen; Emily Berger, senior fellow, Public Citizen; Susan­nah Good­man, director of elec­tion secur­ity, Common Cause; Neal Kelley, regis­trar of voters, Orange County, Cali­for­nia; Noah Praetz, director of elec­tions, Cook County, Illinois; Matthew Davis, former chief inform­a­tion officer, Virginia Depart­ment of Elec­tions; Dana DeBeau­voir, county clerk, Travis County, Texas; Genya Coulter, precinct clerk at Polk County [Flor­ida] Super­visor of Elec­tions; Tonia A. Tunnell, director of govern­ment rela­tions, Mari­copa County [Arizona] Record­er’s Office and Elec­tions Depart­ment; Maribeth Witzel-Behl, city clerk, Madison, Wiscon­sin; Richard Rydecki, assist­ant admin­is­trator, Wiscon­sin Elec­tions Commis­sion; Susan Green­halgh, national policy director, National Elec­tion Defense Coali­tion; and Maurice Turner, senior tech­no­lo­gist, Center for Demo­cracy & Tech­no­logy.