election security

Mail-in ballots during COVID crisis necessary, but with risk says expert

Noted election security researcher Harri Hursti says mail-in voting is likely the only option for a safe, secure US presidential election, but voter and election worker training needed.

A United States postage stamp displayed against a background of red, white and blue question marks.
Simon2579 / TostPhoto / Getty Images

election security

Show More

One of the foremost topics facing the nation, the security of the 2020 presidential election, has been obscured by the COVID-19 pandemic. Cybersecurity company Grimm brought the topic to the forefront during its virtual GRIMMcon event held April 14 by inviting noted election security specialist, hacker and researcher Harri Hursti to offer his take on the state of US election security.

HBO’s documentary on the weakness of the US election system called Kill Chain, which premiered in late-2019, follows Hursti as he travels the world and across the US exposing voting insecurities. CSO caught up with Hursti after his GRIMMcon talk to discuss the state of US election security, the feasibility of mass mail-in voting during the COVID-19 pandemic, and whether new voting machine standards under development by a revived Election Assistance Commission could make a difference in election security.

US election infrastructure still outdated

Hursti says that despite years of warning and repeated demonstrations of the insecurity of voting systems, “a lot of the infrastructure in the United States has not even been updated since 2002. Nothing has changed since the Help America Vote Act of 2002. The majority of systems are running 2004, 2005 deployments. The vast majority of systems are old and have not been updated.”

Hursti thinks a lot of bad ideas are helping to keep voting systems insecure. An argument has cropped up that the diverse panorama of systems in use, and the widespread crazy quilt of jurisdictions, keep elections secure from hackers. This notion is merely a false sense of security, Hursti says. “Those arguments are not real because of the actual centralization of the voting systems companies.”

Another false argument, according to Hursti, is that voting systems are secure because they are not connected to the internet. “The claim that voting systems are not connected to the internet are categorically wrong. Voting systems are connected to the internet, directly or indirectly.”

Yet another disproven argument is that elections systems are protected by seals and by locks, thereby barring access to those who want to tamper with the systems. “On many occasions, the seals are not installed,” Hursti says.

Risk-limiting audits can mitigate unsolved voting problems

These and other chronic problems that have plagued US elections have yet to be solved. “We have to understand what all is broken so that we can start to think about what the future systems would look like so we can mitigate against this,” Hursti says. “Today, we don’t have anything better than paper ballots. US elections are uniquely complex, and you cannot do elections without technology. While we have to improve the technology, we cannot trust it.”

Instead, what election supervisors and political leaders should push for are risk-limiting audits, Hursti says, echoing what virtually all election security experts recommend. Risk-limiting audits are a means of checking on whether computer tallied election results are accurate by comparing a statistically representative sample of paper ballots to the computer records for those ballots.

Mail-in voting an imperfect COVID response

In the meantime, the COVID-19 pandemic threatens the prospect of in-person voting in most, if not all, jurisdictions in the US for the rest of the year, giving rise to the suggestion that all voting in this year’s presidential election should be conducted by mail. “I don’t think the mail ballot is a desirable method in normal circumstances,” Hursti says, “but I don’t think we have much of an option. Right now, plans should be put into place in anticipation that this needs to happen.”

Those plans should address the known risks of mail-in voting, which include voter coercion and mismanagement of voter centers, which are places that many jurisdictions set up so that voters can drop ballots off in a central location. Voter training is necessary, Hursti says. “A lot of things have to be explained to voters,” such as how to ensure their mail-in ballots are valid.

Local jurisdictions also need a lot of training. In a recent election in Florida, for example, half of the counties followed the instructions of the secretary of state in terms of deciding how to count votes, and the other half did not and tossed out some valid votes as “overvotes.” “You have to follow the process to the letter if you want to make sure your votes count.”

Finally, there is the much-disputed risk of so-called “ballot harvesting,” a voting fear usually raised by Republicans. This harvesting consists of going around neighborhoods and collecting mostly absentee ballots from mailboxes. The only known case where this harvesting occurred was in North Carolina, where a campaign consultant for a Republican running for Congress faced felony charges for collecting absentee ballots.

Voting equipment standards updated

A little-noted element of election security is the voluntary set of standards established by the US Elections Assistance Commission (EAC) that offer blueprints for voting equipment manufacturers to follow to ensure reasonable system security. Late last month, the EAC put out for comments upgrades to those standards, the Proposed Voluntary Voting System Guidelines 2.0 Requirements.

Although impressive sounding and rooted in good intentions, the upgraded standards won’t have much of an impact because they are voluntary, Hursti says. “One of my colleagues checked about a year ago. He found zero systems that met the 1.1 standards. We have a lot of grandfathered systems which have never even met the 1.0 standards.”

“The other part is that the EAC was defunded and without a quorum for years, so there are systems for those years that states needed and circumvented the EAC standards.” Until February 2019, the much-neglected EAC had failed for nearly ten years to achieve a quorum that would have enabled progress on a host of security matters.

However secure or insecure America’s elections systems are today or might be in the future, the fact remains that for the 2020 election, voters will likely have to turn to pen and paper to register their choices. “We really don’t have a choice now,” Hursti says. “Under normal circumstances, mail-in ballots are not desirable, but under COVID-19, it’s our only choice.”

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)