Report finds paper ballots are the future of election security
No one was more surprised than Pitt Cyber’s David Hickton to discover that the future of election security is paper.
Not the hanging chads that caused chaos in the 2000 presidential election, but hand-marked paper ballots for mandatory postelection audits.
Yet there was Mr. Hickton, founding director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security, stating definitively that there is no digital solution to election hackers that will work better than a papertrail backup.
That is the main conclusion of the independent, bipartisan Blue Ribbon Commission on Pennsylvania Election Security that released on Jan. 28 after an eightmonth study. Mr. Hickton, the former U.S. attorney for the Western District of Pennsylvania, and Paul McNulty, president of Grove City College, convened the study that was hosted by Pitt Cyber and conducted in collaboration with Verified Voting and Carnegie Mellon University’s Software Engineering Institute.
On Sunday, Mr. Hickton and fellow commission member Sharon Werner, who was chief of staff to then-U.S. Attorneys General Eric Holder and Loretta Lynch, presented the study at the Barbara Daly Danko Forum, cosponsored by the 14th Ward Independent Democratic Club and the 14th Ward Committee.
Mr. Hickton’s next stop is Harrisburg.
“I will be hand-delivering the report to Gov. [Tom] Wolf within a week,” he said.
The commission’s focus was “not about gerrymandering or voter ID or all the ways the system can be hacked,” Mr. Hickton told a gathering of local elected officials and concerned citizens at CMU’s Simmons Auditorium. “It is about giving the state of Pennsylvania
something it can use.”
Some of the commission’s findings were laid out by Mr. Hickton in a Pittsburgh Post-Gazette op-ed on Dec. 16.
The goal was to assess the cybersecurity of Pennsylvania’s election architecture, including voting machines and management systems, the registration system and resilience and recovery in the instance of a cyberattack.
The final report’s recommendations include issuing bonds to help counties purchase updated voting systems with paper ballots as mandatory post-election audits and election emergency plans before the 2020 presidential election.
When the commission released its interim recommendations last year, before the midterm elections, it had urged immediate action. That earlier report began, “There is no publicly available evidence of successful hacking of the 2016 [U.S.] elections, in Pennsylvania or elsewhere. However, there is also no question that Pennsylvania’s elections, like other states, are under threat.”
Ms. Werner demonstrated how serious that threat is by showing a video made by J. Alex Halderman, a University of Michigan professor and expert hacker. He held a mock election for students at his school to vote on whether they prefer Michigan or rival Ohio State, using the Direct Recording Electronic, or DRE, machines used in most states.
He then uses his hacking skills to change what should have been a Michigan landslide to an Ohio State win.
The news has been filled with election security concerns besides hacking. Mr. Hickton mentioned the use of subcontractors, such as the case in Maryland where the FBI discovered links between a Russian oligarch and the software company that services parts of that state’s voter registration systems.
And that brings us back to paper.
The commission estimates that a statewide overhaul of the system, including paper ballots, would cost Pennsylvania $125 million, or $9.76 per person.
As he gets set to go to Harrisburg, Mr. Hickton said cooperation in working with the offices of the governor and Allegheny County Executive Rich Fitzgerald has been “fantastic.”
Mr. Fitzgerald recalled supporting a paper-trail audit when he was on Allegheny County Council, but “that was not allowed when we bought the machines 15 years ago. The State Department disallowed that. They changed that a few years ago, and now they are requiring it.”
He said “there are a lot of good things” in the commission report, but added, “People should know that the county system is not hooked up to the internet, so … there’s reason for confidence in the system. But we can do some things to upgrade the system and do things as far as it being paper-verified.”
“I take the threats as a given, and you should, too,” Mr. Hickton said of election security. “We cannot control what the threats are going to look like. What we can control is what we do to protect ourselves.”