Study details steps to secure elections
IU researchers say paper ballots, other measures can boost voters’ confidence
To secure elections, paper ballots and risk-limiting audits are needed and systems have to be established to contain the spread of misinformation, a recent Indiana University Bloomington study has found.
“Defending Democracy: Taking Stock of the Global Fight Against Digital Repression, Disinformation, and Election Insecurity,” a research paper published by Indiana University Bloomington professors, compares the U.S. to other democratic countries in how each responds to election hacking and the spread of disinformation — and found ways the U.S. can improve its response.
“No system is perfect,” Scott Shackelford, author and chairman of Indiana University Cybersecurity Program, said. “But the trick is, as with so many things in life, just mitigating the risk and just making it a more manageable problem.”
Election security is discussed in two interconnected yet separate areas of research: the security of the system itself, like voting machines and tabulation systems, and digital repression, which includes misinformation on social media platforms. The study found that Russia and China are two main players in hacking elections in other countries.
In the U.S., 14 states use paperless ballots, “preventing an effective post-election audit in the aftermath of a cyber-attack,” according to the study.
Many states and local governments have stepped up to ensure a paper trail exists, including Virginia switching to a statewide paper ballot system and Indiana passing a plan to phase out paperless voting machines fully by 2029, according to the study.
“Among the first lines of defense of election infrastructure security lies primarily in the hands of private voting machine manufacturers, who despite the various stress tests required by many states, produce equipment that may still contain vulnerabilities that can go undetected,” according to the study.
Some steps have been taken to ensure voting machines are safe from cyber attacks, like manufactures not selling paperless machines to localities that do not have paper voting machines as their primary machines and universities helping to certify and test voting machines, according to the study.
A powerful tool to boost confidence in an election, Shackelford said, are risk-limiting audits, in which a statistically significant sample of ballots is compared to the reported results “and that gives you a very clear indication of whether or not anything fishy is
going on without needing to do a manual recount of all the votes that are cast.”
Only a handful of states do audits, Shackelford said, including Colorado and Rhode Island. Another boost in confidence, Shackelford said, would be to automatically register voters when they are 18 years old, which could also increase voter turnout.
Porter County Clerk Jessica Bailey said the county received new voting machines in 2019 that prints out a ballot after a voter marks their choices on voting machine. The voter can verify everything is marked correctly before putting the printed ballots into a tabulating machine, which holds the ballots in a secure box, she said.
The stored ballots would help officials recount votes, if needed, if something were to happen to the machines, Bailey said.
Porter County had to complete a risk-limiting audit following the 2018 election, which saw delayed election results, 12 precincts that stayed open later than planned because they didn’t open on time and absentee ballots not being distributed to precincts to be counted by the time polls closed.
During the audit, the county gathered all ballots in precinct order, Bailey said. Then, eight bipartisan counting teams — four teams made up of county voters and four teams made up of voting machine officials — began going through a statistically probable amount of ballots, Bailey said.
“It was pretty scientific,” Bailey said.
Given the recent study, Bailey said she would agree that paper ballots and risk limiting audits keep elections secure.
“Everybody wants to make sure that their vote counted. Everybody wants to know it was a secure and safe election,” Bailey said.
Lake County Election and Voter Registration Board Director Michelle Fajman said that voters in Lake County don’t vote on a paper ballot, but each voting machine prints an internal audit sheet that tabulates votes.
That way, Fajman said, if there is an issue with a machine or a recount is requested, a paper trail is available. If needed, election officials can print out tapes - that look like long receipts - to go over vote totals from each precinct.
“You can go back and rebuild election results based on the tapes,” Fajman said.
In 2018, Chinese hackers successfully attacked “every layer of Australian government, right down to local councils,” according to the study. The biggest shift Australia made, Shackelford said, was reclassifying its political parties as critical infrastructure.
Australia differs from the U.S. in that voting is mandatory and people get fined for not voting, Shackelford said. Additionally, all Australians vote on paper, their votes are tallied by hand, and “a robust Electoral Commission oversees the process to check for irregularities,” according to the study.
“That means that there is a lot more checks, a lot more security, kind of built in throughout this process. We have, frankly, a more hodgepodge approach here in the states,” Shackelford said.
In the European Union, many countries have “minimized the use of technology in elections,” and the European Parliament adopting the Network Information Security Directive, which was the first comprehensive piece of European Union cyber security legislation, in 2016, according to the study.
To address digital repression, the European Commission pushed Facebook, Google and Twitter to sign the code of practice on disinformation, which committed the companies to increase “transparency around political and issue-based advertising,” according to the study. The code requires, in part, the creation of safeguards against misrepresentation and misuse of automated bots, according to the study.
Since then, the technology industry has agreed “to self-regulatory standards to fight disinformation,” according to the paper. The companies have set up “searchable political-ad databases” and take down “disruptive, misleading or false” information, as well as reject ads that are inconsistent with election integrity policies, according to the paper.
But, the U.S. government’s response to misinformation “remains nascent, which is in part due to demanding requirements of the First Amendment and deep divisions about the proper role of the federal government in policing content,” according to the IU study.
“So far, we’ve left it up to these platforms to figure out for themselves what to do about this,” Shackelford said. “The real issue is when it’s the state coming in and talking about the censorship of speech that you’re going to run up against First Amendment concerns, especially depending on the new make up of the Supreme Court, those could find a receptive audience.”
Beginning to follow other countries, the U.S. did create an information sharing and analysis center for election officials to share cyber threat information and best practices, Shackelford said.
Abbey Stemler, an author of the study and a faculty associate at Harvard University’s Berkman Klein Center for Internet and Society, said academics, computer scientists and hacktivists — hackers who use their skills to bring about political and social change — should be apart of discussions on how to secure elections “to detect vulnerabilities.”
“We need to figure out a way to solve that problem together, because when you have each jurisdiction trying to do the best they can we’re not enjoying the efficiencies of collective action and collective focus on the problem,” Stemler said. “We need computer scientists, hackers and other academics to be heard because they often feel ignored.”
When a group, foreign or domestic, wants to spread misinformation or hack elections, their main goal is to undermine confidence in elections, Shackelford said. So, while there are vulnerabilities, Shackelford said voters should still cast a ballot.
“By not voting, frankly, you’re letting those groups win. The most important thing is to exercise your franchise,” Shackelford said. “By and large, I do have a tremendous amount of confidence in state and local election officials across the country to ensure that this process is played out with a great deal of integrity.”