#PITUN2020 Takes on Election Security

Like a chronic cough that just won’t quit, election security is all many people can think about these days, even though the 2020 election came and went a month ago. On November 13, the topic was fresh on the minds of PIT-UN 2020 attendees, especially those attending that day’s Election Security keynote.

During that event, moderator and election security expert Maurice Turner asked attendees — all of whom are Public Interest Technology University Network members — to discuss how American elections are different than those overseas, how the 2020 elections were different than previous years, how election officials can protect voter and election data, and why Americans should feel confident that the 2020 elections were safe and secure.

The event was more than 90 minutes long. Below, find excerpts from that discussion. Want to watch the entire conversation? Click play above to see more.

Maurice Turner: How do elections work in American in 2020?

Robin Carnahan, fellow, Georgetown University’s Beeck Center for Social Impact and Innovation: If you think about how elections are run they're kind of a miracle in and of themselves because you have…more or less 150 million people wanting to do the same thing on the same day…you're having basically volunteers or part-time workers that are the ones who are treating those customers. Everybody wants to understand the rules, but the average age is 72 of poll workers in our country who have very limited training. And the rules are changing all the time and the machines are changing.Voters want to get in and out in 10 minutes. Ballots are long, and the press wants to get results 30 minutes after polls close so if you think about all of that in a normal election it's a little crazy to think about and then you layer a pandemic on top of that and it makes it really mind-blowing that we got through this as well as we did because we needed to have both safe and secure elections.

Maurice Turner: What does it mean to be able to protect that kind of data so voting officials actually have access to it and the voters can have convenient access to be able to register?

Bruce Schneier, Fellow & Adjunct Lecturer in Public Policy, Harvard’s Kennedy School of Government: Registration is an interesting process. Many countries don't have it. When you become voting age you're automatically eligible to vote. Registration itself is a holdover to suppress votes. It's another barrier that people have to overcome. Certainly disproportionately [it] affects those who are poor, who don't have time. It is a database of people who can vote. In the U.S. we have a lot of databases of citizens. You can think of state databases of people who can drive, national databases, Social Security databases. And yes, it’s vulnerable. The OPM database was hacked by the Chinese a few years ago. We know that Russians have infiltrated it although it seems they have not done any modifications to voter registration databases in the U.S. There's really a lot of good work being done by Latanya Sweeney and others. She's a professor at Harvard looking at the security of those databases from changes. So one of the ways they can be attacked is someone can go in and change your address or your party affiliation, which will affect primaries. We're trying to balance convenience — people want to update their address online or want to update the party affiliation — with security…this year we were worried that there would be attacks against voter registration databases, which could result in chaos. How do you get people interested in cybersecurity and how do you recruit students to work on these interesting problems?

Maurice Turner: What are some of the ways that either local election officials or other organizations can help strengthen that infrastructure so they're better protected against attacks against the voter registration databases or the voting machines themselves?

Bruce Schneier: You know there are things you can do but honestly a voting official in Akron, Ohio against the government of Russia is not a fair fight. We do have this very distributed election system in the United States — 51 individual legal jurisdictions and local jurisdictions but the rules are different where the defenses are all local and we're expecting them to defend themselves against nation states. So we can talk about computer security and things you can do but really the best thing we can do is have some sort of national standard. Some sort of national systems because the threats are national. The distributed local nature of our elections was really well suited to the threats of the mid-1800s. It is secure, largely against those threats. That's why we don't see the kind of retail voting fraud that's often talked about. People going in and voting twice, voting for other people. That kind of stuff tends not to happen [and] when it happens it's very local. It doesn't change anything. It's discovered.

Robin Carnahan: I want to just double down on what Bruce said. It's when you have things that are national security threats done by nation state actors you can't expect some local election official to be up against that, and it makes total sense to have a national response. The good news is that after the threats that we saw homeland security and cyber command really did step in and begin to support state election officials and local election officials in very new ways that had never happened before. They get credit for doing that. I want to point out one other thing and that is that when we think about elections and the ability for bad actors to get in and change things, you know the easy way to do that is through the internet. So it's the features of the election that are connected to the internet — that make it convenient for voters when it's connected to the internet but also makes it convenient for bad guys — and that tends to be a voter registration databases and election night reporting type sites. The voting equipment itself, the machines that you vote on and how those get tallied are not connected to the internet. They are very distributed, and it's a very arduous and step-by-step process to tally those votes but that's not something that's that is connected to the internet. Therefore has a very different threat profile than those things that are [connected].

Maurice Turner: It sounds like we are adding a lot of technology to the election process but we're not necessarily adding a lot of cyber security staff to that so Jake, can you share with us some of your thoughts on what it means to be able to support those state and local election officials specifically when it comes to cyber security?

Jake Braun, Executive Director Cyber Policy Initiative, University of Chicago Harris School of Public Policy: A little bit off topic from your question but just to address the news from yesterday: We had the president come out and make this a completely asinine claim about the machines being hacked and changing all these votes and then you know unfortunately we had DHS come out and make you know a nearly as equally asinine claim that this is the most secure election in U.S. history when — as you're saying there's all this technology that's added — you know obviously the databases can be hacked, the websites can be hacked. We had elections databases and websites you know and and presumably things were actually at least more cyber secure back then…We have the far right who immediately although they've been saying election security stuff is fake news for the last four years agree with the president and the far left to do a 180 that have been saying you know election security is all swiss cheese and immediately agree with homeland security just because they disagree with the president. I think what's really important is what academia does and what you guys are supporting, which is we take a long view or we try to say, ‘Okay let's gather the facts and let's do some research’ and say, ‘Okay is it more secure? Is it not? What do we need to do to make things more secure?’ Now to get into your actual question: One of the biggest challenges that election officials have is workforce and it's not because of them it's everybody has this problem in cybersecurity. The last estimates I saw said cyber jobs that are unfilled across all industries in the United States about one million or about 3.5 million globally a shortage of cyber professionals to open positions.

Maurice Turner: How do you recruit students to work on some of these very interesting problems?

Richard DeMillo, School of Cybersecurity and Privacy Interim Chair; Professor, Georgia Tech: We just started a school here at Georgia Tech to meet the demand that students have for training in careers in cybersecurity. Some of this is driven by digitalization that takes place in the commercial sector and in the government sector. We submitted a proposal to PITUN for a project this year to do COVID-safe secure polling places and kind of made a call to students to participate. We had to shut off the call after we got 30 students. We just had no way of handling the size of the of the turnout that we got and so what that tells me is that is that there is a student-led movement out there to look at societal impact of technology and to do that in a an election year particularly this election year just just blossomed into a project that that was much bigger and much more widespread than we thought.

Maurice Turner: Georgia has certainly seen its share of changes in the way that it actually holds its elections. Can you explain a little bit about how elections in Georgia specifically are different this year and what are some of the challenges or concerns that you're seeing on the ground as a result of those changes?

Richard DeMillo: So this is not the fight that I thought I was going to be having in Georgia when we started looking at the new generation of ballot marking devices that Georgia was considering back in 2018. We thought we were going to be fighting a battle over handmark paper ballots versus machine mark paper ballots and voter verification of ballots and we've been fighting that battle for two years. It's grown pretty contentious here in the state and lo and behold the world changed and the things that we thought were going to be important turned out not to be so important. I will tell you that about half of the ballots cast in Georgia this election cycle were hand marked paper ballots and it had nothing to do with our — well maybe it had a little bit to do with — our advocacy for for safe and secure election technology but it really had to do with the way that the assumptions broke in this in this election.

We started calling voting in the state omnichannel voting [because only] 18% of the votes in this election cycle were cast on November 3. That early voting was kind of a mix of in-person voting at polling centers and handmark paper ballots. The absentee ballots in the state made up the bulk of the way the votes were cast. We were planning on a massive turnout in Atlanta after the June primary...New York Times articles showing these long lines of people waiting in line for eight hours, ten hours. That's what we thought we were going to be facing. Meanwhile, voters looked at that and said, ‘I can see five other ways to spend my time than waiting in line for ten hours,’ and they took it. We had the private sector stepping up the Atlanta Hawks made State Farm arena available for early voting that turned out to be a really, really popular choice for a lot of voters. We had dropboxes…those were really really popular. So as people began to hear that the mail would not be necessarily the safest way to cast their vote they drove 15 minutes to the nearest dropbox and used that.

So all the models that we built — and we spent a lot of time modeling voter turnout and wait times — all the models that we built for the 200 polling places in Fulton county, which was our focus area. resulted in really good software tools that we will make available to election officials, but it turned out not to be where the action was. This election cycle and I think the idea that the scenarios that you plan on based on historical turnouts, historical voter patterns, historical vulnerabilities need to be re-examined because we're not seeing traditional patterns for any time in the future. We will have a January 5 runoff here in Georgia and Heaven knows what the situation is going to be like for that but it won't be anything like what we've seen in prior elections for this election cycle. As you look forward we're going to have to make some conclusions and make some reasonable predictions about where to put our resources going forward.