During the 2016 presidential election, America’s election infrastructure was targeted by a foreign government.1 According to assessments by members of the U.S. Intelligence Community,2 actors sponsored by the Russian government “obtained and maintained access to elements of multiple US state or local electoral boards.”3 While the full
1 For the purposes of this report, election infrastructure is defined as the physical and organizational structures and facilities and personnel needed for the operation of elections.
2 The U.S. Intelligence Community consists of 16 agencies working under the coordination of the Office of the Director of National Intelligence. The 16 agencies are the: Central Intelligence Agency; Defense Intelligence Agency; Federal Bureau of Investigation; National Geospatial-Intelligence Agency; National Reconnaissance Office; National Security Agency/Central Security Service; U.S. Department of Energy; U.S. Department of Homeland Security (DHS); U.S. Department of State; U.S. Department of the Treasury; Drug Enforcement Administration; U.S. Air Force; U.S. Army; U.S. Coast Guard; U.S. Marine Corps; and U.S. Navy.
3 The U.S. Department of Homeland Security (DHS) assessed “that the types of systems Russian actors targeted or compromised were not involved in vote tallying.” See Office of the Director of National Intelligence, “Assessing Russian Activities and Intentions in Recent US Elections, Intelligence Community Assessment,” January 6, 2017, p. iii, available at: https://www.dni.gov/files/documents/ICA_2017_01.pdf. Bolded text is original to the document.
By September 2017, voter registration systems or public election sites in 21 states had been identified by DHS as having been targeted by Russian hackers. See, e.g., National Association of Secretaries of State, “NASS Statement on US Department of Homeland Security (DHS) Outreach to 21 States Regarding Potential Targeting,” September 25, 2017, available at: https://www.nass.org/node/284 and Horwitz, Sari, Ellen Nakashima, and Matea Gold, “DHS Tells States About Russian Hacking During 2016 Election,” Washington Post, September 22, 2017.
Voter registration systems and public election websites (e.g., state “my voter” pages) are election systems. For the purposes of this report, election system is defined as a technology-based
extent and impact of these activities is not known and our understanding of these events is evolving, there is little doubt that these efforts represented an assault on the American system of representative democracy.
The vulnerability of election infrastructure to cyberattacks became a growing concern during the campaign leading up to the 2016 presidential election, and in fall 2016, the federal government took the unusual step of issuing a joint statement from the U.S. Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (ODNI) urging state and local governments to be “vigilant and seek cybersecurity assistance from DHS.”4 In late December 2016, as the extent of Russian activities became apparent, President Barack Obama invoked sanctions against Russia for its efforts to disrupt the presidential election.5 In early 2017, the nation’s election systems were given critical infrastructure status.6
system that is used to collect, process, and store data related to elections and election administration. In addition to voter registration systems and public election websites, election systems include voting systems (the means through which voters cast their ballots), vote tabulation systems, election night reporting systems, and auditing systems.
Whether there were attacks on voting systems or vote tabulation systems is unknown. The committee authoring this report is not aware of an ongoing investigation into this possibility. In 2016, gaps in intelligence gathering, information sharing, and reporting led to problems that were underappreciated at the time of the intrusions leaving considerable uncertainty about what happened, even today. See, e.g., U.S. Senate Select Committee on Intelligence, “Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations,” May 8, 2018, pp. 1-2, available at: https://www.burr.senate.gov/imo/media/doc/RussRptInstlmt1-%20ElecSec%20Findings,Recs2.pdf.
4 U.S. Department of Homeland Security and Office of the Director of National Intelligence, “Joint Statement from the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security,” October 7, 2016, available at: https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national.
5 In announcing the sanctions, the president stated, “Today, I have ordered a number of actions in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election. These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior.” See The White House, Office of the Press Secretary, “Statement by the President on Actions in Response to Russian Malicious Cyber Activity and Harassment,” December 29, 2016, available at: https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/statement-president-actions-response-russian-malicious-cyber-activity.
6 Johnson, Jeh, “Statement by Secretary Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector,” January 6, 2017, available at: https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical.
Critical infrastructure refers to “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” See U.S. Department of Homeland Security, “What Is Critical Infrastructure?,” available at: https://www.dhs.gov/what-critical-infrastructure.
Today, long-standing concerns about outdated and insecure voting systems and newer developments such as cyberattacks, the designation of election systems as critical infrastructure, and allegations of widespread voter fraud, have combined to focus attention on U.S. election systems and operations. The issues highlighted in 2016 add urgency to a careful reexamination of the conduct of elections in the United States and demonstrate a need to carefully consider tradeoffs with respect to access and cybersecurity. This report responds to the needs of this moment.
ELECTIONS IN THE UNITED STATES
Unlike other nations, the United States has no centralized, nationwide election authority. The Constitution leaves it to individual states to run and regulate elections, but Congress may make regulations that supersede state regulations on the conduct of federal contests.7
Motivated to make participation easier and election administration more efficient, some states have introduced new approaches to voting, such as in-person early voting, vote centers, and voting by mail. However, in an era when smart phones have become ubiquitous and the Internet plays an integral part in most people’s lives, citizens must ask whether there are still further new innovative approaches to voting and consider what voting may look like in the future. Can, for example, safe and secure systems be developed to enable Internet or other remote voting in elections?
Efforts to Improve the Administration of Elections
Over the past two decades, numerous initiatives have been launched to improve U.S. election systems, with activity especially intense after the 2000 presidential election. Progress has been made since 2001, but old problems persist and new problems emerge. U.S. elections are subject to aging equipment, targeting by external actors, a lack of sustained funding, and growing expectations that voting should be more accessible, convenient, and secure. The present issues and threat environment provides an extraordinary opportunity to marshal science and technology to create more resilient and adaptive election systems that are accessible, reliable, verifiable, and secure.
Charge to the Committee
In 2016, amid concerns about the state of U.S. election infrastructure, the Carnegie Corporation of New York and the William and Flora Hewlett
7 U.S. Constitution, Article I § 4.
Foundation provided support for the National Academies of Sciences, Engineering, and Medicine to consider the future of voting in the United States. In response, the National Academies appointed an ad hoc committee, the Committee on the Future of Voting: Accessible, Reliable, Verifiable Technology, to:
- Document the current state of play in terms of technology, standards, and resources for voting technologies.
- Examine challenges arising out of the 2016 federal election.
- Evaluate advances in technology currently and soon-to-be available that can improve voting.
- Offer recommendations that provide a vision of voting that is easier, accessible, reliable, and verifiable.
In carrying out its charge, the committee was mindful of the context in which its study was conducted. The committee saw its work as an opportunity to address concerns about the “hard” (e.g., all components of election systems including hardware and software) and “soft” (e.g., education and training of election workforce, law, and governance) issues associated with elections and to address new threats that could erode confidence in the results of elections. The committee recommendations articulated in this report address U.S. elections holistically, as the elections system itself is composed of numerous component systems. Issues related to voting (e.g., voter identification laws, gerrymandering, foreign and domestic disinformation, campaign financing, etc.) not addressed in this report were considered by the committee as outside its charge.
As this report illustrates, voting in the United States is a complicated process that involves multiple levels of government, personnel with a variety of skills and capabilities, and numerous electronic systems that interact in the performance of a multitude of tasks. Unfortunately, our current system is vulnerable to internal and external threats.
For this study, the committee examined the various election systems in use in the United States, the diverse parties involved in the administration of elections, research on elections, the availability of resources, and structural gaps. To create a system of voting for the future, the committee makes the following recommendations.8
8 The initial digit in each numbered recommendation refers to the number of the chapter in this report in which the associated topic is discussed.
RECOMMENDATIONS ON COMPONENTS OF ELECTIONS
Voter Registration and Voter Registration Databases
- 4.1 Election administrators should routinely assess the integrity of voter registration databases and the integrity of voter registration databases connected to other applications. They should develop plans that detail security procedures for assessing voter registration database integrity and put in place systems that detect efforts to probe, tamper with, or interfere with voter registration systems. States should require election administrators to report any detected compromises or vulnerabilities in voter registration systems to the U.S. Department of Homeland Security, the U.S. Election Assistance Commission, and state officials.
- 4.2 Vendors should be required to report to their customers, the U.S. Department of Homeland Security, the U.S. Election Assistance Commission, and state officials any detected efforts to probe, tamper with, or interfere with voter registration systems.
- 4.3 All states should participate in a system of cross-state matching of voter registrations, such as the Electronic Registration Information Center (ERIC). States must ensure that, in the utilization of cross-matching voter databases, eligible voters are not removed from voter rolls.
- 4.4 Organizations engaged in managing and cross-matching voter information should continue to improve security and privacy practices. These organizations should be subject to external audits to ensure compliance with best security practices.
Voting by Mail, Including Absentee Voting
- 4.5 All voting jurisdictions should provide means for a voter to easily check whether a ballot sent by mail has been dispatched to him or her and, subsequently, whether his or her marked ballot has been received and accepted by the appropriate elections officials.
- 4.6 Jurisdictions that use electronic pollbooks should have backup plans in place to provide access to current voter registration lists in the event of any disruption.
- 4.7 Congress should authorize and fund the National Institute of Standards and Technology, in consultation with the U.S. Election Assistance Commission, to develop security standards and verification and validation protocols for electronic pollbooks in addition to the standards and verification and validation protocols they have developed for voting systems.
- 4.8 Election administrators should routinely assess the security of electronic pollbooks against a range of threats such as threats to the integrity, confidentiality, or availability of pollbooks. They should develop plans that detail security procedures for assessing electronic pollbook integrity.
- 4.9 State requirements for ballot design (inclusive of print, screen, audio, etc.) and testing should use best practices developed by the U.S. Election Assistance Commission and other organizations with expertise in voter usability design (such as the Center for Civic Design).
- 4.10 States and local jurisdictions should have policies in place for routine replacement of election systems.
- 4.11 Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).9 Recounts and audits should be conducted by human inspection of the human-readable por
9 A modern form of optical scanner, a digital scanner, captures, interprets, and stores a high-resolution image of the voter’s ballot at a resolution of 300 dots per inch (DPI) or higher.
tion of the paper ballots. Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.
- 4.12 Every effort should be made to use human-readable paper ballots in the 2018 federal election. All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.
- 4.13 Computers and software used to prepare ballots (i.e., ballot-marking devices) should be separate from computers and software used to count and tabulate ballots (scanners). Voters should have an opportunity to review and confirm their selections before depositing the ballot for tabulation.10
Voting System Certification
- 4.14 If the principles and guidelines of the final Voluntary Voting System Guidelines are consistent with those proposed in September 2017, they should be adopted by the U.S. Election Assistance Commission.
4.15 Congress should:
- authorize and fund the U.S. Election Assistance Commission to develop voluntary certification standards for voter registration databases, electronic pollbooks, chain-of-custody procedures, and auditing; and
- provide the funding necessary to sustain the U.S. Election Assistance Commission’s Voluntary Voting System Guidelines standard-setting process and certification program.
- 4.16 The U.S. Election Assistance Commission and the National Institute of Standards and Technology should continue the process of refining and improving the Voluntary Voting System Guidelines to reflect changes in how elections are administered, to respond to new challenges to election systems (e.g., cyberattacks), and to take advantage of opportunities as new technologies become available.
10 Throughout this report, to be counted means to be included in a vote tally. Tally refers to the total number of votes cast. Tabulation refers to the aggregation of the votes cast by individual voters to produce vote totals.
- 4.17 Strong cybersecurity standards should be incorporated into the standards-setting and certification processes at the federal and state levels.
RECOMMENDATIONS ON ENSURING THE INTEGRITY OF ELECTIONS
- 5.1 Election systems should continue to be considered as U.S. Department of Homeland Security-designated critical infrastructure.
- 5.2 The U.S. Election Assistance Commission and U.S. Department of Homeland Security should continue to develop and maintain a detailed set of cybersecurity best practices for state and local election officials. Election system vendors and state and local election officials should incorporate these best practices into their operations.
- 5.3 The U.S. Election Assistance Commission should closely monitor the expenditure of funds made available to the states for election security through the 2018 omnibus appropriations bill to ensure that the funds enhance security practices and do not simply replace local dollars with federal support for ongoing activities.11 The U.S. Election Assistance Commission should closely monitor any future federal funding designated to enhance election security.
- 5.4 Congress should provide funding for state and local governments to improve their cybersecurity capabilities on an ongoing basis.
- 5.5 Each state should require a comprehensive system of post-election audits of processes and outcomes. These audits should be conducted by election officials in a transparent manner, with as much observation by the public as is feasible, up to limits imposed to ensure voter privacy.
- 5.6 Jurisdictions should conduct audits of voting technology and processes (for voter registration, ballot preparation, voting, election
11 See H.R. 1625 - Consolidated Appropriations Act, 2018, Section 501, available at: https://www.congress.gov/bill/115th-congress/house-bill/1625/text.
reporting, etc.) after each election. Privacy-protected audit data should be made publicly available to permit others to replicate audit results.
- 5.7 Audits of election outcomes should include manual examination of statistically appropriate samples of paper ballots cast.
- 5.8 States should mandate risk-limiting audits prior to the certification of election results.12 With current technology, this requires the use of paper ballots. States and local jurisdictions should implement risk-limiting audits within a decade. They should begin with pilot programs and work toward full implementation. Risk-limiting audits should be conducted for all federal and state election contests, and for local contests where feasible.
- 5.9 State and local jurisdictions purchasing election systems should ensure that the systems will support cost-effective risk-limiting audits.
- 5.10 State and local jurisdictions should conduct and assess pilots of end-to-end-verifiable election systems in elections using paper ballots.
- 5.11 At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots.13,14 Further, Internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.15
- 5.12 U.S. Election Assistance Commission standards and state laws should be revised to support pilot programs to explore and validate new election technologies and practices. Election officials are encouraged to seek expert and public comment on proposed new election technology before it is piloted.
12 Risk-limiting audits examine individual randomly selected paper ballots until there is sufficient statistical assurance to demonstrate that the chance that an incorrect reported outcome escaping detection and correction is less than a predetermined risk limit.
13 Inclusive of transmission via email or fax or via phone lines.
14 The Internet is an acceptable medium for the transmission of unmarked ballots to voters so long as voter privacy is maintained and the integrity of the received ballot is protected.
15 If secure Internet voting becomes feasible and is adopted, alternative ballot casting options should be made available to those individuals who do not have sufficient access to the Internet.
RECOMMENDATIONS ON SYSTEMIC ISSUES
Election Administrator and Poll Worker Training
- 6.1 Congress should provide adequate funding for the U.S. Election Assistance Commission to continue to serve as a national clearinghouse of information on election administration.
- 6.2 The U.S. Election Assistance Commission, with assistance from the national associations of state and local election administrators, should encourage, develop, and enhance information technology training programs to educate state and local technical staff on effective election administration.
- 6.3 Universities and community colleges should increase efforts to design curricula that address the growing organizational management and information technology needs of the election community.
The Voting Technology Marketplace
6.4 Congress should:
- create incentive programs for public-private partnerships to develop modern election technology;
- appropriate funds for distribution by the U.S. Election Assistance Commission for the ongoing modernization of election systems; and
- authorize and appropriate funds to the National Institute of Standards and Technology to establish Common Data Formats for auditing, voter registration, and other election systems.
- 6.5 Along with Congress, states should allocate funds for the modernization of election systems.
- 6.6 The U.S. Election Assistance Commission and the National Institute of Standards and Technology should continue to collaborate on changes to the certification process that encourage the modernization of voting systems.
- 6.7 The National Institute of Standards and Technology should complete the Common Data Format standard for election systems.
- 6.8 New election systems should conform to the Common Data Format standard developed by the National Institute of Standards and Technology.
The Federal Role
6.9 To improve the overall performance of the election process:
- The president should nominate and Congress should confirm a full U.S. Election Assistance Commission and ensure that the U.S. Election Assistance Commission has sufficient members to sustain a quorum.
- Congress should fully fund the U.S. Election Assistance Commission to carry out its existing functions.
- Congress should require state and local election officials to provide the U.S. Election Assistance Commission with data on voting system failures during elections as well as information on other difficulties arising during elections (e.g., long lines, fraudulent voting, intrusions into voter registration databases, etc.). This information should be publicly available.
RECOMMENDATIONS ON SECURING THE FUTURE OF VOTING
- 7.1 Congress should provide appropriate funding to the U.S. Election Assistance Commission to carry out the functions assigned to it in the Help America Vote Act of 2002 as well as those articulated in this report.
- 7.2 Congress should authorize and provide appropriate funding to the National Institute of Standards and Technology to carry out its current elections-related functions and to perform the additional functions articulated in this report.
7.3 Congress should authorize and fund immediately a major initiative on voting that supports basic, applied, and translational research relevant to the administration, conduct, and performance of elections. This initiative should include academic centers to foster collaboration both across disciplines and with state and local election officials and industry.
The U.S. Election Assistance Commission, National Institute of Standards and Technology, U.S. Department of Homeland Security, National Science Foundation, and U.S. Department of Defense should sponsor research to:
- determine means for providing voters with the ability to easily check whether a ballot sent by mail has been dispatched to him or her and, subsequently, whether his or her marked ballot has been received and accepted by the appropriate elections officials;
- evaluate the reliability of various approaches (e.g., signature, biometric, etc.) to voter authentication;
- explore options for testing the usability and comprehensibility of ballot designs created within tight, pre-election timeframes; • understand the effects of coercion, vote buying, theft, etc., especially among disadvantaged groups, on voting by mail and to devise technologies for reducing this threat;
- determine voter practices regarding the verification of ballot marking device–generated ballots and the likelihood that voters, both with and without disabilities, will recognize errors or omissions;
- assess the potential benefits and risks of Internet voting;
- evaluate end-to-end-verifiable election systems in various election scenarios and assess the potential utility of such systems for Internet voting; and
- address any other issues that arise concerning the integrity of U.S. elections.
As a nation, we have the capacity to build an elections system for the future, but doing so requires focused attention from citizens, federal, state, and local governments, election administrators, and innovators in academia and industry. It also requires a commitment of appropriate resources. Representative democracy only works if all eligible citizens can participate in elections, have their ballots accurately cast, counted, and tabulated, and be confident that their ballots have been accurately cast, counted, and tabulated.