LANSING—Around 50 elections officials and analysts met at an outpost of the Lansing City Clerk’s office in June, eagerly awaiting the day’s activity: Piloting a relatively new method for ensuring accurate election results.
The volunteers — from as near as Delta Township and as far as California — were there to learn an election audit method considered the “gold standard” for verifying votes as the nation barrels toward its first presidential election following widespread Russian tampering in 2016.
The method is known as a risk-limiting audit, which essentially involves hand-counting a statistically significant sample of ballots to be confident election results are accurate.
A spokesman for the Michigan Secretary of State said it’s one of a handful of techniques the state is testing ahead of the 2020 statewide election, when it will be required to audit elections across the state — a legacy of Proposal 3, the citizen-initiated constitutional amendment passed last November.
The fact that the state is required to audit is a new phenomenon; before the amendment passed last fall, the state audited a fixed percentage of precincts after each election but wasn’t bound by law to do so.
And that change is good news, elections security experts told Bridge. A robust post-election audit is one of the best ways the state can make sure state elections are protected against hacking or manipulation by foreign or domestic adversaries.
“Michigan is already in a really good position compared to most other states,” said J. Alex Halderman, a computer science and engineering professor at the University of Michigan who specializes in election security. He is co-chair of a commission of state and national security experts formulating recommendations for the Secretary of State on how to improve Michigan’s election security, which are expected to issue findings by year’s end.
Michigan has paper ballots (as opposed to an electronic-only record of votes), which allows the state to double check election results. Under previous Secretary of State Ruth Johnson, the state purchased new voting machines in 2018, which promised better technology and fewer breakdowns. Michigan is also updating its voter registration system to improve security, Halderman said.
“That means we are very close to being well-protected against cyber attacks that could try to change results,” he said.
The operative phrase: Very close.
Volunteers unpack ballots from the City of Lansing’s May 7 election to conduct a risk-limiting audit, one of three the state Bureau of Elections planned for June to test whether risk-limiting audits (considered the “gold standard” of elections verification) are feasible for statewide elections. Madison McFarland, right, came from Greene County, Missouri, where she works as an election coordinator to experience the cutting-edge audit method. (Bridge photo by Riley Beggin)
Michigan has $11 million in federal funds to help secure state elections, which Secretary of State Jocelyn Benson said will probably not be enough to implement all the needed changes, “but it’s enough to get us started.” Gov. Gretchen Whitmer approved another $2.5 million to implement Proposal 3 on June 24.
Michigan still faces vulnerabilities state officials hope to close, however. In interviews with Bridge Magazine, Halderman and Benson outlined the kind of security threats that give them heartburn ahead of the 2020 election.
“Our goal is to be prepared for the threats we know and also be prepared for emerging threats,” Benson said. “The challenging thing here is the threats are evolving as quickly as we prepare for them.”
Here are three:
Despite computer scientists’ best efforts, there’s no such thing as a hack-proof voting machine. But it’s implausible for hackers to try to access each machine individually, Halderman said. Instead, hackers might look for centralized places where they can access multiple machines at once.
That place, Halderman said, is likely to be an election management system, which elections officials use to program the ballot ahead of an election (for example, to plug in the names of who is running for Governor or state Representative.)
In Michigan, each county is responsible for programming its ballot ahead of elections. Many use an in-house election management system specific to the county, but many others outsource the job to one of the nation’s three largest elections technology companies.
“If an attacker can get into one of those election management systems, they can spread malicious code to change the way the voting machines count to all of the voting machines in the area that that system covers,” Halderman said. “So the question becomes, how locked down are our election management systems?”
That varies dramatically from place to place. The more decentralized the management systems are, the less likely it is an attacker will be able to affect broad areas.
Not every state is good about this, Halderman said. In the most egregious case, a single election management system operating out of an office park in Omaha, Neb. programs machines in 34 states and 2,000 jurisdictions.
“You had better believe that there is an enormous bullseye for the world’s best attackers painted on that central facility.” Halderman said.
In 2016, roughly 75 percent of Michigan counties outsourced their ballot programming to election management vendors, he said. Now around 63 percent of counties rely on elections technology companies to program their ballots each election, according to data provided by the Michigan Secretary of State’s office — including some of the state’s largest counties such as Wayne and Macomb.
Michigan counties that program their own ballots
Overcentralization of election management systems is a potential security threat, said J. Alex Halderman, an election security expert at the University of Michigan. The level of security in each system (used to program ballots ahead of elections) varies from county to county, but counties that program their own ballots help prevent an attack on their system from affecting other areas.
These Michigan counties program all of their own elections:
- Grand Traverse
Source: Michigan Secretary of State
Counties that program their ballots in-house help assure an attack on their system won’t affect other areas of the state. Though a breach in even a single, highly-populated county (say, Kent, Wayne or Oakland counties) could have a major impact on state results.
Benson said in May she plans to hire someone to oversee election security statewide and improve and standardize training so local elections officials are prepared for attacks.
“The people operating the machines need to be trained in how to ensure that they are properly secured, that our ballots are secured, that they can be recounted,” Benson said.
That’s a reference to Michigan’s recount law, which outlines a number of ways precincts can be made ineligible for recount. In 2017, a fifth of Detroit precincts weren’t eligible for a recount in a tight city clerk race due to poll worker errors.
Voter registration records
State voter registration systems are also centralized by nature and usually connected to the Internet, Halderman said. A U.S. Senate committee investigation into the 2016 election found that Russian hackers accessed voter registration records in a small number of states and had the ability to change or destroy the data.
“They chose not to pull the trigger for reasons that have not been publicly disclosed,” Halderman said. If they had, it could have been Election Day chaos: people showing up at the polls only to be told they’re not on the voter registration list.
“We skirted with disaster in 2016 that way and, fortunately, now that everyone in the election system community is aware that voter registration systems are a potential target, most states are taking steps to better monitor or better secure those systems,” Halderman said.
Michigan is among those states. In January, Michigan joined the Electronic Registration Information Center, which allows member states to cross-check voter registration data to ensure the rolls are accurate.
“Although it doesn’t directly guard against cyber intrusions into the voter file – we have other safeguards against that activity, and are considering more – having an accurate and up-to-date voter list could mitigate the damage of any effort to alter or manipulate voter records by making it more noticeable if it were to occur,” said Shawn Starkey, spokesman for Benson’s office.
Over the last few years, the SOS and Department of Technology, Management and Budget have begun upgrading Michigan’s voter rolls “to prevent unauthorized access and reduce other vulnerabilities,” said another SOS spokesman, Michael Doyle, including changes to who can get into the system and how.
As of March, the state had spent $10.5 million upgrading the system. The department will consider other security measures once the commission Halderman helps lead releases its recommendations.
A democratic government’s legitimacy is only as strong as the faith voters have in it — and as of late, that faith is weak. According to an NPR/Marist poll conducted ahead of the 2018 midterm elections, nearly two in five Americans said elections are unfair.
The 2016 attack on U.S. elections showed that even without hacking, attackers can cause widespread distrust in government, Halderman said.
“There’s all kinds of ways that adversaries could try to discredit elections just by making up things that aren’t true,” he said. “If you’re an attacker, the next best thing to actually changing votes is making people think you did change votes.”
That’s a serious problem, Halderman and Benson said. The best defense, Halderman said, is re-engineering the elections system to make it one based on evidence rather than faith.
Risk-limiting audits use statistical methods that rely on both computer programs and human-generated keys — including a random number compiled by 20 die-rolling volunteers, in the case of the Lansing audit pilot — to ensure election results are accurate. (Bridge photo by Riley Beggin)
Using a risk-limiting audit method, such as the type piloted in Lansing, Halderman said, is one way to ensure the state can give voters confidence that those in office were actually chosen to be there.
And there’s reason to believe Michiganders yearn for greater security and faith in their elections: Proposal 3, which implemented a variety of voting rights, passed in November with nearly 70 percent of the vote.
“We all need confidence in our voting system,” said Chris Swope, Lansing City Clerk. “In any sort of election you should have some sort of assurance that the reported winner is the actual winner.”
Experts coordinating the audit trial said conducting risk-limiting audits isn’t particularly difficult or expensive — it just requires a lot of preparation. In Colorado, the first state to require statewide risk-limiting audits, it took around eight years to get the system up and running. “It’s definitely a big undertaking,” Swope said, but “hopefully we can learn from them and it won’t take eight years.”
In the meantime, “it’s really important that people still exercise their right to vote,” Halderman said. “If they don’t, then well, you’ve just guaranteed your vote isn’t going to be counted.”