Bad Watchdog Season 2 launches June 20.

Analysis

Congress Needs to Build Up Election Security Protections, and Also Contingencies

In 2018, we continued to see serious threats to undermine our elections, such as hack-attempts against Senators and malicious infiltration of the National Republican Congressional Committee. Voting machines and systems are also vulnerable. It’s critical for our government to maintain its vigilance in combatting election threats and better securing our election systems.

The problem isn’t that states are indifferent to cybersecurity concerns; most provisional ballot laws were created nearly two decades ago.

Last week, the House Committee on Homeland Security held the first hearing of the new Congress focused on election security. Fortunately, many measures under consideration—such as creating systems for paper ballots and audits—have bipartisan support.

One key area of election security that often receives less attention than voting machines is protecting registration databases. If hackers infiltrated a state’s registration database and the list of registered voters, it would have a catastrophic effect on elections. Without registration data, in most states the only way to proceed with an election would be the widespread use of provisional ballots.

Ideally, we will continue to strengthen our election systems and will never find ourselves in this scenario. But Congress and the states need to do more than try to prevent an election-security disaster: they also need to build contingencies to minimize damage if one does occur.

A recent report by the Project On Government Oversight revealed most states are not capable of implementing a contingency plan using provisional voting if the need ever arose. Our analysis of states where provisional voting would likely be the only option in the wake of a compromise of registration data revealed that a majority of states examined are unprepared or appear unable to use provisional ballots on a broad scale in response to a debilitating attack.

Fifteen of the 29 states we examined have laws that would prohibit provisional voting by anyone whose registration status cannot be determined, as would be the case for all voters following a successful attack that compromised the state’s registration data. Additionally, in six states, legal ambiguities create uncertainty about whether provisional ballots could be used broadly. Those states’ laws use registration status as the basis for both accepting and rejecting provisional ballots, with no clear default rule about how to act if that cannot be determined.

There is no silver bullet for election security. Lawmakers and election officials must instead diligently build up a stockpile of silver BBs that can respond to a wide array of ever-evolving threats.

The problem isn’t that states are indifferent to cybersecurity concerns; most provisional ballot laws were created nearly two decades ago with the expectation of only applying to small-scale problems. But the government now needs to step up and address how these laws connect to current threats.

Fortunately, the remedy to this problem is simple. States with rules that would prevent broad provisional balloting should amend their laws so that registration status is not the only means of verifying a voter’s authenticity and counting the provisional ballot. Congress could fix this problem nationwide by amending the Help America Vote Act—which requires states to maintain provisional ballot laws—to say that these laws must have some means of counting ballots that does not depend on checking against registration databases. And because this applies to a backup ballot system that would only be broadly used in response to an attack on registration systems, this legal update should have no impact on the regular conduct of elections.

There is no silver bullet for election security. Lawmakers and election officials must instead diligently build up a stockpile of silver BBs that can respond to a wide array of ever-evolving threats. Improving the laws for provisional voting so that this system can serve as a response to a successful attack against registration databases may seem like a small step, but it is an important one for enhancing election security.