A group of Democratic senators is introducing a bill aimed at securing U.S. elections from hacking efforts, the latest response to attempted Russian interference in the 2016 presidential vote. The bill introduced Tuesday is specifically designed to ensure the integrity of and bolster confidence in the federal vote count. It would require state and local governments to take two steps to ensure that votes are counted correctly. Under the legislation, states would have to use voting systems that use voter-verified paper ballots that could be audited in the event a result is called into question. State and local officials would also be required to implement what are known as “risk-limiting audits” — a method that verifies election outcomes by comparing a random sample of paper ballots with their corresponding digital versions — for all federal elections.
Colorado became the first state in the nation after this month’s election to complete a “risk-limiting” audit, according to the Secretary of State’s Office. Such an audit, ordered by the Colorado Legislature in 2009, is a procedure designed to provide statistical evidence that the election outcome is correct, and has a higher-than-normal probability of correcting a wrong outcome. Risk-limiting audits require human beings to examine and verify more ballots in close races, and fewer ballots in races with wide margins. “Colorado is a national leader in exploring innovative solutions for accessible, secure and auditable elections,” said Matt Masterson, chairman of the U.S. Election Assistance Commission, who witnessed the audit. “Colorado’s risk-limiting audit provided great insights into how to conduct more efficient and effective post-election audits. (The commission) is eager to share some of the lessons learned with election officials across America.”
Colorado: State embarks on a first-of-its-kind election audit that’s drawing interest from out of state | The Denver Post
Colorado is embarking on a first-of-its-kind, statewide election audit that seeks to validate the accuracy of the state’s ballot-counting machines amid national concern about election integrity. The so-called risk-limiting audit involves a manual recount of a sample of ballots from 56 counties that had elections this year to compare them with how they were interpreted by tabulating machines. The exercise is drawing observers from Rhode Island, as well as top federal voting-oversight officials. “It’s a huge deal in the election world,” said Lynn Bartels, spokeswoman for the Colorado Secretary of State’s Office, which is implementing the audit.
States across the nation are ramping up their digital defenses to prevent the hacking of election systems in 2018. The efforts come in the wake of Russia’s interference in the 2016 presidential election, which state officials say was a needed wake-up call on cybersecurity threats to election systems and infrastructure. … Security experts are still divided over the extent of hacking risks to actual voting machines. Some say that because many different voting machines are used across the country and because they are not connected to the internet, that would make any large-scale attack hard to carry out. … But others contend that digital voting machines are vulnerable and could be targeted to influence actual election outcomes. “Some election functions are actually quite centralized,” Alex Halderman, a University of Michigan computer science professor, told the Senate Intelligence Committee in June. “A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.”
Colorado on Monday said it will become the first state to regularly conduct a sophisticated post-election audit that cybersecurity experts have long called necessary for ensuring hackers aren’t meddling with vote tallies. The procedure — known as a “risk-limiting” audit — allows officials to double-check a sample of paper ballots against digital tallies to determine whether results were tabulated correctly. The election security firm Free & Fair will design the auditing software for Colorado, and the state will make the technology available for other states to modify for their own use. The audit will allow Colorado to say, “with a high level of statistical probability that has never existed before,” that official election results have not been manipulated, said Colorado Secretary of State Wayne Williams in a statement.
The state of Colorado is moving to audit future digital election results, hiring a Portland-based startup to develop software to help ensure that electronic vote tallies are accurate. The startup Free & Fair announced on Monday that it had been selected by the state to develop a software system for state and local election officials to conduct what are called “risk-limiting audits.” A risk-limiting audit, or RLA, is a method that checks election outcomes by comparing a random sample of paper ballots to the accompanying digital versions. The development comes amid deepening fears on Capitol Hill about the possibility of foreign interference in future elections, following Russia’s use of cyberattacks and disinformation to influence the 2016 presidential election. According to the U.S. intelligence community, Moscow’s efforts also included targeting state and local election systems.
American voting relies heavily on technology. Voting machines and ballot counters have sped up the formerly tedious process of counting votes. Yet long-standing research shows that these technologies are susceptible to errors and manipulation that could elect the wrong person. In the 2016 presidential election, those concerns made their way into public consciousness, worrying both sides of the political fence. The uncertainty led to a set of last-minute, expensive state recounts—most of which were incomplete or blocked by courts. But we could ensure that all elections are fair and accurate with one simple low-tech fix: risk-limiting audits. Risk-limiting audits are specific to elections, but they are very similar to the audits that are routinely required of corporate America. Under them, a random sample of ballots is chosen and then hand-counted. That sample, plus a little applied math, can tell us whether the machines picked the right winner.
After extensive ups and downs, the election recount efforts in Michigan, Wisconsin, and Pennsylvania have concluded. The main lesson: ballot audits should be less exciting and less expensive. Specifically, we need to make audits an ordinary, non-partisan part of every election, done efficiently and quickly, so they are not subject to emergency fundraising and last-minute debates over their legitimacy. The way to do that is clear: make risk-limiting audits part of standard election procedure. After this year’s election, EFF joined many election security researchers in calling for a recount of votes in three key states. This was partly because of evidence that hackers affected other parts of the election (not directly related to voting machines). But more than that, it was based on long-standing research showing that electronic voting machines and optical scanners are subject to errors and manipulation that could sway an election. In response to that call, Green Party candidate Jill Stein’s campaign raised more than $7 million to fund the recounts.
Standardizing voter registration processes, voting machines and vote tabulation is the key to eliminating most vulnerabilities plaguing U.S. elections, according to several cybersecurity experts. These standardizations would embed security, enable backups and eliminate many backdoors through which hackers and vote fraudsters currently can warp the results of an election. While voting is administered at the state and local levels, these remedies would need to be applied nationwide. The current web of diverse processes may increase the difficulty for wide-scale election tampering, but they also ensure that achieving security is too broad a challenge for any single remedy to be applied. This diversity also virtually ensures that some location will have a vulnerability that, if exploited effectively, could cast doubt on a nationwide election result. … Auditing capabilities are important, says Ron Bandes, network security analyst in the CERT division of the Software Engineering Institute of Carnegie Mellon University. He also is president of VoteAllegheny, a nonpartisan election integrity organization.
The Secretary of State’s Office chose a Denver-based company Tuesday to supply future voting machines for the state’s 64 counties, and Mesa County Clerk Sheila Reiner couldn’t be more pleased. That’s because Reiner used voting machines from that company, Dominion Voting Systems, as part of a three-year pilot project to test various machines for a uniform voting system. Having all counties use the same machines not only will allow each to get them cheaper, but also help save costs in maintenance, supplies and training time for election workers, Reiner said. She said Dominion, more than any of the other companies that were included in the pilot study, had a product that was ready to go. “Dominion … was by far the most developed and appropriate system for our state,” Reiner said. “I say that because from the simplicity of building the ballot definition all the way through the risk-limiting audit that we’re going to be required to do by statute in 2017, everything just fit with Colorado laws and current needs. The other vendors are still developing things to fit our model.”