Office Hours: Election Security

The best way I can think to define election security is as a process to make sure every legal vote cast is counted in the way it was intended.

Associate professor Natalie Scala and I started working together on election security research around 2017.

I think seeing election security as primarily a cyber effort is the general public’s perception. Where our research slightly differs is that our definition includes more than just a hacker getting into a machine and changing votes. It’s also the risks introduced by setting up the equipment incorrectly, by using a bag of ballots that the tamper tape has been broken or leaving a machine on or plugged in where it shouldn't be.

Initially, I was almost shocked at all the ways something could go wrong with an election. In a presidential election cycle, there are more than 110,000 polling places and a million people are poll workers—my mother was a poll worker. These people are seasonal, not given a lot of training and not very technically savvy. Even worse, some places, like Baltimore City, hire poll workers the day of the election.

“Just because it’s a threat doesn’t mean it’s malicious.”

So how are they to know what’s a threat? Workers may walk away from a pollbook without locking it up—we do this with our computers all the time— but this introduces a threat. Unplugging a USB or plugging one into the vote-counting machine—they may not know this is a threat.

Another way threats can be introduced is through individual states’ election processes and procedures. Elections are not federally run. There isn’t a whole lot of coordination in and between states. That’s how our country was designed.

Maryland, mostly, uses common equipment across the state. It has a manual on how elections should be run. That’s not the case everywhere. However, using common equipment makes Maryland more vulnerable to adversarial attacks.

A lot of the modernization of our election equipment came out of the Bush–Gore election. The Help America Vote Act in 2002, which came out of the hanging chad situation, put a whole bunch of funding into using more electronic equipment.

When Natalie and I started working on this, we used documentation from the Election Assistance Commission—the federal agency that helps understand where threats are. Their last threat analysis was 2009. A big part of our work is to look at what the equipment is for Maryland, as well as the mail-in voting process, and update the threats that have changed in the last 13 years, which are significant.

What we see is a lot of homegrown solutions to secure things—rather than a broad, equal security stance across the state. That is good at preventing coordinated attacks, but it’s also bad because some places don’t do election security very well. We're trusting many local solutions to be secure.

That’s an area Natalie and I wanted to focus on with our training materials. We started with Harford County, and then we continued with Anne Arundel County, which used our training materials the summer prior to the 2020 election.

Our initial work was, “Can we develop materials to get poll workers a base level of knowledge of: ‘Here’s the potential threats’ or ‘Here’s the cyber threats or the physical or insider threats.’” Maybe my mother, when she was a poll worker, was doing something that was a threat that she didn’t even realize. Just because it’s a threat doesn’t mean it’s malicious. It could be totally accidental.

Our online training materials—based on research conducted by TU faculty and students—operate on a “see something, say something” premise and have been shown to increase participants’ knowledge of election security.

What we’re doing is addressing the issue of, if you can’t give the local precincts or the local boards of elections some tools to secure their process, it doesn’t matter what the hardware is or what the larger national systems are in terms of protection.

Working with the hundreds, and maybe even thousands, of people who used our training modules up to the 2020 election and seeing how it helped them understand what those threats are so they could apply them on election day was one of the most rewarding things I’ve done in my career.