Exercising our right to vote is the purest expression of our faith in democracy. Without a shared sense of trust in the integrity of that vote, we risk becoming a nation dangerously divided against itself. Great vigilance would be in order, then, even if Pennsylvanians could rely on secure, resilient election systems and architecture. The reality, however, is otherwise. Today our state is among the most vulnerable in the country to hacking and cyber attack – a democratic four-alarm blaze just waiting to happen.
Pennsylvania’s role as a perennial swing-state brings with it high stakes, close presidential elections, and even closer scrutiny. In 2016, Donald Trump’s margin of victory here – fewer than 70,000 votes – was barely one percent of the nearly six million votes cast statewide. We know that faith in the validity of our elections is a quality much harder to earn than to lose.
That’s why, as proud Pennsylvanians who have dedicated our careers to justice, law, and education, we feel strongly that the time is now to address this vulnerability. We must come together as a commonwealth, as communities, and as citizens to make an honest assessment of Pennsylvania’s election security architecture, to diagnose and discuss its strengths and weaknesses, and to plan for a better, more secure future.
This is why we are launching a nonpartisan, independent Blue Ribbon Commission on Pennsylvania’s Election Security designed to bring about concrete improvements before the next presidential election in 2020. With support from The Heinz Endowments, and collaboration between University of Pittsburgh’s Institute for Cyber Law, Policy, and Security, Carnegie Mellon’s Software Engineering Institute CERT Division, and Verified Voting, we will convene experts and leaders from across the state with a clear goal: strengthening the security of the systems on which Pennsylvanians rely to exercise their right to vote.
The causes of our voting woes are many and complex. It is beyond the scope of any single commission to seek to address them all. But the growing concerns over our current election security must not go unaddressed.
What are the concerns about Pennsylvania’s election security?
Pennsylvania uses at least 10 different models of voting machines, many of them more than a decade old and particularly vulnerable to hacking. In 2016, a Princeton University computer scientist, Andrew Appel, and his graduate student, Alex Halderman, demonstrated how to gain access to the memory and software of a voting machine in just minutes. They showed that modifying vote counts would be easy, while detecting the manipulation would be difficult. These same machines are in use in over 500 precincts in Pennsylvania today. In fact, Verified Voting estimates that 83 percent of Pennsylvania voters use electronic voting machines without voter-verified paper ballots—the machines that security experts warn are most hackable.
Understanding this risk, on April 12, the Secretary of State’s office required that all Pennsylvania voting machines offer a verifiable paper trail by the end of 2019, and encouraged counties to do so before the November election. This is a crucial step, and we applaud Gov. Wolf and Acting Secretary of State Robert Torres for this effort. New federal funding will offset $13.5 million of the cost and the administration says that it is committed to working with the legislature to help fund these upgrades, of which the state estimates outright purchasing could cost between $95-153 million statewide, though outside expert estimates have found this could be lower.
However, there is far more to the security of Pennsylvania’s elections than its voting machines. In September 2017, federal authorities formally notified 21 states, including Pennsylvania, that Russian hackers tried unsuccessfully to penetrate their voter registration systems. While it does not appear that voting rolls were affected, the concern remains that these actions were essentially a trial run for more aggressive efforts in future elections.
Like nearly all states’ voter registration systems, our own is at risk. Hackers could target our voter rolls to alter them; or to create chaos and confusion among poll workers and voters, leading to a loss of faith in the election results.
Pennsylvania must also continue to plan and prepare for its resiliency and recovery in the face of an incident targeting our elections, including through direct cyber attacks and through disinformation. This requires efforts and coordination from the precinct level on up through the federal level.
The persistence and sophistication of hackers and cyber adversaries is growing at an ever faster rate. Time is not on Pennsylvania’s side. But with the continued efforts of our hardworking state and local officials, we are confident the Keystone State can indeed lead the country as an example of effective election security—once again leading this American experiment in democracy.
David Hickton is the founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security and the former U.S. attorney for the Western District of Pennsylvania. Paul McNulty is the president of Grove City College and the former deputy attorney general of the United States. They are co-chairs of the Blue Ribbon Commission on Pennsylvania’s Election Security. The commission will accept public comment at www.cyber.pitt.edu/commission beginning May 3.