The N.C. Board of Elections introduced a new voter confidence campaign Thursday to showcase the steps it is taking to secure the state’s elections.
A press conference featured Elections Board Executive Director Karen Brinson Bell, backed by representatives from six other county, state and federal organizations that work together to run the state’s elections.
The campaign will encourage eligible voters to register and to go vote. This same point has been made by several election security experts and by national political figures like Sen. Ron Wyden, D-Ore., in the last year: If you do not vote, the groups trying to interfere in election integrity will win.
Brinson Bell also demonstrated what North Carolina is doing to secure the vote, given that the state has been at the center of several election controversies in the last three years.
“Over the past few years, there have been both foreign and domestic efforts to erode voter confidence and undermine our elections,” she said.
Those efforts include the election interference by Russia in 2016, the criminal election fraud like that in the 9th Congressional District, and the run-of-the-mill yet persistent misinformation on elections that spread around social media, according to the state Board of Elections public information officer, Pat Gannon.
In response to foreign interference, the U.S. Department of Homeland Security has designated elections as part of the nation’s “critical infrastructure” since 2017.
“This designation means elections are as vital to our nation as food, energy and emergency services,” Brinson Bell said.
“Additionally, this designation provided the opportunity to expand our resources and develop partnerships with state and federal agencies experienced in securing and defending our country.”
Balancing elections security and transparency
The Elections Board’s campaign and the press conference announcing it Thursday are intended to increase trust in the legitimacy of elections.
Trust is the magic word for Gregory Miller, the co-founder and chief operating officer of the Open Source Election Technology Institute, a nonpartisan, nonprofit organization that is a national leader in increasing the integrity and security of election technology.
“Do you trust the system?” Miller said.
“Trust is the combination of transparency and communication. … As long as the Board of Elections for any jurisdiction are being transparent as possible, being as communicative as possible with regard to what they do and how they do it, the degree to which they do both of those things will translate into the degree of trust we should have.”
Transparency and security do not always go hand in hand. Maria Thompson, the state’s chief risk officer in the Department of Information Technology, discussed the Department of Homeland Security’s role in scanning the internet-facing parts of the election systems such as the voter registration pages and the election-night reporting site. Homeland Security also does “penetration testing” on the security of those same systems.
The results of those scans and the testing are confidential, so the public cannot know how the state is performing on those security measures. Some of the information is sensitive because if some weaknesses were found, they could not be reported until they were fixed, at the risk of announcing an attack vector to the world, Thompson said.
“They certainly can publish summaries,” Miller said.
“They certainly can give recaps. Maybe they can’t show you the sources and methods of their testing, that might make sense to me, but surely they can give you the results of the test. Here’s what we found, here’s what we’re correcting, here’s what’s working right.”
Thompson said that discussions of disclosure are happening at a high level at the moment, though policies about what can be released and how have not been solidified.
“We do have to be very mindful of it, and it is a fine line that we have to walk to ensure that we do have transparency to citizens as well as to make sure that we’re protecting them at the same time,” Thompson said.
“At the end of the day, we’re really protecting them, it’s not necessarily protecting the organization because their data is at risk.”
Risk of underestimating foreign threats?
Brinson Bell stressed that North Carolina is taking a number of precautions to ensure that elections are secure.
The state uses federal standards for testing voting equipment, it tests the equipment for certification in the state, then each county tests tests the equipment when it is delivered from the manufacturer, tests the equipment ahead of the election, and performs audits that check for ballot stuffing, equipment tampering and tabulation error.
But Susan Greenhalgh, the vice president of policy and programs at the National Election Defense Coalition, which seeks to build bipartisan interest to secure election technology, told Carolina Public Press that she thinks the efforts made by the Board of Elections are important, yet outdated, especially when facing “foreign nation-state hackers from Russia, Iran, China and others,” Greenhalgh wrote in an emailed statement.
“They are bringing a knife to a gunfight.”
“Prior to 2016, these best practices may have been considered sufficient, but in today’s threat environment, our adversaries are well-equipped to defeat all of these defenses,” Greenhalgh wrote.
Part of the problem, Greenhalgh argues, is that state officials like those in North Carolina are not being educated about the level of risk facing elections today, which is a responsibility of the federal Elections Assistance Commission.
“I put that at the feet of the EAC and the Department of Homeland Security,” Greenhalgh said.
In response to Greenhalgh’s criticism, Gannon also emailed a written statement to CPP.
“We are fortunate to have some of North Carolina’s top cybersecurity professionals and their staffs working with the state and county boards to secure our elections, as you saw at today’s press conference,” he said.
“We take security threats very seriously. We are working to improve and expand upon our logic and accuracy procedures and postelection audits. Improvement is an ongoing process.”
Audits and elections security
At the press conference, Brinson Bell also described the legislatively required hand-eye audit of ballots that must take place in at least two precincts per county after any election.
The N.C. Board of Elections’ own staff, though, sees that audit as insufficient. It does not follow best practices for a random-sample audit and, for very close elections, may not sample enough ballots.
NC elections board Chairman Damon Circosta announced at the Aug. 23 board meeting that he was directing board staff to pursue the possibility of more robust audits.
That process, according to state staff, is ongoing, with a general consensus to improve audit procedures but no definitive direction yet about how that will be done for the 2020 elections.
Changes in elections equipment coming
The state Board of Elections is pursuing a number of changes to the election security landscape in addition to more robust audits.
First, the state is getting rid of some of its old voting machines that did not produce a paper ballot.
Instead, iVotronics, bought in 2006 from voting machine vendor Elections Systems and Software, printed out every selection a voter made on a receipt that stayed behind a glass window.
The consensus among election security experts is that these machines are vulnerable to tampering and they have been removed from use around the country – though tens of thousands of voters still use them in other states.
About a quarter of North Carolina’s counties will be getting new voting equipment to replace iVotronics. Every new system in North Carolina will produce a paper ballot, though some counties will use voting machines that mark the ballot instead of a voter doing it by hand.
There is some debate among election experts over the security of voting machines for all voters. Carolina Public Press previously reported on those concerns when the NC Board of Elections decided to approve those systems for use.
Voter registration changes coming
Voter registration systems are often overlooked in the conversation about election security, though they are also widely seen by election security experts as the most vulnerable part of the election infrastructure.
If voter registration information is tampered with, blocked or called into doubt, it could introduce confusion at a polling place over who is allowed to vote, which in turn quickly creates long lines.
Durham County saw that type of chaos when the poll books provided by the vendor VR Systems went down on Election Day in 2016, causing hours-long delays preventing voters from casting ballots. The reason for the pollbook failure is still under federal investigation.
After that incident, North Carolina stopped contracting out “electronic poll book” solutions, instead creating its own poll book system and deploying it across the state.
Now, another change is in the works.
Brian Neesby, the chief information officer at the N.C. Board of Elections, described two projects to Carolina Public Press: the migration and modernization of the voter registration system.
The N.C. Board of Elections plans to move, or “migrate,” every county’s voter registration and other election data from county servers to the cloud.
“Migration will enhance our ability to maintain standardization and configuration management across all counties,” Neesby said.
This move is hailed by Miller, though with a caveat.
“That’s a great first step,” Miller said.
“You are going to get a lot of benefit from doing that: elastic, on-demand services. No more aged-out PCs on desktops with cables snaking across the floor into overheated server closets.”
However, Miller said, the state needs to be sure that the vendor hosting the cloud provides the right administrative services and is approved by the Federal Risk and Authorization Management Program, or fedRAMP.
Neesby confirmed that the state will use a cloud service that is fedRAMP-compliant, though he was unable to comment on the exact timeline for the procurement process or to confirm details of administrative services that will be provided by the vendor while the procurement process is ongoing.
The Board of Election plans for the migration of the data to be complete by the November 2020 elections.
Next, the N.C. Board of Elections is modernizing the voter registration system. The modernization will come after the 2020 elections and will help make voter registrations more efficient and will streamline the process of adjusting to redistricting changes.
Upgrades and security will not matter, though, if people do not go to the polls.
“I think everyone has to get out and vote,” Miller said.
“Voter turnout is going to be essential for this election, of all elections that we’ve had at least in my lifetime. Listen, no election is ever going to be perfectly secure. I think if we get wrapped around the axle of whether or not it’s secure or not, we’re going to be going crazy.”
You can strengthen independent, in-depth and investigative news for all of North Carolina
Carolina Public Press is transforming from a regionally focused nonprofit news organization to the go-to independent, in-depth and investigative news arm for North Carolina. You are critical to this transformation — and the future of investigative and public interest reporting for all North Carolinians.
Unlike many others, we aren’t owned by umbrella organizations or corporations. And we haven’t put up a paywall — we believe that fact-based, context-rich watchdog journalism is a vital public service. But we need your help. Carolina Public Press’ in-depth, investigative and public interest journalism takes a lot of money, persistence and hard work to produce. We are here because we believe in and are dedicated to the future of North Carolina.
So, if you value independent, in-depth and investigative reporting in the public interest for North Carolina, please take a moment to make a tax-deductible contribution. It only takes a minute and makes a huge difference. Thank you!