As millions of Americans prepare to vote this election season, the security and integrity of our elections is a topic at the forefront of many people’s minds.
Will there be voter fraud or voter suppression? Could hackers try to tamper with voter rolls or even votes? How will the COVID-19 pandemic affect my ability to vote?
As people ponder these questions, thousands of election managers across the United States are already grappling with these issues and many more. For these election officials, their roles have grown increasingly challenging over the years as election systems have become more complex and technology has become more widely used in elections and their management.
It’s for that reason that a new interdisciplinary collaboration is combining two of Auburn University’s greatest strengths in the interest of securing our elections.
The McCrary Institute for Cyber and Critical Infrastructure Security is teaming up with Auburn University’s Election Administration Initiative, housed in the Department of Political Science, to integrate its cyber expertise into established certification and academic programs offered by Auburn University.
“Having both the McCrary Institute and the Election Administration Initiative under one roof at Auburn University is absolutely exceptional. No other university has this combined level of expertise,” said Kathleen Hale, professor of political science and the initiative’s director.
Auburn has been a national leader in election administration for decades. The university has the nation’s largest group of faculty in the field of political science and public administration that focus on election administration.
The university offers the only national certification program for election officials through its 25-year partnership with the Election Center – known more commonly as the National Association of Election Officials. In addition to the certification program, Auburn is also one of two universities that offer a graduate certificate in election administration, either as a stand-alone program like Auburn’s or in conjunction with a Master of Public Administration program.
Given its focus and national prestige, partnering with the Election Administration Initiative was a natural fit for the McCrary Institute and its affiliated Center for Cyber and Homeland Security.
“They’re doing amazing work already, and we at the McCrary Institute saw lots of opportunities to plug our work into theirs,” McCrary Institute Director Frank Cilluffo said. “We have had a number of conversations with government entities that are involved with this, including federal, state and local officials, who expressed real interest and excitement about our teams collaborating on these activities.”
The Election Administration Initiative’s work is largely focused on professionalizing the field of election administration and building capacity across state and local election offices. Its training covers everything from maintaining election systems to continuity of operations planning. With the McCrary Institute’s help, the initiative hopes to layer in additional training on IT systems in election administration, election vulnerabilities, and detecting and responding to cyber breaches.
These issues present challenges to election offices of all sizes and across all jurisdictions.
“Despite the differences in laws and institutions across the states and even within states, the problems are all exactly the same,” said Mitchell Brown, professor of political science. “What this certification and this community of election officials offers is cross-fertilization of best practices and adapting other people’s best practices to different contexts.”
As the collaboration between the Election Administration Initiative and the McCrary Institute continues to unfold, aspirations include the development of a free-standing graduate certificate that focuses on cybersecurity in elections from a policy and governance perspective.
Some of that curriculum could potentially dovetail into the certification training offered through the Election Center.
“The exciting part of this partnership with the McCrary Institute and developing the synergy that comes from these two expert areas working together is that we will build new capacity for preparedness, build new capacity for continuity of operations as well as for administrative practices and for thinking about how people can vote safely and securely,” Hale said.
By adding additional curricula and training to address these evolving threats to our election systems, the Election Administration Initiative and the McCrary Institute are aiming to ensure the kind of elections that Americans expect – ones that are secure, transparent and where every vote is counted.
“We’re talking about arming and educating our administrators with knowledge to better maintain the trust and efficacy of our election systems,” Cilluffo said. “At the end of the day, our election systems are all about trust.”
Lessons in Election Security learned from Estonia
The Baltic nation of Estonia turned heads in 2005 when it became the first country in the world to implement internet voting in national elections.
Some of the heads turned were those of information security professionals and researchers such as Drew Springall, assistant professor of computer science and software engineering.
Researchers have scrutinized various online voting systems over the years looking for flaws that could be exploited. As a graduate student at the University of Michigan, Springall was part of a team that went a step further and analyzed the system from the perspective of its realistic threats: nation-state actors.
Using open-source components and reverse engineering techniques, the team was able to replicate the Estonian internet voting system in their research lab.
“What we found was that there were a lot of really good things about that system,” said Springall, who joined the Auburn faculty in January following nearly two years working on Google’s Production Security team. “They did a lot of things right, but the system just didn’t stand up to the realistic threats it faced. If you have a top-tier, nation-state intelligence organization coming after it, there’s a lot of ways that it could be compromised without anyone ever knowing.”
Springall and his colleagues found deficiencies not only in the technical aspects but also in its implementation and procedures. In the spirit of transparency, Estonian election officials recorded the process from start-to-finish and published it on YouTube. These videos included setup, maintenance and auditing as well as unintended elements such as administrator passwords.
In another instance, an error exporting the vote tally was remediated on-the-fly by transferring the official results using a personal USB drive fetched from an official’s own pocket. Although easily addressable, these instances, along with others, showed that instead of treating the system as a matter of national security, it was often treated as a standard IT operation.
So what lessons can be applied from the Estonian model to help secure elections in the U.S.?
“Don’t try to vote over the internet,” Springall quipped.
“But in all seriousness, the best we can do at this point is paper ballots with risk-limiting audits. There are a lot of fundamental security problems we have to solve before internet voting is feasible.”
