A paper record for every voter: It’s time for Congress to act

Along with mandatory machine testing, it’s the only way to secure our nation’s democracy.

An editorial by Tom Burt, President and Chief Executive Officer of Election Systems & Software.

Published June 6, 2019, Roll Call

A paper record for every voter: It’s time for Congress to act

OPINION — Over the last few years, policymakers, election security experts and voting equipment vendors have examined how we can continually ensure our elections and voting machines remain safe and secure.

Recently, we’ve seen many lawmakers — from bipartisan members of the Senate Intelligence Committee to presidential candidates — call for reforms to secure the integrity of our elections. When it comes to the machines that count votes and the people who make those machines, there are a few things that must happen to ensure faith in our system of democracy continues.

First, Congress must pass legislation establishing a more robust testing program — one that mandates that all voting machine suppliers submit their systems to stronger, programmatic security testing conducted by vetted and approved researchers. Voting machines may not be connected to the internet, but there are non-internet types of security testing necessary to protect elections.

Second, we must have physical paper records of votes. Our company, Election Systems & Software, the nation’s leading elections equipment provider, recently decided it will no longer sell paperless voting machines as the primary voting device in a jurisdiction. That’s because it is difficult to perform a meaningful audit without a paper record of each voter’s selections. Mandating the use of a physical paper record sets the stage for all jurisdictions to perform statistically valid post-election audits.

Third, let’s build on the elements of our nation’s voting infrastructure that are working well.

There are about 10,000 jurisdictions in America that manage nearly 117,000 polling locations and utilize more than 560,000 voting machines (manufactured by multiple suppliers) on Election Day. That’s what you call a highly distributed and differentiated infrastructure, which is great for security because it’s virtually impossible for a bad actor, or even a troupe of bad actors, to attack on a large scale due to the complex differences across the nation.

Voting machines are, in fact, tested. Manufacturers submit their systems to the Election Assistance Commission, or EAC, which conducts lengthy testing and grants certification to those machines.

But we need to enhance federal- and state-level tests, which focus on functional and environmental testing, with further mandatory security testing. Machine penetration tests, for example, simulate attacks on election equipment by people who gain physical access to the voting machines or their components. Although elections suppliers and jurisdictions alike go to great lengths to physically secure election equipment, human beings still interact with these machines before, during and after Election Day. That means the machines must be secure enough to resist attacks at any point in the process.

Most voting system providers already voluntarily perform their own security testing or hire independent firms to do it — ES&S just submitted its equipment to the Idaho National Lab, in cooperation with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), for extensive penetration testing. But there is a clear need for the establishment of standards for machine penetration testing. That’s what is missing and what needs to change.

If Congress can pass legislation that requires a paper record for every voter and establishes a mandated security testing program for the people making voting machines, the general public’s faith in the process of casting a ballot can be restored. And that’s not just a good thing, it’s essential to the future of America.

Tom Burt is the President and Chief Executive Officer of Election Systems & Software.