For the Press

First of all, thank you for covering the risks and safeguards related to secure, accurate election results. Our voting rights don't stop when we cast our ballots. Voting rights include having our votes counted accurately, and we are glad you're on the story!

The election-security story is actually TWO different stories, about two completely separate systems.

Two entirely separate computer systems run Wisconsin elections. The risks, safeguards, and issues are very different for each system. Be specific when talking to election officials, because answers about one system will not apply to the other.

One system, WisVote, is owned and operated by the State of Wisconsin, specifically by the Wisconsin Elections Commission with support from the Division of Enterprise Technology. This system manages voter registration and other elections-administration functions, but not vote tabulation.

The vote-tabulation system consists of the voting machines and the computers used to update and maintain their software. This system is owned and operated by private companies and our local governments. Neither WEC nor DET has direct responsibility for the design, creation, updating, maintenance, operation or security of the vote-tabulation system. Therefore, state election officials will not be able to speak about voting-machine security in anywhere near the depth and authority with which they can speak about the WisVote system.

The two systems compared (July 2018)

Name of system
  • Voter-registration system: WisVote
  • Vote-tabulation system: One system, the DS200, counts 60-70% of Wisconsin’s votes; 'ICE' is the second most popular.

What does it do?
  • Voter-registration system: Records voter registrations; keeps them up to date; prints the poll books you get your name checked off on when you vote, among other election-administration tasks.
  • Vote-tabulation system: Reads our ballots, counts our votes, determines who wins our elections.

Most knowledgeable source for reporters
  • Voter-registration system: WEC is your primary source for this information. They know this system inside-out.
  • Vote-tabulation system: Vendors (ES&S, Dominion, Command Central, and Clear Ballot) are the only primary source regarding tabulation-system security. Local election officials know only their own security practices, which don't address the most critical risks.

Developer
  • Voter-registration system: State of Wisconsin; a collaboration between WEC and Division of Enterprise Technology.
  • Vote-tabulation system: Any of several private companies; not always the current vendor.

Owner
  • Voter-registration system: State of Wisconsin.
  • Vote-tabulation system: Software is owned by vendors; hardware is mostly owned by local governments.

System updates managed by
  • Voter-registration system: State of Wisconsin.
  • Vote-tabulation system: Four vendors. (In a few counties, county officials handle prep for each election's new ballot.)

Security managed by
  • Voter-registration system: State of Wisconsin.
  • Vote-tabulation system: Software security: vendors, primarily, but local officials right before each election and on Election Day. Hardware security: municipal clerks for voting machines; county officials for central computer.

General security program
  • Voter-registration system: Has all five standard components actively in place: 1) Risk identification; 2) Safeguards; 3) Monitoring to detect events; 4) Response plan; 5) Recovery plan.
  • Vote-tabulation system: We have only vendors’ assurances about their practices for risk identification or safeguards. Local officials rely on only minimal, informal detection practices, and have no clear plans for response or recovery.

Who would know if it was hacked?
  • Voter-registration system: The State of Wisconsin, specifically the DET and WEC, continuously monitor all cyber activity, with the assistance of the federal DHS. Voters will notice if their registration disappears, but they can re-register at the polls.
  • Vote-tabulation system: We don’t know whether the voting machine companies would know if the software was hacked. Local officials cannot assess the software; hacks wouldn’t show up in the pre-election test; and they don’t use our paper ballots in routine pre-certification audits. Voters have no way to tell if their votes were miscounted.

Has it ever been hacked, in Wisconsin?
  • Voter-registration system: State officials know that hackers are continuously trying, and that none have succeeded. US DHS has determined that some attempts came from Russia.
  • Vote-tabulation system: No one knows, because no one examines the software (a copy is in every machine), and no one routinely checks the machines’ Election-Day accuracy against the paper ballots. There have been electronic miscounts, but none that appear, on their face, to be deliberate.

What election officials can tell you about security...and what they cannot

Professional-level IT skills are not a prerequisite for the job of either municipal or county clerk. Do not expect election officials to be able to speak with much depth and understanding about IT-related matters. Even at the top, the staff of the Wisconsin Elections Commission has not until recently included anyone with professional-level education or experience in IT. Your coverage of election-security issues will nearly always be better if you seek out comment from actual IT professionals.

Here are some things you will hear from Wisconsin's election officials, and what your follow-up questions should include:

  • "The voting systems are federally certified."
    Election clerks will mention this, but will not be able to answer any follow-up questions about the federal certification criteria relating to security (as opposed to accessibility, reliability, etc.); controversies regarding the current value of outdated federal certification standards; and how exactly years-old federal certification of the design of each system protects the actual machines and software used in the next election. (It doesn't.)
  • "The voting systems are certified by the state elections agency."
    As with federal certification, local election officials are typically unaware that state certification is based on whether the systems meet standards in Wisconsin law, which focus on features other than security. Contact WEC staff for more information. If you are interested in a particular system (such as AVC Edge or M-100), ask about the security criteria used at the time the system was certified.
  • "Voting machines are never connected to the Internet."
    Don't count on local election officials to mention that their voting machines are programmed with software that originates in the vendors' computers, of whose security the local officials have no knowledge. Neither state nor local officials can speak authoritatively about the security of the software at any time before it comes into their possession before each election.
    Also be aware that the polling-place voting machines communicate (either wirelessly or by use of portable digital media) with a central county elections-management computer. Wisconsin officials do not inspect these county computers for remote access software, and therefore cannot know for sure whether they are connected to the Internet. 
  • "Every machine is publicly tested before each election."
    Municipal clerks reliably perform the voting-machine tests required by s. 5.84, Wis. Stats., within 10 days before every election. Most genuinely believe these tests would detect hacked software. In reality, the tests fall far short of any standards for computer "logic and acceptance testing" (LAT) used outside elections and are useless in deterring or detecting hacks.
    Two of the many limitations are: 1) No effort is made to fool the voting machines into thinking they are counting votes on Election Day, and some machines are even deliberately tested in a test mode. Because malicious code would be designed to operate only on Election Day and in Election-Day mode, a test done on any other day could not detect a hack. 2) Municipal clerks also typically cast only one vote for each candidate in the pre-election test, so that if the machine was programmed to 'flip' votes--that is, count one candidate's votes for another and vice-versa (a predictable programming error, if not a hack)--the pre-election test could not detect it.
  • "We verify that the machines counted correctly on Election Night, and double-check during the canvass."
    If you hear this from an elections official, ask a follow-up question to clarify whether they are talking about ballots or votes. All Wisconsin jurisdictions routinely check and double-check that ballots were counted correctly; none routinely check that votes were counted correctly during their canvass.
    Verifying that machines counted ballots correctly (but not votes) is equivalent to a bank verifying that an ATM counted the correct number of transactions, without verifying that the dollars were debited/credited to the correct accounts. For voting machines, ask the elections officials whether they check that the votes were credited to the correct candidates.
    County canvasses also typically double-check their addition of the vote totals from the precincts' results tapes, but they do not check the accuracy of the vote totals printed on any of the voting machines' output tapes.
  • "The state orders voting-machine audits."
    These voting-machine audits, as they were performed before this year, serve no election-security function. Among other limitations, they occurred only after November elections in even-numbered years, included only about 100 of the state's 3,500 voting machines, and were completed only after the election results were certified final--too late to correct any miscounts detected and therefore too late to deter hacking. And those were only a few of their limitations as a security measure.
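
The one-vote-per-candidate test deck and the ballots-versus-votes distinction described in the list above can be shown with a small simulation. This is an added example, not code from WEI or from any voting-system vendor; the candidate names, the swapped ballot definition and all counts are constructed for illustration.

```python
from collections import Counter

CANDIDATES = ["Adams", "Baker", "Clark"]  # constructed names

# A ballot definition maps each marked position to the candidate credited.
CORRECT = {c: c for c in CANDIDATES}
# Constructed programming error: Adams and Baker are swapped ("flipped").
FLIPPED = {"Adams": "Baker", "Baker": "Adams", "Clark": "Clark"}

# Two pre-election test decks, given as known true totals per candidate.
UNIFORM_DECK = {c: 1 for c in CANDIDATES}             # one vote each
DISTINCT_DECK = {"Adams": 1, "Baker": 2, "Clark": 3}  # a different count each

def tabulate(ballots, mapping):
    """Credit every ballot to whichever candidate the definition maps it to."""
    return Counter(mapping[mark] for mark in ballots)

def make_ballots(totals):
    """Expand per-candidate totals into a list of individually marked ballots."""
    return [cand for cand, n in totals.items() for _ in range(n)]

def run_pre_election_test(deck_totals, mapping):
    """Feed a deck with known totals and compare the machine's report to it."""
    deck = make_ballots(deck_totals)
    reported = tabulate(deck, mapping)
    return {
        # "Ballots" check: did the machine count the right number of ballots?
        "ballot_count_ok": sum(reported.values()) == len(deck),
        # "Votes" check: did each candidate receive the expected total?
        "vote_totals_ok": dict(reported) == deck_totals,
    }

def audit_against_paper(ballots, mapping):
    """Hand-count the paper and return machine-minus-paper differences."""
    paper = Counter(ballots)
    machine = tabulate(ballots, mapping)
    return {c: machine[c] - paper[c] for c in CANDIDATES if machine[c] != paper[c]}

if __name__ == "__main__":
    print("uniform deck :", run_pre_election_test(UNIFORM_DECK, FLIPPED))
    print("distinct deck:", run_pre_election_test(DISTINCT_DECK, FLIPPED))
    election_day = make_ballots({"Adams": 40, "Baker": 25, "Clark": 10})
    print("paper audit  :", audit_against_paper(election_day, FLIPPED))
```

A deck with a different count for each candidate exposes the swap, and a hand count of the paper ballots exposes it after the election; neither addresses the first limitation, software that behaves differently outside Election-Day mode.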

The key security question to ask local election officials:

"As you sign the certification statement, how do you know the voting machines credited all the votes to the correct candidates' totals?"

Probe for more information for any answers that would make you uncomfortable if you heard them from a banker explaining how he or she knows the ATMs credited deposits to the correct accounts.


For more information, contact us at WiscElectionIntegrity@gmail.com or call WEI Coordinator Karen McKim at 608-212-5079.
