Election Security in Pennsylvania
As Americans, we all share the magnitude of the importance of defending the integrity and security of our elections, to ensure both our right to vote and our confidence that our vote will be counted accurately.
Reports of attempted foreign interference in our electoral process have only reinforced our dedication to protecting election integrity. Since 2016, the Pennsylvania Department of State has greatly intensified its election security efforts with increased monitoring, fortified voting system defenses, and added layers of protection to the commonwealth’s voter registration database.
We have also built the relationships and technical infrastructure necessary to sustain this high level of vigilance.
Innovation & National Outreach
As an innovator in election security and co-chair of the Elections Committee of the National Association of Secretaries of State (NASS), PA Secretary of State Kathy Boockvar was recently invited to testify before the U.S. House Judiciary Committee.
“Election security is a race without a finish line, and our adversaries are continuously advancing their technologies. We must do the same and more,” Secretary Boockvar told the committee. “Our success is dependent on substantial and sustained dedication of resources.”
New, More Secure Voting Systems in PA
In April 2018, the Department of State directed all PA counties to select
new voting systems with voter-verified paper records by Dec. 31, 2019, and implement them no later than the 2020 primary election. These systems will ensure that Pennsylvanians are voting on the most secure, accessible and auditable equipment available.
In 2018 and 2019, the department certified seven new voting systems that provide a paper record, meet the latest standards of security and accessibility, and can be thoroughly audited. In addition, in Pennsylvania every voting system and paper ballot must include plain text that voters can read to verify their choices before casting their ballot, and every system has successfully completed penetration testing, access control testing, and testing to ensure that every access point, software and firmware are protected from tampering.
To date, about 80 percent of Pennsylvania's 67 counties, including the three most populous —Philadelphia, Allegheny and Montgomery — have taken official action toward selecting a new voting system that meets these standards. The remainder of the counties are in the process of finalizing their selections. In 2019, 45 counties across the Commonwealth used their new voting systems, largely with remarkably smooth transitions and positive feedback, with infrequent issues in a handful of counties. This is a testament to the many local election directors, volunteer poll workers, and dedicated staff at Department of State and our state partners such as the Pennsylvania National Guard, who work extraordinarily hard to ensure that our elections are run effectively and securely.
To assist counties further, Act 77, signed into law by Governor Wolf on October 31, allocates $90 million in bond funding to reimburse counties for up to 60 percent of their allowable costs for replacing old voting machines with new systems that meet current security and accessibility standards by the 2020 primary. These funds are in addition to $14.15 million in federal funding and a state match that Gov. Wolf set aside in 2018 for distribution to counties for new voting systems meeting these standards and timelines. Any remaining bond proceeds may be used for the Department to fund grants to purchase county election security equipment.
Election Security at the State Level
Election Security at the Local Level
More Robust Post-Election Audits
Pennsylvania's new voting system initiative enabled the Department of State and Mercer and Philadelphia counties to pilot a cutting-edge security measure –
the risk-limiting audit. This "smart" audit is scientifically designed to check the accuracy of election outcomes and is new to Pennsylvania and much of the country.
A Washington Post editorial lauded the commonwealth for adopting this "no-brainer" advance in election security. "Pennsylvania is only able to start testing risk-limiting audits now because it is transitioning to paper from all-electronic systems. This represents another encouraging trend," the editorial noted.
County election officials, Department of State staff and election experts from the U.S. Election Assistance Commission, the University of Michigan, the Brennan Center for Justice at NYU School of Law, the Democracy Fund, VotingWorks, and Verified Voting participated in developing and implementing the pilot audit process using the new paper-based voting systems in Mercer County and Philadelphia.
Both pilots demonstrated how a risk-limiting audit
can be used to
provide a high-level of confidence and statistical verification that the outcome of the election is accurate. By 2022, all counties will be conducting post-election audits that exceed the current requirements set in the state's Election Code.
Learn more about how enhanced post-election audits advance election security and assure Pennsylvanians that their votes count.
Safe and Secure Voter Registration and Voting Systems
Some of the many ongoing steps being taken to ensure that Pennsylvania’s voter registration and voting systems remain safe and secure:
utilizes multiple layers of protection, including
- 24/7 continuous network monitoring,
- password protection,
- multi-factor authentication, and
- continuity of operations (COOP) planning, among other controls to protect our systems.
All certified voting systems in Pennsylvania, including the election management system and vote-tallying components, are never connected to or permitted on internet-facing networks, which significantly decreases opportunities to be hacked.
A layered set of protections is in place to secure voter registration databases.
Appropriate use of encryption technology and other tools raises the bar on protecting systems.
Continuous monitoring of the commonwealth's technical environment means alerts are reviewed and acted upon quickly.
Independent vulnerability assessments are frequently performed to verify established protections.
There is no evidence that Pennsylvania’s voter rolls or vote results have ever been hacked or compromised.
Pennsylvania has partnered with the U.S. Department of Homeland Security to conduct multiple in-depth vulnerability assessments of the commonwealth's cybersecurity posture.
Counties strictly secure their voting systems. Every county election board inspects and tests each piece of voting and tabulating equipment before an election and places locks with tamper-evident seals on all voting machine access points.
Precinct election results are not submitted through a network. They are physically delivered by precinct officials to county election officials, and duplicate copies of the printed results are retained. Official election results are then certified under the seal of the county and are physically delivered to the state.
The Department of State directed all PA counties to select new voting systems with voter-verified paper ballots by the end of 2019 to ensure that Pennsylvania voters are voting on the most secure, accessible, and auditable equipment available.
The Department of State has issued guidance to counties on the following topics for election preparedness and security:
- Pre-election testing
- Password and permissions management
- Restricting access
- File transfers
- Vote canvassing
Collaboration and Communications
The Department of State works closely with all 67 county boards of elections, as well as experts from:
the state and federal Departments of Homeland Security,
Center for Internet Security (CIS),
the National Guard,
the Office of Administration (OA),
the PA Emergency Management Agency (PEMA),
state and county IT staff,
...and other key partners to maintain and enhance the security of our election process.
Engaging in Strategic Data Sharing
Pennsylvania works with CIS's Multi-State Information Sharing and Analysis Center (MS-ISAC) to gather and share intelligence about cyber threats (such as website defacement) that target government or government-affiliated systems.
We also participate in CIS's Elections Infrastructure Information Sharing and Analysis Center (EI- ISAC), an elections-focused cyber defense suite providing additional free support and resources including forensic analyses and emergency response teams.
Pennsylvania, like many states, continues to see increasing MS-ISAC and EI-ISAC membership among its counties.
Select PA Department of State staff have national security clearances to extend our access to classified information and bolster our election security.
In August 2019, Secretary Boockvar was appointed to serve as the Elections Committee Co-Chair for the National Association of Secretaries of State (NASS). She also serves as a NASS representative on the Election Infrastructure Subsector Government Coordinating Council (EIS-GCC). The EIS-GCC is a first-of-its-kind collaboration among federal, state and local officials to secure elections by formalizing and improving intelligence-sharing and communication protocols to ensure that all election officials can respond to threats as they emerge.
Developing and Maintaining Crucial County Partnerships
In 2017, the Department of State formed an election security workgroup of County Commissioners Association of Pennsylvania (CCAP) representatives, county election directors, Department of State staff and county and state IT directors to discuss security issues, share training resources and conduct security self-assessments on each participating county's security posture.
In 2018, the Wolf Administration formed an Executive Interagency Workgroup to further fortify our election security by bringing together experts from the Department of State, Homeland Security, Emergency Management Agency, Information Technology, State Police, National Guard, Office of State Inspector General and the Department of Military and Veterans Affairs. This team of key agencies collaborates on increasing security resources, training, support, communication and preparation.
The PA National Guard’s Cyber Defense Team was recently chosen to be the first National Guard team to participate in a new U.S. Department of Homeland Security (USDHS) program to train third parties to conduct Risk and Vulnerability Assessments (RVA) to USDHS standards.
Providing Ongoing Training Opportunities
Pennsylvania has committed to an election security protocol that includes continuously monitoring the commonwealth’s technical environment; sharing intelligence and best practices with county, state and federal partners; routinely training state and county election and IT personnel on security measures; regularly assessing system vulnerabilities; and being prepared to immediately respond to any threats that arise.
In April 2018, The Department of State co-hosted a free election security webinar for state and county election and IT personnel, in conjunction with the USDHS, the state Office of Homeland Security, the FBI, CIS and other experts.
Department staff have participated in nationally recognized election cybersecurity trainings, including a table-top training exercise by Harvard Kennedy School’s Belfer Center. We have collaborated with our partners to provide similar trainings, mock election exercises, and other resources to PA counties.
In August, September, and December 2018, and June 2019, the Department co-hosted table-top exercises in conjunction with PEMA, OA, National Guard, state and federal offices of Homeland Security, the Governor’s Office, and personnel from numerous counties, to train election, information technology, and security personnel in incident response and preparation, simulating scenarios that could impact voting operations.
The Department of State has provided guidance, training and resources to counties on strong cybersecurity practices for voting system and network preparation, including pre-election testing, password and permissions management, restricting access, file transfers and vote canvassing. We are also providing anti-phishing and security training and tools to all 67 counties at no cost to them.
The state partners with County Commissioners Association of Pennsylvania (CCAP) to offer comprehensive phishing and social engineering email exercises, to provide testing and security awareness training to all county employees,
at no cost to counties. Additionally, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) offers a range of cybersecurity services that evaluate and advise on operational resilience and cybersecurity practices, also with no cost to state and local election jurisdictions.
Election security video prepared by the Election Assistance Commission (EAC)
The EAC produced this video that summarizes the measures employed by state and local election officials across the nation to safeguard elections, voter registration data, voting systems and more.
EAC Election Security Video