In separate interviews this month, three election-security experts told Crosscut that Washington state is widely regarded as a national leader when it comes to election security. A fourth expert said the state appears to be taking the right steps to ensure the integrity of its voting systems.
Additionally, in response to a set of questions from Crosscut, county officials around the state reported implementing many election-security measures that are considered best practices.
“It definitely seems like Washington is ahead of the curve and continuing the commitment to improving cybersecurity,” said Maurice Turner, the deputy director of the Election Security and Privacy Project at the Center for Democracy and Technology, a Washington, D.C.-based think tank.
The importance of paper ballots
Unlike some states, Washington state — which runs its elections entirely by mail — already uses paper ballots that can be reviewed and audited after an election.
Requiring the use of paper ballots was a key reform sought in an election-security bill that passed the U.S. House this past summer, as well as in a bipartisan proposal introduced last year in the U.S. Senate. However, a deal recently struck in the Senate to boost election funding by $250 million wouldn't implement those reforms.
Using paper ballots avoids some of the issues that can arise with using voting machines that merely record voters’ choices into a computer system, said Barry Burden, a political science professor and director of the Elections Research Center at the University of Wisconsin-Madison.
As of August, 11 states were still using electronic machines that leave no voter-verifiable paper record, according to the Brennan Center for Justice, a nonpartisan law and policy institute in New York.
When jurisdictions use paper ballots, by contrast, “They are more difficult to hack, and easier to verify after the fact,” Burden said.
Because Washington was one of the first states to move to a vote-by-mail system, local elections officials are experienced at working with paper ballots, as well as storing them securely so they can be audited, recounted and double-checked after an election, said David Becker, executive director and founder of the Center for Election Innovation & Research.
Of the 26 Washington counties that responded to questions from Crosscut about election security, all confirmed they do not employ any voting machines that fail to produce a readable paper ballot. Throughout Washington, in cases where people with disabilities use a computer or machine to vote, those machines still produce a regular ballot that is processed and counted just like any other, officials said.
Those types of precautions leave Washington “in good shape” as far as election security goes, Becker said.
“Washington voters should feel confident when they fill out their ballot that their ballot is going to count,” Becker said.
Even the rare issues that have emerged with paper ballots in other states are unlikely to be issues in Washington, Burden said. In North Carolina, for instance, state officials overturned the results of a congressional race in 2018 after an investigation found evidence that absentee ballots had been improperly collected and possibly tampered with.
Burden said that would be unlikely to happen with paper ballots in Washington because of how each ballot envelope has a unique barcode and tracking system, which voters can use to monitor their ballot’s progress via an online portal.
“Those things are really essential to a state that relies on mail,” Burden said.
Improvements made since 2016
At the same time, Washington state has been taking steps to improve the security of its voter registration system.
National intelligence officials say Russian actors appear to have targeted elections systems in all 50 states in 2016. Washington was among the states that had its voter registration system scanned by the Russians.
State officials said they were able to detect the activity, and hackers weren’t able to gain access to Washington’s voter rolls.
But other states weren’t so lucky. In Illinois, hackers infiltrated the state’s voter registration website and extract information, according to a July report by the Senate Intelligence Committee.
Illinois officials said no voter records were altered; similarly, the Senate Intelligence Committee report from July found “no evidence that any votes were changed or that any voting machines were manipulated.”
Still, Washington officials decided it was time to update the state’s aging voter registration system, which dated to the mid-2000s. Some of the systems used by individual counties were even older.
The new VoteWA system, which went live in June, took more than 30 voter registration systems used by Washington counties and centralized them.
Unlike before, the new system employs an extra layer of security known as two-factor authentication. That means local elections officials must use a physical token or card to access the database, in addition to their other login credentials.
Turner, Burden and Becker all identified two-factor authentication as one of the most important security practices local elections officials can adopt.
The added level of security makes it difficult for someone to access or alter the voter registration database remotely, or by using just a stolen username and password, said Justin Burns, chief information security officer of Washington’s Office of the Secretary of State.
“We like to joke that you could write down your username and password and send it to the Kremlin, and it would not let them into the system,” Burns said.
He said the new system is also more secure because it puts state officials in charge of ensuring that the voter registration system stays up to date. That means the state installs the latest security patches and upgrades, rather than leaving those security measures up to 39 county elections offices.
State officials similarly make sure the voter registration database is backed up multiple times a day, while conducting regular penetration testing to check for cybersecurity weaknesses, Burns said.
Matt Bishop, a professor of computer science at the University of California, Davis, said that kind of regular testing and installation of security patches is “absolutely imperative” to ensure election security.
“One of the problems is the counties don’t always have the resources for this sort of thing,” Bishop said. “The state does, typically.”
Ways the state can improve
Despite Washington state’s many strengths when it comes to election security, there still are a few emerging best practices that aren’t in place to the extent they could be.
For instance, only a handful of counties appear to be using two-factor authentication for elections officials' email systems — even as two-factor authentication has become required for accessing the state's new voter registration system.
Of the 26 county election offices that responded to Crosscut, only six said they use two-factor authentication for their email, or are in the process of expanding two-factor authentication to their email and other computer systems. (Eight counties confirmed they don’t use two-factor authentication for election officials' email, while others hesitated to share that information, citing security concerns.)
Yet using multifactor authentication for email and other election systems, not just for the statewide voter database, is important in helping to limit the damage online phishing attacks can cause, Burden said.
Three years ago in Florida, for instance, Russian hackers posing as an election vendor sent emails to elections officials with a malicious link or attachment. At least one or two local election officials appear to have fallen for the phishing attempt, giving an outsider access to their counties' election systems, Burden said.
An attack that installs malware through a malicious attachment or link could be used to steal usernames and passwords. But the attacker’s access to important systems would be limited if another form of authentication, such as a physical card or access token, was required in addition to those stolen credentials, said Thurston County Auditor Mary Hall, whose elections employees already use two-factor authentication to access their computers.
“If there is someone in Russia or Korea or China, they’re not going to have that physical card or token that you need,” Hall said.
Burns, the chief security officer in the secretary of state’s office, said his agency is working to help county elections officials expand multifactor authentication to their other systems, including email.
Similarly, Washington state is not quite on the cutting edge when it comes to a new practice called risk-limiting audits, which the Brennan Center lists as the “gold standard” for auditing and confirming election results.
Turner, with the Center for Democracy and Technology, said risk-limiting audits have a distinct advantage over other types of audits: They allow a smaller sample of ballots to be counted to check for accuracy, while still achieving a high level of confidence in the election results.
The new auditing tool is already being used by elections officials in Colorado and Rhode Island, as well as in some smaller jurisdictions around the country.
Lori Augino, elections director with the Washington Secretary of State’s Office, said her agency is working to help counties increase their use of risk-limiting audits in the future. A state law passed in 2018 allows local elections officials to use a risk-limiting audit, or RLA, as one of several options to meet the state’s mandatory, post-election audit requirements.
“We stand ready to support RLAs in any counties that choose those as their election audit method,” Augino wrote in an email.
Other improvements are also underway in preparation for the 2020 election.
Right now, the state is using part of an $8 million federal grant to roll out a new sensor network throughout all 39 Washington counties. Called Albert sensors, they're designed to alert state and local officials to attempted intrusions and potential digital threats.
The new sensor network is slated to be up and running by the middle of next year.
This story has been updated to reflect additional responses from two counties, which provided more details about their cybersecurity measures after the story was published.