Election Security in Pennsylvania
As Americans, we all share the magnitude of the importance of defending the integrity and security of our elections, to ensure both our right to vote and our confidence that our vote will be counted accurately.
Reports of attempted foreign interference in our electoral process have only reinforced our dedication to protecting election integrity. Since 2016, the Pennsylvania Department of State has greatly intensified its election security efforts with increased monitoring, fortified voting system defenses, and added layers of protection to the commonwealth’s voter registration database.
We have also built the relationships and technical infrastructure necessary to sustain this high level of vigilance.
New, More Secure Voting Systems in PA
In April 2018, the Department of State directed all PA counties to select
new voting systems with voter-verifiable paper records by Dec. 31, 2019, and implement them no later than the 2020 primary election. These systems will ensure that Pennsylvanians are voting on the most secure, accessible and auditable equipment available.
In 2018 and 2019, the department certified seven new voting systems that provide a paper record, meet the latest standards of security and accessibility, and can be thoroughly audited. In addition, in Pennsylvania every voting system and paper ballot must include plain text that voters can read to verify their choices before casting their ballot, and every system has successfully completed penetration testing, access control testing, and testing to ensure that every access point, software and firmware are protected from tampering.
To assist counties further,
Act 77, signed into law by Governor Wolf on October 31, allocates $90 million in bond funding to reimburse counties for up to 60 percent of their allowable costs for replacing old voting machines with new systems that meet current security and accessibility standards by the 2020 primary. These funds are in addition to $14.15 million in federal funding and a state match that Gov. Wolf set aside in 2018 for distribution to counties for new voting systems meeting these standards and timelines. Any remaining bond proceeds may be used for the Department to fund grants to purchase county election security equipment.
As of the June 2, 2020, primary election,
all 67 of the Pennsylvania's counties have deployed voting systems that produce voter-verifiable paper records and meet 21st-century standards of security, auditability and accessibility.
Election Security at the State Level
Election Security at the Local Level
More Robust Post-Election Audits
Pennsylvania counties conduct two types of
post-election analyses: a 2% statistical sample required by state statute, and a statewide risk-limiting audit (RLA), which counties have been directed to conduct for the November 2022 general election.
As currently required as part of the computation and canvass of returns, counties must complete the statistical sample required by law (25 P.S. § 3031.17). County boards of elections are required to conduct a statistical recount of a random sample of at least 2% of the ballots cast or 2,000 ballots, whichever number is fewer.
Risk-limiting audits are scientifically designed procedures that use statistical methods to confirm election outcomes and to detect possible interference. RLAs examine a random sample of paper ballots, comparing the votes on paper to the totals reported by the vote-counting machines to ensure that the reported outcome of the contest being audited is correct. These types of audits can confirm that voting systems tabulated the paper ballots accurately enough that a full hand count would produce the same outcome.
Safe and Secure Voter Registration and Voting Systems
Some of the many ongoing steps being taken to ensure that Pennsylvania’s voter registration and voting systems remain safe and secure:
utilizes multiple layers of protection, including
- 24/7 continuous network monitoring,
- password protection,
- multi-factor authentication, and
- continuity of operations (COOP) planning, among other controls to protect our systems.
All certified voting systems in Pennsylvania, including the election management system and vote-tallying components, are never connected to or permitted on internet-facing networks, which significantly decreases opportunities to be hacked.
A layered set of protections is in place to secure voter registration databases.
Appropriate use of encryption technology and other tools raises the bar on protecting systems.
Continuous monitoring of the commonwealth's technical environment means alerts are reviewed and acted upon quickly.
Independent vulnerability assessments are frequently performed to verify established protections.
There is no evidence that Pennsylvania’s voter rolls or vote results have ever been hacked or compromised.
Pennsylvania has partnered with the U.S. Department of Homeland Security to conduct multiple in-depth vulnerability assessments of the commonwealth's cybersecurity posture.
Counties strictly secure their voting systems. Every county election board inspects and tests each piece of voting and tabulating equipment before an election and places locks with tamper-evident seals on all voting machine access points.
Precinct election results are not submitted through a network. They are physically delivered by precinct officials to county election officials, and duplicate copies of the printed results are retained. Official election results are then certified under the seal of the county and are physically delivered to the state.
The Department of State directed all PA counties to select new voting systems with voter-verifiable paper ballots by the end of 2019 to ensure that Pennsylvania voters are voting on the most secure, accessible, and auditable equipment available.
The Department of State has issued guidance to counties on the following topics for election preparedness and security:
- Pre-election testing
- Password and permissions management
- Restricting access
- File transfers
- Vote canvassing
Collaboration and Communications
The Department of State works closely with all 67 county boards of elections, as well as experts from:
the state and federal Departments of Homeland Security,
Center for Internet Security (CIS),
the National Guard,
the Office of Administration (OA),
the PA Emergency Management Agency (PEMA),
state and county IT staff,
...and other key partners to maintain and enhance the security of our election process.
Engaging in Strategic Data Sharing
Pennsylvania works with CIS's Multi-State Information Sharing and Analysis Center (MS-ISAC) to gather and share intelligence about cyber threats (such as website defacement) that target government or government-affiliated systems.
We also participate in CIS's Elections Infrastructure Information Sharing and Analysis Center (EI- ISAC), an elections-focused cyber defense suite providing additional free support and resources including forensic analyses and emergency response teams.
Pennsylvania, like many states, continues to see increasing MS-ISAC and EI-ISAC membership among its counties.
Select PA Department of State staff have national security clearances to extend our access to classified information and bolster our election security.
Developing and Maintaining Crucial County Partnerships
In 2017, the Department of State formed an election security workgroup of County Commissioners Association of Pennsylvania (CCAP) representatives, county election directors, Department of State staff and county and state IT directors to discuss security issues, share training resources and conduct security self-assessments on each participating county's security posture.
In 2018, the Wolf Administration formed an Executive Interagency Workgroup to further fortify our election security by bringing together experts from the Department of State, Homeland Security, Emergency Management Agency, Information Technology, State Police, National Guard, Office of State Inspector General and the Department of Military and Veterans Affairs. This team of key agencies collaborates on increasing security resources, training, support, communication and preparation.
The PA National Guard’s Cyber Defense Team was recently chosen to be the first National Guard team to participate in a new U.S. Department of Homeland Security (USDHS) program to train third parties to conduct Risk and Vulnerability Assessments (RVA) to USDHS standards.
Providing Ongoing Training Opportunities
Pennsylvania has committed to an election security protocol that includes continuously monitoring the commonwealth’s technical environment; sharing intelligence and best practices with county, state and federal partners; routinely training state and county election and IT personnel on security measures; regularly assessing system vulnerabilities; and being prepared to immediately respond to any threats that arise.
Department of State staff have participated in nationally recognized election cybersecurity trainings, including a table-top training exercise by Harvard Kennedy School’s Belfer Center. We have collaborated with our partners to provide similar trainings, mock election exercises, and other resources to PA counties.
Since 2018, the Department of State has co-hosted several table-top exercises and election-security trainings in conjunction with PEMA, OA, National Guard, state and federal offices of Homeland Security, the Governor’s Office, and personnel from numerous counties. These events train election, information technology, and security personnel in incident response and preparation, simulating scenarios that could impact voting operations.
The Department of State provides guidance, training and resources to counties on strong cybersecurity practices for voting system and network preparation, including pre-election testing, password and permissions management, restricting access, file transfers and vote canvassing. We are also providing anti-phishing and security training and tools to all 67 counties at no cost to them.
The state partners with the County Commissioners Association of Pennsylvania (CCAP) to offer comprehensive phishing and social engineering email exercises and testing and security awareness training to all county employees,
at no cost to counties. Additionally, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) offers a range of cybersecurity services that evaluate and advise on operational resilience and cybersecurity practices, also with no cost to state and local election jurisdictions.
Election security video prepared by the Election Assistance Commission (EAC)
The EAC produced this video that summarizes the measures employed by state and local election officials across the nation to safeguard elections, voter registration data, voting systems and more.
EAC Election Security Video