EXPERT SIGN-ON LETTER TO CONGRESS:
SECURE AMERICAN ELECTIONS
June 21, 2017
Dear Member of Congress:
Faith in American democracy rests on the integrity of our elections. So it stands to reason that lawmakers and administrators from both political parties should prioritize efforts to minimize election security risks. While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots. Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks.
We are writing to you as members of the computer science and cybersecurity communities, together with statisticians and election auditing experts, to convey our concern about these and other vulnerabilities in our voting system and to urge you to take the following simple, straightforward, and cost-effective actions to set meaningful standards to protect American elections. We represent both major political parties, independents, and a range of academic institutions and private sector organizations, but we are united in our belief that the United States, the world’s oldest representative democracy, needs prompt action to ensure prudent elections security standards.
Specifically, we recommend action to accomplish the following objectives:
1. Establish voter-verified paper ballots as the official record of voter intent.
· Phase out the use of voting technologies such as paperless Direct Recording Electronic voting machines that do not provide a voter-verified paper ballot.
2. Safeguard against internet-related security vulnerabilities and assure the ability to detect attacks.
· Create firewalls (software barriers) between internet and all voter registration, vote-tabulating machines, ballot delivery, and election management systems. Require layered backup systems to ensure that intrusions and corruption of the databases can be detected and corrected.
· Review and document compliance with the recommendations and checklists prepared by the US Department of Homeland Security for security, penetration testing, network scanning, and detection and management of potential cyber-attacks. Review and track FBI security alerts.
· Ensure that voting systems and information technology that supports voting systems have the latest security patches, and that those patches have been provided from trusted sources on trusted media. Limit physical access and regularly audit sensitive and critical election systems.
· Discourage voters from voting online in any form—via web, email or fax—even in states where it is legal. Inform voters that electronically submitted ballots can be modified, copied, rerouted or simply deleted during transmission.
3. Require robust statistical post-election audits before certification of final results in federal elections.
· Compare random samples of voting system totals to hand counts of the votes on the corresponding paper ballots.
· Audit in a way that has a large chance of detecting and correcting any incorrect electoral outcomes, whatever their cause.
· Recruit technical experts to assist with tests and audits. Resources for finding experts, many of whom may provide pro bono services, include the Election Verification Network, professional societies such as the American Statistical Association, and academic institutions.
· Allow public oversight of all audits, and prominently publicize all testing and audit results.
· Report and publicize ballot accounting and final results in detail before certification
This is not an exhaustive list of recommendations. However, the above items can form the basis of robust, enforceable, sensible federal standards that can restore needed confidence in American elections.
1. Ben Adida, Vice President, Engineering, Clever
2. Andrew W. Appel, Professor of Computer Science, Princeton University
3. Arlene Ash, Professor and Division Chief, Biostatistics and Health Services Research, Department of Quantitative Health Sciences, University of Massachusetts Medical School
4. Michael Bailey, University of Illinois at Urbana-Champaign
5. Ron Bandes, Cybersecurity member of the Pennsylvania Joint State Government Commission's Advisory Committee on voting system technology
6. Mary K. Batcher, Founding Partner, BDS Data Analytics and Former Executive Director, Ernst & Young
7. Steven M. Bellovin, Percy K. and Vida L.W. Hudson Professor Computer Science, Columbia University
8. Jan BenDor, MI Elections Administrator, MI Election Reform Alliance
9. Matt Bishop, Professor, Department of Computer Science, University of California, Davis
10. Matthew Blaze, Associate Professor of Computer and Information Science, University of Pennsylvania
11. Scott Bradner, Professor, Information Science Department, Harvard University Extension School
12. Harvey H. Branscomb, Election Quality, Colorado Voter Group
13. Duncan Buell, Professor, Computer Science and Engineering and NCR Chair in Computer Science and Engineering, University of South Carolina
14. Eric W. Burger, Research Professor and Director, Security and Software Engineering Research Center, Georgetown University
15. David Chaum, ScanTegrity and Random-Sample Voting Projects
16. Stephen Checkoway, Assistant Professor, Department of Computer Science, University of Illinois at Chicago
17. Bryan Cunningham, Executive Director, Cybersecurity Policy & Research Institute, University of California, Irvine
18. Robert K. Cunningham, Chair, IEEE Cybersecurity Initiative
19. Reza Curtmola, Associate Professor, Department of Computer Science, New Jersey Institute of Technology
20. David L. Dill, Donald E. Knuth Professor in the School of Engineering, Stanford University and Founder of VerifiedVoting.org
21. Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation
22. David Evans, Professor of Computer Science, University of Virginia
23. David J. Farber, Moore Professor Emeritus of Telecom, University of Pennsylvania and Adjunct Professor of Internet Studies, Carnegie Mellon University
24. Ariel Feldman, Assistant Professor of Computer Science, University of Chicago
25. Edward W. Felten, Robert E. Kahn Professor of Computer Science and Public Affairs at Princeton University; former Deputy United States Chief Technology Officer
26. Bryan Ford, Associate Professor of Computer and Communications Sciences, Swiss Federal Institute of Technology Lausanne, Switzerland
27. Carrie Gates, CEO, Securelytix Inc.
28. Jeremy Gillula, Senior Staff Technologist, Electronic Frontier Foundation
29. Alex Glaros, CEO, Center for Government Interoperability
30. Ian Goldberg, Professor and University Research Chair, Cheriton School of Computer Science, University of Waterloo
31. Sharon Goldberg, Associate Professor of Computer Science, Boston University
32. Edward Gracely, Associate Professor of Epidemiology and Biostatistics, School of Public Health, Drexel University
33. Matthew Green, Assistant Professor, Department of Computer Science, Johns Hopkins University
34. J. Alex Halderman, Professor, Computer Science and Engineering and Director, Center for Computer Security and Society, University of Michigan
35. Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology
36. Eleanor O. Hare, Associate Professor Emerita, Department of Computer Science, Clemson University
37. Candice Hoke, Co-Director, Center for Cybersecurity & Privacy Protection, Cleveland State University
38. Ryan Hurst, Product Manager, Google
39. Harri Hursti, Founding Partner, Nordic Innovation Labs
40. David Jefferson, Visiting Scientist, Lawrence Livermore National Laboratory, Board of Directors, VerifiedVoting.org
41. Jonathan Katz, Professor, Department of Computer Science, University of Maryland and Director, Maryland Cybersecurity Center
42. Joe Kiniry, CEO and Chief Scientist, Free & Fair
43. Alex Kreilein, Managing Partner and Cofounder, SecureSet Accelerator
44. Jack I. Lerner, University of California, Irvine, Director, UCI Intellectual Property, Arts, and Technology Clinic
45. Mark Lindeman, Adjunct Assistant Professor, Department of Political Science, Columbia University
46. Victoria Collier, Director, National Election Defense Coalition
47. Margaret MacAlpine, Election Auditing Specialist and Systems Testing Technologist, Nordic Innovation Labs
48. David A. Marker, Senior Statistician and Associate Director, Westat
49. Marilyn Marks, Executive Director, Rocky Mountain Foundation
50. Morgan Marquis-Boire, Director of Security, First Look Media
51. Neal McBurnett, Independent Election Integrity Consultant; Colorado Risk-Limiting Audit Representative Group member; Board of Directors, Center for Election Science
52. Bruce W. McConnell, Global Vice President, EastWest Institute and Former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security
53. Patrick McDaniel, Distinguished Professor of Computer Science and Engineering and Director, Institute for Networking and Security Research, Pennsylvania State University
54. Aleecia M. McDonald, Non-resident Fellow, Stanford Center for Internet & Society
55. Walter Mebane, Professor, Department of Political Science and Department of Statistics, University of Michigan
56. Sascha Meinrath, Director, X-Lab, Palmer Chair in Telecommunications, Penn State University
57. Suzanne Mello-Stark, Associate Teaching Professor and Cybersecurity SfS Program Manager, Computer Science Department, Worcester Polytechnic Institute
58. Gregory A. Miller, Chief Election Technology Strategist, OSET Institute
59. Justin Moore, Software Engineer, Google and Member of the Board of Advisors, VerifiedVoting.org
60. Deirdre K. Mulligan, Associate Professor, School of Information and Faculty Director, Berkeley Center for Law and Technology, University of California, Berkeley
61. Clifford Neuman, Director, Center for Computer Systems Security, University of Southern California
62. Peter G. Neumann, Senior Principal Scientist, SRI International Computer Science Lab and Moderator, ACM Risks Forum
63. Brian Nussbaum, Assistant Professor of Homeland Security and Cybersecurity, University at Albany
64. Ben Ptashnik, Executive Director, National Election Defense Coalition, Retired Vermont State Senator
65. Cooper Quintin, Technologist, Electronic Frontier Foundation
66. Ronald L. Rivest, Institute Professor, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology
67. Phillip Rogaway, Professor, Department of Computer Science, University of California, Davis
68. Paul Rosenzweig, Professorial Lecturer in Law, George Washington University and Former Deputy Assistant Secretary for Policy, Department of Homeland Security
69. Gabe Rottman, Deputy Director, Freedom, Security and Technology Project, Center for Democracy & Technology
70. Avi Rubin, Professor, Computer Science and Technical Director, Information Security Institute, Johns Hopkins University
71. Peter Ryan, Professor of Applied Security, University of Luxembourg
72. Andy Sayler, Security Engineer, Twitter
73. Fritz Scheuren, Former President, American Statistical Association (2006)
74. Jeffrey I. Schiller, Computer Scientist, Massachusetts Institute of Technology and Former Internet Engineering Steering Group Area Director for Security (1994-2003)
75. Bruce Schneier, Fellow, Harvard Kennedy School
76. Alexander A. Schwarzmann, Professor and Head of Computer Science and Engineering Department, Director of the Center for Voting Technology Research, University of Connecticut
77. E. John Sebes, Chief Technology Officer, OSET Institute and TrustTheVote Project
78. Lt. Col. Tony Shaffer (retired), Senior Fellow, London Center for Policy Research
79. Micah Sherr, Provost’s Distinguished Associate Professor, Department of Computer Science, Georgetown University
80. Barbara Simons, IBM Research (retired)
81. Ashkan Soltani, Former Chief Technologist, Federal Trade Commission
82. Richard Spires, Former Chief Information Officer, U.S. Department of Homeland Security
83. Philip B. Stark, Associate Dean, Mathematical and Physical Sciences and Professor, Department of Statistics, University of California
84. Paul Stokes, United Voters of New Mexico
85. Justin Talbot-Zorn, Truman National Security Fellow
86. Vanessa Teague, Senior Lecturer, School of Computing and Information Systems, The University of Melbourne
87. Brad Templeton, Computing Chair, Singularity University and Chairman Emeritus, Electronic Frontier Foundation
88. Zeynep Tufekci, Associate Professor, School of Information and Library Science, University of North Carolina
89. Jessica Utts, President, American Statistical Association and Professor, Department of Statistics, University of California, Irvine
90. Giovanni Vigna, Professor, Computer Science, University of California, Santa Barbara
91. Poorvi L. Vora, Professor of Computer Science, The George Washington University
92. Dan Wallach, Professor, Computer Science and Rice Scholar, Baker Institute for Public Policy, Rice University
93. Mark Weatherford, Chief Cybersecurity Strategist, vArmour and Former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security
94. Luther Weeks, Executive Director, Connecticut Citizen Election Audit
95. Daniel Weitzner, Founding Director of the MIT Internet Policy Research Initiative and Principal Research Scientist, Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab
96. Kenneth White, Director, Open Crypto Audit Project
97. Filip Zagorski, Assistant Professor, Wroclaw University of Science and Technology
98. Daniel Zappala, Associate Professor, Computer Science, Brigham Young University
99. Amy B. Zegart, Co-Director and Senior Fellow, Center for International Security and Cooperation, Stanford University and Davies Family Senior Fellow, Hoover Institution
100. Daniel M. Zimmerman, Principled Computer Scientists, Free & Fair
101. Philip R. Zimmermann, Cryptographer, Creator of PGP, Associate Professor, Delft University of Technology, Netherlands
102. Mary Ellen Zurko, Independent Cybersecurity Consultant
103. Trevor Zylstra, President and CEO, IDVector
Please note: Individual affiliations are for identification purposes only and do not signify organizational endorsement.
The National Election Defense Coalition (NEDC) and coalition partners compiled signatures for this letter.