N.H.'s Paper Ballots Are Hard to Hack, But That's Only Part of the Election Security Puzzle | New Hampshire Public Radio

Jan 23, 2020

New Hampshire Secretary of State Bill Gardner has long projected confidence about the security of the state’s elections. In the fall of 2016, as national security officials were warning state elections offices to “be vigilant and seek cybersecurity assistance” from federal partners, Gardner declined — saying New Hampshire didn’t need the extra help.

“We have a system that, we don’t have to be concerned that it’s going to be something different this time because of some imaginary foreign element out there or something that might be interfering with this election,” Gardner said at the time.

Since then, Gardner — the nation’s longest-serving elections chief — has continued to downplay the risk facing New Hampshire. When asked about election security at a meeting of the state’s Ballot Law Commission a few months before the 2018 midterms, he had a simple response.

“You want to know about being hacked? You see this pencil here?” Gardner said, holding one up for emphasis. “Want me to give it to you and see if you can hack this pencil? We have this pencil. This is how people vote in this state. And you can’t hack this pencil.”

And there is reason to be confident about New Hampshire’s election security — if you’re only looking at the act of voting.

New Hampshire is still old school compared to many other states, where election officials have to worry about tampering with electronic voting machines, online registration and other election technology. With few exceptions, voters here register and cast ballots on paper, in pencil — or pen — and in person. That will still be the case when voters head to the polls for the presidential primary on February 11.

But according to Denis Goulet, who is in charge of information technology for New Hampshire, that’s not all the state has to worry about.

“I've said this to the Secretary of State: I think our biggest risk isn't in the sense that the election results could be affected, because it would be really hard to do that,” Goulet said. “But what could happen is undermining the confidence of the system, which I think is at least as bad.”

Gardner’s election security strategy was called into question by both of the opponents who tried to unseat him as Secretary of State in 2018, a race he ultimately won by only a handful of votes. One of those opponents, Peter Sullivan, called for a “comprehensive, statewide security audit.” The other, Colin Van Ostern, criticized Gardner’s unwillingness to accept cybersecurity assistance from the federal government.

Since 2018, the Secretary of State’s office has, with the help of the state’s IT team, stepped up its election security measures on several fronts: investing in new software to protect its voter database, more cybersecurity training for local pollworkers, and programs to monitor the so-called “dark web” for looming hacking threats. 

At the same time, New Hampshire election officials have turned down more hands-on cybersecurity assessments from federal and state agencies, instead contracting with private vendors to perform what they say are similar security tests.

“We want to make sure that we're the ones that are responsible for our elections,” Deputy Secretary of State Dave Scanlan said. “I think we have a healthy distrust of outside agencies trying to get access to our databases to perform certain functions.”

But heading into the upcoming primary, some have continued to worry that Gardner’s office was too slow to acknowledge the scale of the problem. 

“New Hampshire is a top tier target as a first in the nation primary state,” says Democratic State Senator Jon Morgan, who also works for the cybersecurity company that just discovered a major Russian hack into the Ukrainian company at the center of the ongoing impeachment case. “We need to be taking that much more seriously than we are.”

Morgan’s biggest concern isn’t that hackers might target elections operations at the state level. Instead, it’s that they could target what amounts to the front lines of New Hampshire’s elections: the local pollworkers who actually oversee Election Day. Those looking to create chaos around the election could hold cities or towns hostage with ransomware attacks, or try to scam a local pollworker into giving up access to the state’s voter files.

The state elections office has significantly expanded its cybersecurity training for local pollworkers in the last few years, but that training isn’t mandatory. Some pollworkers are also preparing for the upcoming primary election on computers with expired security protections. 

The New Hampshire Secretary of State got $3.1 million from the federal government in 2018 to help make these kinds of improvements, but most of its spending so far has gone toward security and equipment expenses at the state level. While state elections officials have warned cities and towns that they need to patch up their election security protections, they haven’t provided any financial support to help offset the costs of those local upgrades.

If there is a security breach, Scanlan says the state has plans in place to make sure the election still proceeds. Local voter lists are backed up on a daily basis in the final weeks leading up to the vote. If someone shows up to the polls to find their registration is missing, they can still register on the day of the election. 

“We're confident that we're going to conduct an election on February 11th regardless of what else might happen,” Scanlan said. “And I say that with the understanding that we have to be vigilant and that any electronic system can be targeted.”

While many communities here still count votes by hand, most of New Hampshire’s ballots are counted by a scanner that is no longer on the market. If one of those ballot-counting machines breaks down, the results can be tallied by hand — and already are in many towns. 

David Becker, with the nonpartisan Center for Election Innovation and Research, says there are good reasons to use ballot-counting devices: they can be faster and, in some cases, more accurate than a hand count. But, he cautioned, these electronic devices can be vulnerable to either malicious tampering or simple mechanical error. 

“Malfunction is at least as much a concern as an attack,” Becker said. “And unless there’s some kind of audit done to make sure the tabulators work correctly, you might not even have adequate information to decide whether a recount is appropriate.”

Becker and other election policy experts recommend post-election audits as a way to both ensure the election is decided fairly and instill greater public confidence in the vote. But New Hampshire is one of about a dozen states without any standardized post-election audit procedure.

The New Hampshire Secretary of State has been wary of past efforts to bring the practice to the Granite State, though the office has more recently said it would be open to audits under the right conditions. The office has also opposed local voting activists — like Deborah Sumner — who have pushed for more transparency in the ballot counting process.

“I know this is heresy,” Sumner said. “I would rather we gave up the New Hampshire primary and had elections we have reason to trust in New Hampshire.”

But to both Sumner and Becker, the case for post-election audits is only strengthened because of the national spotlight on New Hampshire races — not just in the primary, but also the general elections. In 2016, the races for president and U.S. Senate here were decided by less than one percent.