For more information, contact or call WEI Coordinator Karen McKim at 608-212-5079.

Sept 16 press advisory about story about lapses in Wisconsin voting-machine security.

First of all, thank you for covering these issues.

Election-integrity advocates hope that you will:
1) hold election managers to the same standards of prudent IT management you expect of other local government officials; and 
2) understand that the information-technology story cannot be obtained by talking only to election officials.

About upholding standards:  You know how you would respond if a city parking manager told you, “Audits always find some parking ticket payments were lost, but it has never affected the overall solvency of the transportation fund.” Respond that same way the next time an election officials tells you something like, “Recounts always find miscounted votes, but it has never affected the outcome.”

If you discovered a parking manager with an unreliable, unaudited system for tracking parking-ticket receipts, you wouldn’t need a Democrat-versus-Republican angle. Approach the story as if every ballot was as important as every parking ticket, and deserved the same level of carefully verified accounting. 

 Voter-registration systemVote-tabulation system
Name of systemWisVoteOne system, the DS200, counts
60-70% of Wisconsin's votes;
'ICE' is the second most popular.
What does it do?Records voter registrations; keeps
them up to date; prints the poll
books you get your name checked
off on when you vote, among other
election-administration tasks
Reads our ballots, counts our
votes, determines who wins our
Most knowledgeable
source for reporters
WEC is your primary source for
this information. They know
this system inside-out.
Vendors (ES&S, Dominion,
Command Central, and Clear
Ballot) are the only primary source
regarding tabulation-system
security. Local election officials
know only their own security
practices, which don't address the
most critical risks.
DeveloperState of Wisconsin; a collaboration
between WEC and Division of
Enterprise Technology
Any of several private companies;
not always the current vendor
OwnerState of WisconsinSoftware is owned by vendors;
Hardware is mostly owned by
local governments
System updates managed byState of WisconsinFour vendors
(In a few counties, county officials
handle prep for each election's
new ballot.)
Security managed byState of WisconsinSoftware security:
Vendors, primarily, but local
officials right before each election
and on Election Day.

Hardware security:
Municipal clerks for voting
county officials for central
General security programHas all five standard components
actively in place: 1) Risk
2) Safeguards; 3) Monitoring to
detect events; 4) Response plan;
5) Recovery plan
We have only vendors’ assurances
about their practices for risk
identification or safeguards.
Local officials rely on only minimal,
informal detection practices, and
have no clear plans for response or
Who would know if it was hacked?The State of Wisconsin,
specifically the DET and WEC,
continuously monitor all cyber
activity, with the assistance of the
federal DHS.

Voters will notice if their
registration disappears, but they
can re-register at the polls.
We don’t know whether the voting
machine companies would know if
the software was hacked. Local
officials cannot assess the software;
hacks wouldn’t show up in the
pre-election test; and they don’t use
our paper ballots in routine
pre-certification audits.

Voters have no way to tell if their
votes were miscounted.
Has it ever been hacked,
in Wisconsin?
State officials know that hackers
are continuously trying, and that
none have succeeded.

US DHS has determined that some
attempts came from Russia.
No one knows, because no one
examines the software (a copy is in
every machine), and no one
routinely checks the machines’
Election-Day accuracy against the
paper ballots.

There have been electronic
miscounts, but none that appear,
on their face, to be deliberate.

About covering IT issues: 

First, remember that state and local election officials are not IT professionals and are therefore not able to speak about voting-machine security with much depth and authority. Don’t rely exclusively on them. Include genuine IT professionals among your sources.

Second, be aware that Wisconsin elections rely on two entirely separate systems. One handles voter registration and is a good model of how elections technology should be managed. The other counts our votes, and is not. Please keep these two systems separate: their stories are very different. The admirable security of the WisVote system does not protect our vote-tabulation system.

The key security question to ask local election officials:

“When you sign that certification statement, how do you know the voting machines identified the right winners?”

As you assess their answers, remember that voting machines have no special magic that makes them more reliable than any other computer. 

Compare the clerks’ answers to what you would expect to hear from a banker talking about checking ATM transactions, or a convenience-store manager talking about nightly cash-register reconciliation. Don’t settle for less.

Here are some things you will hear from Wisconsin’s election officials, and what your follow-up questions should include:

  • “The voting systems are federally certified.”
    Election clerks will mention this, but will not be able to answer any follow-up questions about the federal certification criteria relating to security (as opposed to accessibility, reliability, etc.); controversies regarding the current value of outdated federal certification standards; and how exactly years-old federal certification of the design of each system protects the actual machines and software used in the next election. (It doesn’t).
  • “The voting systems are certified by the state elections agency.”
    As with federal certification, local election officials are typically unaware that state certification is based on whether the systems meet standards in Wisconsin law, which focus on features other than security. Contact WEC staff for more information. If you are interested in a particular system (such as AVC Edge or M-100), ask about the security criteria used at the time the system was certified.
  • “Voting machines are never connected to the Internet.”
    Don’t count on local election officials to mention that their voting machines are programmed with software that originates in the vendors’ computers. Neither state nor local officials can speak authoritatively about the security of the software at any time before it comes into their possession before each election. 
    Also be aware that the polling-place voting machines communicate (either wirelessly or by use of portable digital media) with a central county elections-management computer. Ask how and when Wisconsin officials inspect these county computers for remote access software. If they don’t, they cannot confirm that they are not connected to the Internet. 
  • “Every machine is publicly tested before each election.”
    Municipal clerks reliably perform voting-machine tests required by s.5.84, Wis. Stats within 10 days before every election. Most do not understand that their tests fall far short of any standards for computer “logic and acceptance testing” (LAT) used outside elections and that they are useless in deterring or detecting hacks. 
    Two of the many limitations are: 1) No effort is made to fool the voting machines into thinking they are counting votes on Election Day, and some machines are even deliberately tested in a test mode. Because malicious code would be designed to operate only on Election Day and in Election-Day mode, a test done on any other day could not detected a hack. 2) Municipal clerks also typically cast only one vote for each candidate in the pre-election test, so that if the machine was programmed to ‘flip’ votes–that is, county one candidate’s votes for another and vice-versa (a predictable programming error, if not a hack), the pre-election test could not detect it.
  • “We verify that the machines counted correctly on Election Night, and double-check during the canvass.”
    Your follow-up question should ask them to clarify whether they are talking about verifying ballot totals or vote totals. All Wisconsin jurisdictions routinely check and double-check that ballots were counted correctly; none routinely check that votes were counted correctly during their canvass. 
    Verifying that machines counted ballots correctly (but not votes) is equivalent to a bank verifying that an ATM counted the correct number of transactions, without verifying that the dollars were debited/credited to the correct accounts.
  • “The state orders voting-machine audits.”
    These voting machine audits, as they were performed before 2018, serve no election-security function. Among other limitations, they occurred only after November elections in even-numbered years; included only about 100 of the state’s 3,500 voting machines, and were completed only after the election results were certified final–too late to correct any miscounts detected and therefore too late to deter hacking. For the November 2018 elections, WEC ordered more voting-machine audits and ordered them to be completed before results are certified, but these audits still do not verify the correct winners and so have limited value as a security measure.