It’s been roughly two years since the first signs that Russia had launched an interference campaign aimed at the 2016 presidential race, and now the United States is hurtling toward a set of pivotal midterm elections in November. But while some states have made an earnest effort to secure the vote, the overall landscape looks troubling—and in some cases, it’s too late to fix it this year.
While Russian meddling inspired many election officials to take cyberthreats seriously and double down on security, each state oversees its own elections process. In the limited window to make defense improvements before the midterms, regional officials can approach the risk in whatever way they see fit.
As a result, some citizens will go to the polls in precincts and states that have audited their systems and plugged holes. Some will vote in places that have strong protections on digital election assets, like results-reporting websites and voter registration databases. Some will vote with paper ballots—that’s good—or on machines that automatically generate a paper backup. But election officials and security experts who have participated in or observed the scramble to improve defenses agree that most voters will encounter a mishmash, with some of these protections in place, and some still years away.
In the meantime, the threats to US elections are real. When the BBC asked CIA Director Michael Pompeo last week whether he foresaw Russia continuing to pursuing election meddling during the 2018 midterm elections, he said, “Of course. I have every expectation that they will continue to try and do that.” Likewise former State Department cyber coordinator Christopher Painter said in Congressional testimony on Tuesday that, “The lack of a sufficiently strong, timely, and continuing response to Russian interference with our electoral process virtually guarantees that they will attempt to interfere again.”
And time is running short. Though the full midterm elections are still nine months away, primaries kick off on March 6 in Texas.
Some states have moved quickly to enact large-scale changes. Virginia memorably took the plunge this fall, rushing to finish a decade-long process of replacing all of its digital-only touchscreen voting machines with voter-marked paper ballots. Shortly after at the end of November, Colorado completed a large-scale election system integrity audit (known as a “risk-limiting audit”) first mandated by the state legislature in 2009 and delayed from an original 2014 goal. Rhode Island is working to implement risk-limiting audits for this year’s elections. And Michigan is on track to replace all of its aging and unsupported voting machines with new paper ballot systems in time for the state’s August primaries.
‘Congress has really dragged its feet.’
Lawrence Norden, Brennan Center
You might have noticed a common thread: Experts agree that a critical step for security is ensuring that all precincts in all states use paper ballots and optical scanners, or have digital voting machines that produce voter verified paper backups. Heading into 2018, five states—Delaware, Louisiana, Georgia, South Carolina, and New Jersey—all still use digital voting without paper backups. Nine other states have a mix, in which some precincts still don’t have any type of paper ballot or backup. Delaware has worked to replace its digital voting machines, but the change is only slated to arrive in time for the 2020 presidential election season.
“First we need to replace these older systems that don’t have a paper record, then we need to replace the other states’ older equipment that’s vulnerable based on its age,” says Marian Schneider, president of Verified Voting, a group that promotes election system best practices. “There are recommendations to move in that direction, the question is whether they are going to be able to do it before 2018. You’d have to move pretty quickly to do it now.”
Not surprisingly, funding presents the main hurdle for buying new voting machines, as well as for risk-limiting audits and hiring professionals to improve election-related network security. In a poll released on Thursday by the Brennan Center’s Democracy Program at New York University School of Law, 229 officials from 33 states said that they need to replace their aging voting machines by the 2020 elections, but most don’t currently have the money to do so.
More than a year after the 2016 presidential election, a handful of bipartisan bills like the Secure Elections Act are pending before Congress to unlock more money for state election security initiatives. But those bills only surfaced in the last few months, and no hearings have yet been set to consider them. Even if new legislation does pass before the midterm elections, it’s unlikely that a freshly minted law would meaningfully impact preparation with the 2018 primaries so close.
“There are lots of really important improvements, lots of people are taking this seriously, especially local election officials, but there’s also lots that’s not happening,” says Lawrence Norden, the deputy director of the Brennan Center. “Part of that is just the decentralized nature of our elections, but part of it is that nobody is stepping in like Congress to make sure some minimums are hit. Congress has really dragged its feet.”
Secretaries of state, who largely control the electoral process, also largely oppose new election infrastructure funding bills. The National Association of Secretaries of State would prefer to minimize federal influence and new requirements on states by instead unlocking funding that was authorized but never appropriated from the 2002 Help America Vote Act.
At the very least, though, communication channels between federal security agencies and state and local election officials has markedly improved since 2016. As foreign election system probing played out in at least 21 states during the 2016 presidential campaign season and election, federal authorities and state officials had limited ways of communicating about even publicly available information, much less internal and classified findings. The Obama Administration hoped to bridge this divide by designating election systems as critical infrastructure—a decision the Trump Administration has upheld. The move has allowed the Department of Homeland Security to offer more extensive support to states, and has facilitated better and more efficient information sharing.
“As a result of our conversations in that committee, every Secretary that wants to get a national security clearance is applying and, for example, I already have an interim clearance,” says Connie Lawson, NASS president and Secretary of State of Indiana. Work to improve communication and broader security efforts “may not be as full-blown as I’m sure it will be by 2020, but it is definitely going to be progress since 2016—absolute progress,” she says.
While Indiana is one of seven pilot states receiving election system network monitoring from the Multi-State Information Sharing and Analysis Center, a cybersecurity group mostly funded by DHS, Lawson hints that not all tensions have been resolved between federal actors—like Congress and DHS—and state election officials . “Elections are the constitutional responsibility of the states and we did not want that to be subverted in any way,” Lawson says. “We have our regular duties and these additional requirements sometimes are impossible to meet.”
Meanwhile, the Department of Homeland Security says it is happy with the work it has done to ramp up security offerings to states. The agency provides free remote-network scanning to any state that asks for it. Thirty-two states and 31 local governments have so far. And after months of backlogs, DHS says it finally has the resources and staffing available to offer on-site security assessments and penetration testing to any states that want it. These reviews take weeks, and there’s no guarantee that states will act to resolve the vulnerabilities DHS finds, but the agency says that so far 16 states or localities have asked for the evaluations.
Jeanette Manfra, DHS’s chief cybersecurity official, notes that the agency respects states’ autonomy in organizing elections and simply aims to offer support for this work. Just because a state hasn’t received an on-site evaluation from DHS, for example, that doesn’t mean it hasn’t paid to receive one from a private security company or other entity.
“We’re not trying to solve everything related to election security in the next couple of months,” Manfra says. “For me the most important thing to get done quickly is that information sharing—ensuring that both the clearances and the protocols are in place and agreed upon between DHS and state and local agencies so that we can ensure that the right people will get the information when they need it.”
‘We’re not trying to solve everything related to election security in the next couple of months.’
Jeanette Manfra, DHS
In the time since the 2016 presidential election, experts have worked on a new wave of election security best practices and guidelines, like the well-regarded Election Security Plan developed by Cook County, Illinois elections director Noah Praetz, which advocates network monitoring and threat intelligence sharing, equipment updates and system audits, and paper records as the crucial pillars of election defense. There are also forthcoming recommendations from the Center for Internet Security (the group behind the MS-ISAC) and the Senate Intelligence Committee. But adopting these types of standards remains optional, and observers note that while many states have made some progress in addressing the numerous components of securing election infrastructure, it doesn’t add up to consistent baseline improvement across the country.
“If you really want to get at this problem, we need a HAVA-scale bill that basically moves all states to paper, moves all states to mandatory risk-limiting audits, and moves all states to implementing at least the top five critical cybersecurity controls on their networks and databases,” says Jake Braun, a cybersecurity professor at the University of Chicago who served as a senior DHS cybersecurity consultant during the Obama Administration. “Once those three things are in place, which would probably cost a few billion dollars, then I will feel like we’ve made the progress we need to. And exactly zero of those things have happened so far.”
Security advocates emphasize that though some projects are probably too big to accomplish at this point before the midterms, basic steps like risk assessment, implementing cybersecurity best practices, committing to post-elections audits, and increased cooperation and communication from voting machine vendors could still have a positive impact on this year’s overall election security.
The last thing election systems professionals want to do is undermine confidence in the structure they work hard to maintain—and still believe in. But progress has come too slowly. “There has to be a sense of urgency and there doesn’t seem to be,” as Verified Voting’s Schneider puts it. “People just need to put aside politics for one second and look at this in terms of a national security issue for our democracy. We really need to shore up election security, because this is the foundation on which everything rests.”