Brennan Center Quick Take: Senate Intelligence Committee’s Election Security Recommendations

The Senate Select Committee on Intelligence's recommendations on ways to better defend voting infrastructure are crucial steps we need to take to shore up elections and ensure their integrity moving forward.

March 21, 2018

The Senate Select Committee on Intelligence (SSCI) this week released its recommendations on ways to better defend the nation’s election infrastructure against a hostile nation-state that may seek to undermine our democracy. These are crucial steps in shoring up our nation’s elections and ensuring their integrity moving forward.

Below, we outline some of the lawmakers’ key recommendations for more secure and reliable elections, and where things stand now in light of recent progress:

SSCI Recommendation: “States should rapidly replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability.”

According to our analysis, here’s where things stand:

  • This year, 41 states will be using systems that are at least a decade old, and officials in 33 say they must replace their machines by 2020. In most cases, election officials do not yet have adequate funds to do so.
  • In 2018, 13 states will still use paperless voting machines, and five will continue to use such systems statewide. Only Virginia has decertified and replaced all of its paperless systems since 2016.
  • In 43 states and the District of Columbia, some residents will still use machines that are no longer manufactured.
  • Today only 26 states require election officials to conduct post-election audits of paper records, and in many of those states, the audits are not comprehensive enough to be likely to detect the use of election-changing software.

SSCI Recommendation: “States should consider implementing more widespread, statistically sound audits of election results.”

Audits allow states to verify that the electronic totals coming from machines match tallies of paper ballots. Not only do audits help verify vote counts, but any inconsistencies could allow officials to more easily detect an intrusion if one occurs.

  • Today, only three states – Colorado, New Mexico, and Rhode Island – use risk-limiting audits, which employ statistical models to consistently provide a high level of confidence in the accuracy of the final vote tally.
  • And since 2016, only Rhode Island has passed legislation to require risk-limiting audits.

SSCI Recommendations: “The Committee recommends [that] DHS . . . [w]orking closely with election experts, develop a risk management framework that can be used in engagements with state and local election infrastructure owners to document and mitigate risks to all components of the electoral process.” 

As we wrote in a recent report, there is a consensus among experts we have interviewed that many states are unlikely to have completed this kind of comprehensive risk assessment in the last few years, even though cyberthreats evolved enormously over that time.

  • Chris Krebs, a DHS official, told members of Congress in February that the department had completed five security risk assessments of state election systems, and planned to complete remaining requests from 11 states by mid-April.

SSCI Recommendation: “DHS must create clear channels of communication between the Federal government and appropriate officials at the state and local levels. We recommend that state and local governments reciprocate that communication.” 

There have been several important developments over the last year:

  • DHS and key state and local officials have convened the Government Coordinating Council to share threat information.
  • DHS has also met with private sector election industry representatives.

We also think it’s imperative that private vendors and contractors working on elections are mandated to report any security breach they uncover. As we’ve noted in the past, vendors often don’t have any legal obligation to share such details. If passed, the Secure Elections Act would require them to do so.

SSCI Recommendations: “The Committee recommends Congress urgently pass legislation increasing assistance and establishing a voluntary grant program for the states.” 

“States should use grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services, among other steps.” 

“Funds should also be available to defray the costs of instituting audits.”

The fact that SSCI recommended allocating funding to election systems security is an important development. Two pieces of legislation going through Congress right now would do so:

  • The Secure Elections Act in the Senate would authorize $386 million in grants from DHS to upgrade election infrastructure and increase security for it, including replacing antiquated paperless touchscreen machines.
  • The PAPER Act in the House would aid states that comply with security recommendations issued by the EAC, including replacing older voting equipment with systems that use a voter-verified paper record which can be audited to check electronic totals.

However, the bills — if passed — can’t be the end of the story. Cyberthreats are evolving rapidly, and updating and securing our election infrastructure will require long-term vigilance. The federal government should provide regular and ongoing support to states.

***

Overall, the Senate Intelligence Committee’s recommendations — which were wholeheartedly backed by a bipartisan group of lawmakers on the panel — are a good step forward. It’s clear that members recognize the threat and understand that Congress has a role to play in securing voting infrastructure, a key engine of democracy in the United States. But much more needs to be done, including but not limited to providing resources for the states to make some of the changes outlined in the recommendations.