Earlier this year, the federal government set aside $380 million for states to spend on shoring up the country’s aging election machines and computers. With the threat of foreign hacking and equipment breakdowns looming, the money is a critical down payment on securing our elections (though it’s not quite enough to replace all the country’s most vulnerable equipment).
Two months since, most states have requested their share. Here are five ways they can spend those funds to best protect the vote this November.
Replace paperless voting machines
Thirteen states still use electronic voting machines that have no voter-verifiable paper record. Security experts warn against continued use of these machines, which do not allow election officials and the public to confirm electronic vote totals. If officials discover that voting machine software has been corrupted or data has been lost, it may be impossible to recover the lost votes without a paper record.
Of the 13 states that continue to use paperless equipment, seven have not yet requested their share of the federal money made available this year. Of the five states that use such systems statewide, only one has done so. This might be in part because, in most states, the money will not be enough to replace all their outdated voting equipment. But even these states could replace at least some paperless systems in 2019.
For example, in New Jersey, the recently proposed Elections Security Act would replace all paperless voting equipment across the state over a four-year period, starting with just three counties in the first year. New Jersey’s $9.7 million grant could cover year one of the state’s estimated equipment transition costs — roughly $5.8 to $9.1 million, depending on which counties the state chooses. It may now be too late to replace equipment before the 2018 general election, but anything a state can do between now and November matters.
Conduct Post-Election Audits
Even among states that use equipment with paper ballots, many do not conduct post-election audits to check the electronic totals and make sure the vote was counted properly.
Thirty-two states and the District of Columbia mandate post-election audits. Most of these states require traditional post-election audits in which only ballots from a set percentage of precincts are reviewed. Only two of these states — Colorado and Rhode Island — mandate “risk-limiting” audits, designed to provide a high level of statistical confidence that a software hack or bug did not produce the wrong outcome. In comparison to traditional audits, risk-limiting audits not only detect a broad array of intentional bad acts and errors that result in inaccurate election outcomes but also greatly improve audit efficiency. These audits are now considered the “gold standard” of post-election audits.
Not surprisingly, several jurisdictions around the country are planning to stage pilots of this critical security measure. In May, Marion County, Indiana, completed a successful risk-limiting audit pilot. Separately, multiple localities in Virginia and California and across the country plan to conduct pilots this summer and after the November elections. More states should use federal grants to conduct post-election audit pilots, with an eye to making this practice widespread by 2020.
Upgrade and secure voter registration databases
Approximately 40 states are using voter registration databases that were initially created at least a decade ago. Many of these aging databases were not designed to withstand 21st century cybersecurity threats and desperately need to be upgraded and strengthened.
The Minnesota secretary of state identified upgrades to his state’s voter registration database, built in 2004, as the election system’s greatest security need and requested $1.4 million in the state budget even before the federal government offered grant money for election security improvements. But last month, Gov. Mark Dayton vetoed the bill that could have authorized the $6.6 million grant from the federal government to pay for these improvements.
The number of national security experts who identify state voter registration databases as one of the biggest security risks of the 2018 election cycle continues to grow. Recent election-day pollbook failures in states like California and South Dakota highlight the importance of securing voter registration databases to protect voters’ information.
Secure election websites
Election websites are high-profile targets for cybercriminals, foreign governments, and hackers. These attackers are becoming increasingly sophisticated and have successfully targeted election agencies and infrastructure around the world, as well as state and local election authorities here in the United States.
Just last month, hackers associated with non-U.S. IP addresses successfully attacked the Knox County, Tennessee, elections website on election night and, at minimum, caused the website to crash.More recently, a cybersecurity firm uncovered vulnerabilities in the state election websites of Alabama and Nevada while doing research for marketing purposes. Though Nevada election authorities discovered this vulnerability back in December 2017, the state has yet to fix the problem, citing “budgetary concerns.”
But given the near certainty of future attempts to interfere in U.S. elections and the grave consequences of a successful cyberattack, states should make website security a top budgetary priority. As John Bennett, deputy chief of staff for Alabama’s secretary of state, said, “[W]e’re at the point with elections where we are acknowledging that one of the biggest battles is to protect perception.”
Hire additional cybersecurity staff
In Florida, Gov. Rick Scott announced the hiring of five cybersecurity specialists to assist with this year’s election. Illinois is engaging cybersecurity specialists, referred to as “cyber navigators,” to assist counties directly with their efforts to “defend against cyber breaches and detect and recover from cyberattacks.”
States that haven’t asked for their money need to do so – now.
While states may have good reasons to wait on spending their security grant funds, such as time-intensive procurement policies or hiring procedures, it’s not clear why 17 states and the District of Columbia have not yet requested the funds when submitting a one-page form is all that’s necessary.
The Election Assistance Commission (EAC) and the federal government made the funds available just 30 days from the date the bill was signed. To further expedite the process, the EAC gave the states until July 16 to submit their detailed plan for spending the money. In moving so quickly, the EAC highlighted the urgency of threats to election security across the U.S. Every state can make immediate and high-impact expenditures that will make their elections more secure, and we encourage state leadership to do so as soon as possible.
Stay tuned to find out how states decide to improve election security across the country as we approach the 2018 November general election.