Election officials warn that the time is running out for Congress to bolster security before the 2020 race. The warnings follow a recent statement from a senior U.S. intelligence official confirming that Russia, China, and Iran are attempting to manipulate public opinion ahead of the 2020 elections. And earlier this year, the Department of Homeland Security and the FBI reported that Russian hacking efforts in 2016 were more extensive than originally understood, targeting elections in all 50 states.
Congress took a major step last year toward helping states boost their election security efforts by approving $380 million in grant funds through the Help America Vote Act (HAVA). States have started to put that funding to work and are expected to spend 85 percent of that money by the 2020 election, much of it on cybersecurity, updated voting equipment, and election audits, according to estimates by the Elections Assistance Commission (EAC).
But despite those efforts, many election security projects at the state level remain unfunded or underfunded, as outlined in Defending Elections, a new paper authored by a bipartisan group of organizations including the Brennan Center, the Alliance for Securing Democracy, R Street Institute, and the University of Pittsburgh Institute for Cyber Law, Policy, and Security. Defending Elections provides case studies from six states analyzing how they allocated their HAVA grants and the outstanding needs for additional election security funding. “State and local election officials need support from the federal government,” said Liz Howard, who is a counsel in the Brennan Center’s Democracy Program, was the former deputy commissioner for the Virginia Department of Elections, and co-authored the Defending Elections report. “They are on the front lines, yet many, especially those in rural localities, simply lack the resources to implement additional election security projects to further strengthen our election infrastructure.”
Many states have outdated election security infrastructure
Despite making some notable progress since the 2016 election, many states continue to face infrastructure challenges and funding shortages for their election security projects. For example, most states are using outdated voting machines that are more than a decade old and in many cases are no longer manufactured. Worryingly, there are 11 states that still use paperless electronic voting machines, which are especially vulnerable to hacking because they do not produce a paper record to help election officials detect and respond to a cyberattack. There is a widespread consensus on the need to replace paperless voting machines, which includes the support of the U.S. Senate and House Intelligence Committees and a 2018 report by the National Academies of Sciences, Engineering, and Medicine.
Additionally, many states are using voter registration databases that are out of date and are ill-equipped to address current cybersecurity threats. Leading up to the 2016 election, Russian operatives attempted to infiltrate state voter registration systems. In Illinois, for example, the hackers were able to access voter files, undetected, for nearly three weeks, and attempted to modify records in the state’s voter registration database. But as of May 2017, 41 states were still using voter registration systems that were created more than a decade ago. These outdated systems are potentially vulnerable to foreign manipulation and could prevent voters from successfully casting a ballot on Election Day.
States also need additional funding to provide cybersecurity support for local election officials, many of whom do not have dedicated IT staff or adequate resources to respond to cyberattacks. One potential model way to address this shortcoming is through a state
“cyber navigator program,” which would delegate state employees to provide election security and cybersecurity professional services to local election officials. Such a program, which has recently been developed in Illinois, would help election officials shift from a reactive approach of responding to threats in real-time toward a proactive approach of creating a good cybersecurity environment longer-term.
Finally, more than half of states do not currently require post-election audits — which verify whether voting machines are recording and tallying votes correctly — before certifying election results. Furthermore, only two states, Colorado and Rhode Island, will by 2020 require risk-limiting audits, the gold standard recommended by the Brennan Center and many cybersecurity experts for post-election audits. Risk-limiting audits can help confirm for voters that the outcome of an election was not affected by a counting error or a malicious attack.
Congress can help protect U.S. elections from foreign interference
There are many measures that officials can take to protect the integrity of U.S. elections. However, the timeline is limited and many of the efforts are underfunded, making it all the more urgent for Congress to intervene. “Election security is national security, and we are only as strong as our weakest link,” said Howard. “Congress must act now to ensure that states have what they need to fight back against any foreign attacks on our democracy.”
Read the full Brennan Center paper, Defending Elections: Federal Funding Needs for State Election Security.