Skip Navigation
Analysis

U.S. Elections Are Still Vulnerable to Foreign Hacking

With the 2020 election looming, state and local election officials are short on funding to boost election security and protect democracy.

July 18, 2019

Elec­tion offi­cials warn that the time is running out for Congress to bolster secur­ity before the 2020 race. The warn­ings follow a recent state­ment from a senior U.S. intel­li­gence offi­cial confirm­ing that Russia, China, and Iran are attempt­ing to manip­u­late public opin­ion ahead of the 2020 elec­tions. And earlier this year, the Depart­ment of Home­land Secur­ity and the FBI repor­ted that Russian hack­ing efforts in 2016 were more extens­ive than origin­ally under­stood, target­ing elec­tions in all 50 states.

Congress took a major step last year toward help­ing states boost their elec­tion secur­ity efforts by approv­ing $380 million in grant funds through the Help Amer­ica Vote Act (HAVA). States have star­ted to put that fund­ing to work and are expec­ted to spend 85 percent of that money by the 2020 elec­tion, much of it on cyber­se­cur­ity, updated voting equip­ment, and elec­tion audits, accord­ing to estim­ates by the Elec­tions Assist­ance Commis­sion (EAC).

But despite those efforts, many elec­tion secur­ity projects at the state level remain unfun­ded or under­fun­ded, as outlined in Defend­ing Elec­tions, a new paper authored by a bipar­tisan group of organ­iz­a­tions includ­ing the Bren­nan Center, the Alli­ance for Secur­ing Demo­cracy, R Street Insti­tute, and the Univer­sity of Pitt­s­burgh Insti­tute for Cyber Law, Policy, and Secur­ity. Defend­ing Elec­tions provides case stud­ies from six states analyz­ing how they alloc­ated their HAVA grants and the outstand­ing needs for addi­tional elec­tion secur­ity fund­ing. “State and local elec­tion offi­cials need support from the federal govern­ment,” said Liz Howard, who is a coun­sel in the Bren­nan Center’s Demo­cracy Program, was the former deputy commis­sioner for the Virginia Depart­ment of Elec­tions, and co-authored the Defend­ing Elec­tions report. “They are on the front lines, yet many, espe­cially those in rural local­it­ies, simply lack the resources to imple­ment addi­tional elec­tion secur­ity projects to further strengthen our elec­tion infra­struc­ture.”

Many states have outdated elec­tion secur­ity infra­struc­ture

Despite making some notable progress since the 2016 elec­tion, many states continue to face infra­struc­ture chal­lenges and fund­ing short­ages for their elec­tion secur­ity projects. For example, most states are using outdated voting machines that are more than a decade old and in many cases are no longer manu­fac­tured. Worry­ingly, there are 11 states that still use paper­less elec­tronic voting machines, which are espe­cially vulner­able to hack­ing because they do not produce a paper record to help elec­tion offi­cials detect and respond to a cyber­at­tack. There is a wide­spread consensus on the need to replace paper­less voting machines, which includes the support of the U.S. Senate and House Intel­li­gence Commit­tees and a 2018 report by the National Academies of Sciences, Engin­eer­ing, and Medi­cine.

Addi­tion­ally, many states are using voter regis­tra­tion data­bases that are out of date and are ill-equipped to address current cyber­se­cur­ity threats. Lead­ing up to the 2016 elec­tion, Russian oper­at­ives attemp­ted to infilt­rate state voter regis­tra­tion systems. In Illinois, for example, the hack­ers were able to access voter files, undetec­ted, for nearly three weeks, and attemp­ted to modify records in the state’s voter regis­tra­tion data­base. But as of May 2017, 41 states were still using voter regis­tra­tion systems that were created more than a decade ago. These outdated systems are poten­tially vulner­able to foreign manip­u­la­tion and could prevent voters from success­fully cast­ing a ballot on Elec­tion Day. 

States also need addi­tional fund­ing to provide cyber­se­cur­ity support for local elec­tion offi­cials, many of whom do not have dedic­ated IT staff or adequate resources to respond to cyber­at­tacks. One poten­tial model way to address this short­com­ing is through a state
“cyber navig­ator program,” which would deleg­ate state employ­ees to provide elec­tion secur­ity and cyber­se­cur­ity profes­sional services to local elec­tion offi­cials. Such a program, which has recently been developed in Illinois, would help elec­tion offi­cials shift from a react­ive approach of respond­ing to threats in real-time toward a proact­ive approach of creat­ing a good cyber­se­cur­ity envir­on­ment longer-term.

Finally, more than half of states do not currently require post-elec­tion audits — which verify whether voting machines are record­ing and tally­ing votes correctly — before certi­fy­ing elec­tion results. Further­more, only two states, Color­ado and Rhode Island, will by 2020 require risk-limit­ing audits, the gold stand­ard recom­men­ded by the Bren­nan Center and many cyber­se­cur­ity experts for post-elec­tion audits. Risk-limit­ing audits can help confirm for voters that the outcome of an elec­tion was not affected by a count­ing error or a mali­cious attack.

Congress can help protect U.S. elec­tions from foreign inter­fer­ence

There are many meas­ures that offi­cials can take to protect the integ­rity of U.S. elec­tions. However, the timeline is limited and many of the efforts are under­fun­ded, making it all the more urgent for Congress to inter­vene. “Elec­tion secur­ity is national secur­ity, and we are only as strong as our weak­est link,” said Howard. “Congress must act now to ensure that states have what they need to fight back against any foreign attacks on our demo­cracy.”

Read the full Bren­nan Center paper, Defend­ing Elec­tions: Federal Fund­ing Needs for State Elec­tion Secur­ity.

(Image: bestdesigns)