Skip Navigation
Expert Brief

2020’s Lessons for Election Security

This year’s unprecedented vote showed what works, what doesn’t, and what we need to do to keep future elections secure.

voting
Pacific Press/Contributor/Getty

The Novem­ber 2020 elec­tion has been called the “most secure in Amer­ican history” by the federal govern­ment’s cyber­se­cur­ity agency. This is good news that all Amer­ic­ans should celeb­rate, but it does not mean the work to protect our elec­tions is done. Elec­tion secur­ity is a race without a finish line. 2020 offers import­ant lessons for how to protect future elec­tions from cyber­at­tacks and tech­nical fail­ures. We detail five of them below.

Prepar­a­tion is key to elec­tion secur­ity

While there were reports of mali­cious activ­ity from foreign actors in the weeks lead­ing up to Elec­tion Day, we avoided the type of debil­it­at­ing attack that many experts feared. This was not just good fortune. After a wake-up call in 2016 — when Russian agents engaged in extens­ive prob­ing of the coun­try’s elec­tion infra­struc­ture — elec­tion offi­cials worked with federal author­it­ies and secur­ity experts to under­stand vulner­ab­il­it­ies in their systems, upgrade infra­struc­ture, invest in train­ing and tech­nical support, and put in place backup meas­ures to recover from tech­nical fail­ures.

Greater collab­or­a­tion between the federal govern­ment and state and local elec­tion author­it­ies repres­en­ted one of the most crit­ical areas of progress. In Janu­ary 2017, the Depart­ment of Home­land Secur­ity (DHS) desig­nated the nation’s elec­tion systems as “crit­ical infra­struc­ture.” Since then, federal agen­cies like the Cyber­se­cur­ity and Infra­struc­ture Secur­ity Agency (CISA) have stepped up to increase inform­a­tion shar­ing, support, and resources to help elec­tion offi­cials under­stand and meet the chal­lenges of cyber­se­cur­ity. The agency deployed intru­sion detec­tion sensors on elec­tion related systems, conduc­ted risk and vulner­ab­il­ity assess­ments, and helped train elec­tion offi­cials on cyber­se­cur­ity best prac­tices.

Attacks against our elec­tions didn’t stop after 2016. But we are now better prepared to defend ourselves against these intru­sions. As former deputy director of CISA Matt Davis noted, “there were intru­sion attempts and other kinds of mischief on elec­tion day [in 2020],” but states were “better prepared” and were able to “[bat] them down” before they caused any harm.

While our invest­ment and prepar­a­tion paid off this year, threats will evolve and that means our defenses must too. Recent reports that Russian govern­ment hack­ers breached Treas­ury and Commerce Depart­ment networks — and possibly those of other federal agen­cies — are a wake-up call that we still have much work to strengthen cyber­se­cur­ity nation­ally.

What more can be done to protect our elec­tion infra­struc­ture in the coming years?

Most import­antly, Congress must make a long-term commit­ment to fund­ing elec­tion secur­ity. Before 2018, Congress had not appro­pri­ated funds for elec­tions since the Help Amer­ica Vote Act passed in 2002. Since 2018, Congress has inves­ted $805 million to secure our elec­tions. While this fund­ing helped states put them­selves in a much stronger posi­tion to face cyber­se­cur­ity threats in 2020, onetime invest­ments without the certainty of contin­ued fund­ing can mean that import­ant invest­ments are never made. Indeed, elec­tion offi­cials are often wary of imple­ment­ing systems and processes that require long-term main­ten­ance for fear that they will be left to pick up the tab once federal funds run out. Sustained federal fund­ing would allow offi­cials to create programs with longev­ity in mind.

Elec­tion secur­ity promotes voter access, and voter access promotes secur­ity

Elec­tion secur­ity improve­ments not only made our elec­tions more resi­li­ent, but also had the welcomed effect of increas­ing voter access. Strengthened infra­struc­ture meant that when govern­ment offices closed due to Covid-19, upgraded elec­tion websites were equipped to handle the increased demand caused by voters shift­ing to online regis­tra­tion. And when voters showed up to their polling places, recently upgraded voting machines were less likely to malfunc­tion and cause voters to wait in long lines.

Elec­tion offi­cials also prepared for a poten­tial cyber­at­tack by supply­ing polling places with paper-based backups. While we didn’t see a cyber­at­tack shut down equip­ment this year, these contin­gency plans meant that voting could continue on Elec­tion Day during routine tech­nical glitches. This fall, elec­tion work­ers in Fulton County, Geor­gia, provided voters with emer­gency paper ballots when voting equip­ment was slow to start; Frank­lin County, Ohio, switched to paper backup poll­books when elec­tronic poll­books malfunc­tioned; and voters in Chester­field County, Virginia, had the option to vote on provi­sional ballots when the state’s voter regis­tra­tion data­base became inac­cess­ible during early voting.

Crit­ic­ally, the spillover bene­fits worked both ways in 2020: not only did efforts to strengthen elec­tion secur­ity promote voter access, but increased voter access in turn promoted secur­ity and resi­li­ency. In response to the Covid-19 pandemic, states expan­ded access to mail votingexten­ded early in-person voting peri­ods, and opened early more loca­tions. These efforts paid off, as states saw record levels of early and mail voting.

More voting options meant that the impact and stress on elec­tion systems was spread out over a longer period and that there were more oppor­tun­it­ies to discover and resolve issues before the end of the voting period. For instance, after over­whelmed elec­tronic poll­book systems drastic­ally slowed voting during the start of early voting in Geor­gia, the secret­ary of state’s office worked with the vendor and resolved the issue by the third day of early voting. Record-setting early voting meant that chal­lenges that might have other­wise appeared for the first time on Elec­tion Day were detec­ted earlier, when there was still time to fix them before most voters had cast their ballots. In states like Geor­gia, voters that showed up to the polls on Elec­tion Day exper­i­enced shorter wait times than they had in previ­ous elec­tions.

Congress failed in its oblig­a­tion to adequately fund the 2020 elec­tion

When the pandemic reached the United States back in March, the Bren­nan Center estim­ated that elec­tion offi­cials would face about $2 billion in extra costs to take the steps neces­sary to hold safe and secure elec­tions in Novem­ber (and up to $4 billion for all elec­tions in 2020). That was on top of the normal costs of elec­tion admin­is­tra­tion that would exist even without a public health crisis. But states received just a frac­tion of that amount from Congress.

So how did elec­tion offi­cials manage? In part by rely­ing on private actors to fill the gaps left by poli­cy­makers. This included a $400 million contri­bu­tion from Mark Zuck­er­berg — an amount equal to what Congress contrib­uted — to fund elec­tion admin­is­tra­tion grants in more than 2,500 juris­dic­tions across the coun­try.

And Zuck­er­berg was not the only private contrib­utor to elec­tions this year. The Schwar­zeneg­ger Insti­tute at the Univer­sity of South­ern Cali­for­nia distrib­uted more than $2.5 million in grant fund­ing for activ­it­ies such as hiring addi­tional elec­tion work­ers and keep­ing polling places open, accord­ing to the insti­tute. NBA owners opened up their stadi­ums for free use as polling places or canvassing facil­it­ies. A coali­tion of busi­nesses led by Busi­ness for Amer­ica and the National Elec­tion Defense Coali­tion donated PPE and other crit­ical supplies to polling places. Numer­ous busi­nesses and nonprofit organ­iz­a­tions took on the role of public educa­tion to help voters navig­ate their safe voting options this year and ensure that their ballot would be coun­ted.

Further, hundreds of thou­sands of indi­vidu­als stepped up to become first time poll work­ers in place of high-risk indi­vidu­als, even when juris­dic­tions were unable to provide hazard or increased incent­ive pay for this work. Through initi­at­ives like Time to Vote, private compan­ies aided these efforts by paying employ­ees who took Elec­tion Day off to work as poll work­ers.

To under­stand what Novem­ber could have looked like without these volun­teer and char­it­able efforts, we only need look at the primary elec­tions from earlier in the year. Before addi­tional assist­ance arrived, voters across the coun­try dealt with polling place clos­ures, fewer early voting oppor­tun­it­ies, long lines, and mail ballot delays that led to their vote not being coun­ted. All of these issues occurred when most states exper­i­enced turnout that was less than half of the record break­ing activ­ity we saw for the general elec­tion.

Absent a once in a life­time pandemic, it is not at all clear the private actors will again jump into the void to ensure local juris­dic­tions can run their elec­tions. And even if they are will­ing, it is a danger­ous game to force juris­dic­tions to become reli­ant on private actors to be able to perform the most basic func­tion of ensur­ing free and fair elec­tions for all Amer­ic­ans. In a demo­cracy, running and paying for elec­tions is a core govern­mental respons­ib­il­ity. Congress must make sure that juris­dic­tions have the funds they need to run their elec­tions going forward.

Paper ballots are neces­sary to secure voting equip­ment and build public confid­ence

Few aspects of our elec­tion system have received as much atten­tion and ire from secur­ity experts as paper­less voting machines. These machines pose a signi­fic­ant risk to elec­tion integ­rity: if elec­tion offi­cials were to discover a hack of these machines, paper­less systems provide no inde­pend­ent record that can be used to verify their accur­acy.

States have prior­it­ized the replace­ment of anti­quated paper­less voting machines over the past four years. In 2016, 14 states used paper­less voting machines as the primary equip­ment in at least some of their counties and towns. Eight states have since replaced these machines, and the states that didn’t still saw more votes on paper ballots that in the previ­ous elec­tion due to increased absentee voting.

The broad avail­ab­il­ity of paper records is one reason that former CISA director Chris Krebs said that this year’s elec­tion was our most secure ever. He noted that 95 percent of the ballots cast had a paper record asso­ci­ated with it in 2020, compared to only 82 percent of ballots cast in the 2016 elec­tion.

Even when a hack does not occur, elec­tion offi­cials can increase confid­ence in elec­tion results by check­ing the paper records during an audit after the elec­tion. Within a week of Elec­tion Day, Geor­gia conduc­ted a statewide audit of paper ballots, a historic first for the state, which reaf­firmed the outcome of the pres­id­en­tial race as origin­ally repor­ted. Arizona, Nevada, Michigan, Pennsylvania, and Wiscon­sin — battle­ground states where partis­ans have ques­tioned the valid­ity of results without evid­ence — all have paper records and will conduct postelec­tion audits.

But while there’s been a lot of progress in getting rid of paper­less machines since 2016, six states still don’t have a paper record for every vote. In 2019, the Bren­nan Center found that many elec­tion offi­cials wanted to replace their equip­ment before the 2020 elec­tions but did not have the funds to do so.

Elec­tion admin­is­tra­tion is increas­ingly reli­ant on private vendors who face little over­sight and account­ab­il­ity

Cyber­at­tacks are not the only cause of tech­nical fail­ures. Whether the source of a fail­ure is mali­cious or not, the impact on voters can be the same: making it diffi­cult or impossible to cast a valid ballot. This year we once again saw prob­lems with voting equip­ment, demon­strat­ing the need for more robust stand­ards for elec­tion systems. But the most common tech­nical prob­lems we saw came from elec­tronic poll­books used to check in voters, for which there are currently no federal stand­ards.

Many of these elec­tronic poll­books were manu­fac­tured by a single vendor, a stark reminder of how wide­spread prob­lem can become when there are issues with just one product or provider.

Private vendors play a crit­ical role in every aspect of our elec­tions. This was more appar­ent than ever in 2020, as elec­tion offi­cials depended on private vendors to adjust their systems and meet the chal­lenges of Covid-19. Most of these vendors came through. But some juris­dic­tions saw prob­lems with voters receiv­ing the wrong ballotsballot track­ing systems malfunc­tion­ing, and ballot print­ers back­ing out of oblig­a­tions.

Elec­tion vendors face little federal over­sight. Unlike in compar­able crit­ical infra­struc­tures sectors, elec­tion system vendors are under no oblig­a­tion to disclose owner­ship, report cyber­se­cur­ity incid­ents, prac­tice secure hiring prac­tices, or ensure supply chain integ­rity. Because of this, state and local elec­tion offi­cials often have no inde­pend­ent source to assist them as they outsource crit­ical elec­tion work.

Congress must play a more aggress­ive over­sight role in this space and ensure that vendors are taking the steps neces­sary to mitig­ate secur­ity risks.

It’s possible to make the next elec­tion even more secure. The key is to learn from the last one, keep invest­ing in infra­struc­ture, and build off the progress we’ve made.