Skip Navigation
Expert Brief

How to Secure Elections for 2020 and Beyond

States urgently need federal funding to prepare for the cyberattacks that are likely to come. The danger to democracy is too great to wait until it’s too late.

Published: October 23, 2019

After months of endur­ing the “Moscow Mitch” label, Senate Major­ity Leader Mitch McCon­nell surprised many observ­ers in Septem­ber by throw­ing his support behind a proposal to provide $250 million in funds for state elec­tion secur­ity, some­thing he had assidu­ously rejec­ted all year. The move was only a partial conces­sion, and many rightly argue it is hardly enough.

McCon­nell still rejects the need for compre­hens­ive secur­ity legis­la­tion that many experts say we need. The proposal he supports would provide far less money than a House appro­pri­ations bill passed in June, which would not only provide the states with a much more robust $600 million, but also includes meas­ures meant to ensure that all of the money is spent on elec­tion secur­ity meas­ures rather than non-secur­ity related items.

The Wash­ing­ton Post has noted that McCon­nell’s sudden conver­sion “is likely just the start of what could be a battle royal in Congress” over these differ­ences. Still, the move by McCon­nell makes it much more likely states will see addi­tional money they can use for elec­tion secur­ity ahead of Novem­ber 2020. The House and Senate will need to comprom­ise to pass a budget, and for now, both sides finally seem to agree that states need more resources to ensure that Amer­ican elec­tions remain free, fair, and secure from cyber­at­tack.

One ques­tion we’re hear­ing a lot at the Bren­nan Center is: even if there is agree­ment, is it too late to make a differ­ence for 2020? The answer is no.

The Bren­nan Center has estim­ated that the national cost for some of the most crit­ical elec­tion secur­ity meas­ures to be approx­im­ately $2.2 billion over the next five years. Below I detail each of those items and explain why there is still time for an infu­sion of cash from Congress to make signi­fic­ant improve­ments in protect­ing our elec­tion from cyber­at­tacks.

Upgrad­ing voting machines and other crit­ical elec­tion infra­struc­ture

Most of the public dialogue around elec­tion secur­ity centers on secur­ing our voting machines. This is not partic­u­larly surpris­ing, as the easi­est attack to under­stand — and in many ways, the most night­mar­ish — is the inser­tion of malware onto voting machines that changes elec­tion results without detec­tion. 

The most crit­ical step we need to take around voting machines is repla­cing paper­less voting machines with systems that have a voter-veri­fied paper backup of every vote. Without that, we do not have an inde­pend­ent record that we can use to make sure we can trust the soft­ware totals provided by voting machines. The good news is that we’ve made substan­tial progress in repla­cing these machines, nearly halv­ing the number used since 2016. Still, unless more states and counties move to replace them, the Bren­nan Center estim­ates that approx­im­ately 16 million Amer­ic­ans will vote on paper­less systems in 2020.

More broadly, paper backup or not, many voting machines in the United States are so old they pose a secur­ity risk. At a certain point, older compu­ter­ized systems are more likely to fail and diffi­cult to main­tain. They use outdated hard­ware and soft­ware that are no longer serviced, mean­ing that some elec­tion offi­cials have to turn to eBay for replace­ment parts and cannot patch vulner­ab­il­it­ies when they are discovered. Elec­tion offi­cials know these machines should be replaced. In a survey last year, local offi­cials in 31 states told the Bren­nan Center they needed to replace their equip­ment before the 2020 elec­tion, but two-thirds said they did not have the funds to do so.

In addi­tion to voting machines, other crit­ical elec­tion infra­struc­ture, like voter regis­tra­tion data­bases, need to be upgraded for better secur­ity. It is worth remem­ber­ing that while there is no evid­ence that voting machines were targeted in 2016, voter regis­tra­tion data­bases certainly were, as they have been in other coun­tries around the world. We use voter regis­tra­tion data­bases to determ­ine who can vote and where. An attack on them, such as chan­ging or delet­ing files, could disen­fran­chise huge numbers of voters unless states take steps to prevent that. Many statewide voter regis­tra­tion systems in use today were first built between 2004 and 2006. These systems were not designed with cyber­se­cur­ity protec­tions needed to face today’s threats against our elec­tion infra­struc­ture.

Is it too late to upgrade or replace crit­ical elec­tion infra­struc­ture like voting machines and voter regis­tra­tion systems? 

Of the crit­ical elec­tion secur­ity meas­ures we need to take, this is one where the most lead time is prob­ably needed. As a general rule, states and counties don’t want to embark on repla­cing major elec­tion infra­struc­ture, much less than a year before a big elec­tion (which the Novem­ber 2020 elec­tion certainly will be). Still, it is worth noting that the state of Virginia replaced all of its paper­less voting machines in a matter of months after discov­er­ing they had severe secur­ity vulner­ab­il­it­ies.

Local cyber­se­cur­ity train­ing and staff

The vast and decent­ral­ized elec­tion system in the United States means our elec­tions are largely run at the local level. While there are certainly secur­ity bene­fits asso­ci­ated with this decent­ral­iz­a­tion, there are also obvi­ous risks.

Fore­most among these is the fact that with over 8,000 separ­ate elec­tion offices, there are many poten­tial targets — from local elec­tion websites that tell people where and when to vote to elec­tion night report­ing systems, which aggreg­ate vote totals for the public after the polls close. As Bob Brehm, co-exec­ut­ive director of the New York State Board of Elec­tions, recently put it in an inter­view with the Bren­nan Center, “it is not reas­on­able” to expect each of these state and local elec­tion offices to inde­pend­ently “defend against hostile nation-state actors.” This is partic­u­larly true in the case of local elec­tion offices that frequently have little or no in-house IT or cyber­se­cur­ity resources.

The need for cyber­se­cur­ity expert­ise (and train­ing for non-expert staff) will continue to be high in 2020. Many states and counties around the coun­try have or are in the process of having the Depart­ment of Home­land Secur­ity or other secur­ity experts conduct cyber­se­cur­ity scans of their elec­tion-related computer systems. But with current resources, not all local juris­dic­tions will be able to take action to fix or minim­ize vulner­ab­il­it­ies that are discovered.

Contin­gency plan­ning

Efforts to prevent attacks in the first place are, of course, crit­ical. But in the months remain­ing before the elec­tion, it is at least equally import­ant that state and local elec­tion offi­cials ensure adequate prepar­a­tions are in place to quickly and effect­ively recover if preven­tion efforts are unsuc­cess­ful.

Examples of the kinds of attacks we could see include:

  • Hack­ing of elec­tion websites that provide inform­a­tion on polling loca­tions, voting times, and regis­tra­tion status
  • Cyber­at­tacks on regis­tra­tion systems or elec­tronic poll books (tablets that are used to check in voters and are often connec­ted to the inter­net during voting) to elim­in­ate people from voter rolls, switch their desig­nated polling places, or incor­rectly show that they already voted
  • Cyber­at­tacks on elec­tion vendors who program voting machines for the purpose of crash­ing machines during voting or alter­ing vote totals
  • Attacks on elec­tion night report­ing systems to take down these sites or provide incor­rect inform­a­tion on elec­tion results.

For each of these, there are contin­gency plans that could mitig­ate the damage such an attack could do, even if success­ful.

So, for example, elec­tion offi­cials must ensure that there are suffi­cient emer­gency paper ballots where elec­tronic machines are used so that machine fail­ures do not lead to long lines or lost votes is a crit­ical step every juris­dic­tion using such equip­ment should take. Simil­arly, they must make sure that there are paper backups of elec­tronic poll­books in every polling place, so that fail­ure of these tablets does not keep people from voting. Finally, estab­lish­ing redund­ant elec­tion night report­ing sites that could be made avail­able in the event the main site is attacked, and having a good commu­nic­a­tions plan in place in the event of such an attack, will be crit­ical for elec­tion offi­cials to retain cred­ib­il­ity in the event they discover a breach of such systems.

Elec­tion offi­cials have long been focused on creat­ing contin­gency plans ahead of Elec­tion Day, which are a source of strength as our elec­tions face new secur­ity threats. But these steps cost money. Congress and state legis­latures must ensure that elec­tion offi­cials have enough resources to imple­ment these plans effect­ively.

Post-elec­tion audits

A crit­ical compon­ent of elec­tion secur­ity is known as the “post-elec­tion audit,” which compares the paper ballots to the elec­tronic totals produced by each voting machine. Nearly 90 percent of Amer­ic­ans will vote on paper-based systems in 2020, and we expect that at least 42 states will have paper records of nearly every vote. But these paper records will be of little secur­ity value unless they are used to check and confirm elec­tronic tallies.

Here is where there is the most work to do. Only 24 of these 42 states require these kind of post-elec­tion audits before certi­fic­a­tion of elec­tion results. The remain­ing 26 states, total­ing 243 elect­oral votes, do not currently require post-elec­tion audits of all votes prior to certi­fic­a­tion.

However, there is noth­ing stop­ping most of these remain­ing states from conduct­ing such audits if they have the resources do so. Many states would like to do more. In fact, a slew of states, includ­ing Geor­gia, Indi­ana, Michigan, Missouri, New Jersey, Pennsylvania, and Virginia have recently or soon plan to launch pilots of the most robust kind of post-elec­tion audit, the risk-limit­ing audit (RLA). These audits use stat­ist­ical model­ing to detect poten­tial inac­curacies in elec­tion outcomes, whether they are the result of acci­dental or inten­tional inter­fer­ence. RLAs can provide assur­ance that the repor­ted winner did, in fact, win.

While such audits would not prevent success­ful attacks against elec­tronic voting machines, they would provide states with the oppor­tun­ity to catch such attacks and then use the paper ballots to correct totals to reflect voter’s choices. They would also help increase confid­ence in the integ­rity of an elec­tion that are likely to be chal­lenged on social media, regard­less of the outcome.

It’s not too late

While the window is clos­ing on the abil­ity of states to make major upgrades like repla­cing paper­less voting machines, there is still time. Just as import­antly, there are other meas­ures that states can take in 2020 that are at least as crit­ical to protect­ing elec­tions. That includes hiring cyber­se­cur­ity staff that can address prob­lems as they are discovered in 2020; imple­ment­ing more robust contin­gency plan­ning so that if attack­ers are success­ful in disrupt­ing our Elec­tion Day, people can still vote and have assur­ance those votes will be coun­ted; and conduct­ing post-elec­tion audits to confirm that cyber­at­tacks did not alter elec­tion results.

But a complete answer would also include the import­ant caveat that “Is it too late?” is the wrong ques­tion. Congress has a bad habit of throw­ing money at our elec­tion infra­struc­ture only when things go off the rails. In the wake of the 2000 elec­tion fiasco, Congress passed the 2002 Help Amer­ic­ans Vote Act, which provided hundreds of millions of dollars to replace punch card machines and mandate statewide voter regis­tra­tion data­bases.

Congress didn’t invest in our elec­tion infra­struc­ture again for another 16 years. Of course, we must do everything we can to secure the 2020 elec­tion. But there will be elec­tions after 2020. The threat of cyber­at­tacks will still be with us. We need a consist­ent and steady stream of fund­ing to protect us in 2022, 2024, and beyond.