After months of enduring the “Moscow Mitch” label, Senate Majority Leader Mitch McConnell surprised many observers in September by throwing his support behind a proposal to provide $250 million in funds for state election security, something he had assiduously rejected all year. The move was only a partial concession, and many rightly argue it is hardly enough.
McConnell still rejects the need for comprehensive security legislation that many experts say we need. The proposal he supports would provide far less money than a House appropriations bill passed in June, which would not only provide the states with a much more robust $600 million, but also includes measures meant to ensure that all of the money is spent on election security measures rather than non-security related items.
The Washington Post has noted that McConnell’s sudden conversion “is likely just the start of what could be a battle royal in Congress” over these differences. Still, the move by McConnell makes it much more likely states will see additional money they can use for election security ahead of November 2020. The House and Senate will need to compromise to pass a budget, and for now, both sides finally seem to agree that states need more resources to ensure that American elections remain free, fair, and secure from cyberattack.
One question we’re hearing a lot at the Brennan Center is: even if there is agreement, is it too late to make a difference for 2020? The answer is no.
The Brennan Center has estimated that the national cost for some of the most critical election security measures to be approximately $2.2 billion over the next five years. Below I detail each of those items and explain why there is still time for an infusion of cash from Congress to make significant improvements in protecting our election from cyberattacks.
Upgrading voting machines and other critical election infrastructure
Most of the public dialogue around election security centers on securing our voting machines. This is not particularly surprising, as the easiest attack to understand — and in many ways, the most nightmarish — is the insertion of malware onto voting machines that changes election results without detection.
The most critical step we need to take around voting machines is replacing paperless voting machines with systems that have a voter-verified paper backup of every vote. Without that, we do not have an independent record that we can use to make sure we can trust the software totals provided by voting machines. The good news is that we’ve made substantial progress in replacing these machines, nearly halving the number used since 2016. Still, unless more states and counties move to replace them, the Brennan Center estimates that approximately 16 million Americans will vote on paperless systems in 2020.
More broadly, paper backup or not, many voting machines in the United States are so old they pose a security risk. At a certain point, older computerized systems are more likely to fail and difficult to maintain. They use outdated hardware and software that are no longer serviced, meaning that some election officials have to turn to eBay for replacement parts and cannot patch vulnerabilities when they are discovered. Election officials know these machines should be replaced. In a survey last year, local officials in 31 states told the Brennan Center they needed to replace their equipment before the 2020 election, but two-thirds said they did not have the funds to do so.
In addition to voting machines, other critical election infrastructure, like voter registration databases, need to be upgraded for better security. It is worth remembering that while there is no evidence that voting machines were targeted in 2016, voter registration databases certainly were, as they have been in other countries around the world. We use voter registration databases to determine who can vote and where. An attack on them, such as changing or deleting files, could disenfranchise huge numbers of voters unless states take steps to prevent that. Many statewide voter registration systems in use today were first built between 2004 and 2006. These systems were not designed with cybersecurity protections needed to face today’s threats against our election infrastructure.
Is it too late to upgrade or replace critical election infrastructure like voting machines and voter registration systems?
Of the critical election security measures we need to take, this is one where the most lead time is probably needed. As a general rule, states and counties don’t want to embark on replacing major election infrastructure, much less than a year before a big election (which the November 2020 election certainly will be). Still, it is worth noting that the state of Virginia replaced all of its paperless voting machines in a matter of months after discovering they had severe security vulnerabilities.
Local cybersecurity training and staff
The vast and decentralized election system in the United States means our elections are largely run at the local level. While there are certainly security benefits associated with this decentralization, there are also obvious risks.
Foremost among these is the fact that with over 8,000 separate election offices, there are many potential targets — from local election websites that tell people where and when to vote to election night reporting systems, which aggregate vote totals for the public after the polls close. As Bob Brehm, co-executive director of the New York State Board of Elections, recently put it in an interview with the Brennan Center, “it is not reasonable” to expect each of these state and local election offices to independently “defend against hostile nation-state actors.” This is particularly true in the case of local election offices that frequently have little or no in-house IT or cybersecurity resources.
The need for cybersecurity expertise (and training for non-expert staff) will continue to be high in 2020. Many states and counties around the country have or are in the process of having the Department of Homeland Security or other security experts conduct cybersecurity scans of their election-related computer systems. But with current resources, not all local jurisdictions will be able to take action to fix or minimize vulnerabilities that are discovered.
Efforts to prevent attacks in the first place are, of course, critical. But in the months remaining before the election, it is at least equally important that state and local election officials ensure adequate preparations are in place to quickly and effectively recover if prevention efforts are unsuccessful.
Examples of the kinds of attacks we could see include:
- Hacking of election websites that provide information on polling locations, voting times, and registration status
- Cyberattacks on registration systems or electronic poll books (tablets that are used to check in voters and are often connected to the internet during voting) to eliminate people from voter rolls, switch their designated polling places, or incorrectly show that they already voted
- Cyberattacks on election vendors who program voting machines for the purpose of crashing machines during voting or altering vote totals
- Attacks on election night reporting systems to take down these sites or provide incorrect information on election results.
For each of these, there are contingency plans that could mitigate the damage such an attack could do, even if successful.
So, for example, election officials must ensure that there are sufficient emergency paper ballots where electronic machines are used so that machine failures do not lead to long lines or lost votes is a critical step every jurisdiction using such equipment should take. Similarly, they must make sure that there are paper backups of electronic pollbooks in every polling place, so that failure of these tablets does not keep people from voting. Finally, establishing redundant election night reporting sites that could be made available in the event the main site is attacked, and having a good communications plan in place in the event of such an attack, will be critical for election officials to retain credibility in the event they discover a breach of such systems.
Election officials have long been focused on creating contingency plans ahead of Election Day, which are a source of strength as our elections face new security threats. But these steps cost money. Congress and state legislatures must ensure that election officials have enough resources to implement these plans effectively.
A critical component of election security is known as the “post-election audit,” which compares the paper ballots to the electronic totals produced by each voting machine. Nearly 90 percent of Americans will vote on paper-based systems in 2020, and we expect that at least 42 states will have paper records of nearly every vote. But these paper records will be of little security value unless they are used to check and confirm electronic tallies.
Here is where there is the most work to do. Only 24 of these 42 states require these kind of post-election audits before certification of election results. The remaining 26 states, totaling 243 electoral votes, do not currently require post-election audits of all votes prior to certification.
However, there is nothing stopping most of these remaining states from conducting such audits if they have the resources do so. Many states would like to do more. In fact, a slew of states, including Georgia, Indiana, Michigan, Missouri, New Jersey, Pennsylvania, and Virginia have recently or soon plan to launch pilots of the most robust kind of post-election audit, the risk-limiting audit (RLA). These audits use statistical modeling to detect potential inaccuracies in election outcomes, whether they are the result of accidental or intentional interference. RLAs can provide assurance that the reported winner did, in fact, win.
While such audits would not prevent successful attacks against electronic voting machines, they would provide states with the opportunity to catch such attacks and then use the paper ballots to correct totals to reflect voter’s choices. They would also help increase confidence in the integrity of an election that are likely to be challenged on social media, regardless of the outcome.
It’s not too late
While the window is closing on the ability of states to make major upgrades like replacing paperless voting machines, there is still time. Just as importantly, there are other measures that states can take in 2020 that are at least as critical to protecting elections. That includes hiring cybersecurity staff that can address problems as they are discovered in 2020; implementing more robust contingency planning so that if attackers are successful in disrupting our Election Day, people can still vote and have assurance those votes will be counted; and conducting post-election audits to confirm that cyberattacks did not alter election results.
But a complete answer would also include the important caveat that “Is it too late?” is the wrong question. Congress has a bad habit of throwing money at our election infrastructure only when things go off the rails. In the wake of the 2000 election fiasco, Congress passed the 2002 Help Americans Vote Act, which provided hundreds of millions of dollars to replace punch card machines and mandate statewide voter registration databases.
Congress didn’t invest in our election infrastructure again for another 16 years. Of course, we must do everything we can to secure the 2020 election. But there will be elections after 2020. The threat of cyberattacks will still be with us. We need a consistent and steady stream of funding to protect us in 2022, 2024, and beyond.