Skip Navigation
Resource

Recommendations to Defend America’s Election Infrastructure

Intelligence agencies and security experts warn that America’s decentralized election infrastructure is likely to be a target in the 2020 election and beyond. The good news is there are key actions that federal, state, and local governments can take to ensure our elections remain free, fair, and secure.

Published: October 23, 2019

Demo­cracy in Amer­ica is under seri­ous threat. A bipar­tisan report from the Senate Intel­li­gence Commit­tee concluded that in 2016 all 50 states were likely targeted by Russian oper­at­ives seek­ing access to elec­tion infra­struc­ture, at least one major elec­tion vendor was success­fully breached, and that future attacks should be expec­ted. Indeed, since 2016, we have seen contin­ued cyber­at­tacks against polit­ical campaigns tied to both Russia and Iran

Amer­ican elec­tions are decent­ral­ized, with state and local elec­tion offi­cials retain­ing primary author­ity for admin­is­ter­ing them. This means, among other things, that they bear consid­er­able respons­ib­il­ity for defend­ing our infra­struc­ture against concer­ted attacks from soph­ist­ic­ated nation state actors. Fortu­nately, elec­tion offi­cials take this duty seri­ously, and the federal govern­ment has recently provided some over­due assist­ance, in the form of minimal fund­ing to improve elec­tion secur­ity and better coordin­a­tion with agen­cies such as the Depart­ment of Home­land Secur­ity. Many states are in the process of repla­cing anti­quated and paper­less voting machines with more secure systems, while others have sought out risk assess­ments to identify secur­ity vulner­ab­il­it­ies in import­ant infra­struc­ture such as regis­tra­tion data­bases.

Much more can be done, however, to strengthen elec­tion secur­ity and increase public confid­ence in elec­tions. Below, we detail our top policy recom­mend­a­tions for doing so.

Conduct Assess­ments and Test­ing

Discus­sions of elec­tion secur­ity often focus on indi­vidual aspects of elec­tion systems, such as voting machines or regis­tra­tion data­bases. While such focus is import­ant, it is also crit­ical to look at the elec­tion process as a whole, under­stand the inter­ac­tion of elec­tion systems and person­nel, and assess the vulner­ab­il­it­ies that exist in each facet that could be exploited by mali­cious actors look­ing to under­mine elec­tions. Below we detail steps the federal govern­ment could take to ensure more compre­hens­ive secur­ity.

Conduct peri­odic state and nation­wide threat assess­ments. As cyber threats evolve, it is essen­tial to assess the secur­ity of our elec­tion infra­struc­ture regu­larly, to under­stand where new vulner­ab­il­it­ies may crop up. Congress should provide resources for state and federal agen­cies to conduct regu­lar threat assess­ments and help state and local govern­ments imple­ment mitig­a­tion strategies to address the iden­ti­fied weak­nesses.

Estab­lish a bug bounty program for elec­tion systems. Bug bounty programs provide a mech­an­ism for inde­pend­ent secur­ity research­ers to identify poten­tial vulner­ab­il­it­ies and respons­ibly report them.  This provides a legal method to actively search out vulner­ab­il­it­ies in elec­tion systems and finan­cial incent­ives for appro­pri­ately report­ing them.  Disclos­ures through a bug bounty program would allow manu­fac­tur­ers the abil­ity to fix the issue before the discov­ery is made public and allow elec­tion offi­cials to appro­pri­ately plan mitig­a­tion strategies for exist­ing vulner­ab­il­it­ies.  Several federal agen­cies, includ­ing the Depart­ment of Defense, have estab­lished success­ful bug bounty programs in recent years as part of ongo­ing efforts to strengthen cyber secur­ity.  Congress should author­ize and provide fund­ing for the Elec­tion Assist­ance Commis­sion (EAC) to certify and monitor a broader range of elec­tion systems (explained more below), and create an addi­tional require­ment for estab­lish­ing a bug bounty program for each of these EAC-vetted systems.  

Develop a CSF Elec­tions Profile. The National Insti­tute of Stand­ards and Tech­no­logy (NIST) is respons­ible for creat­ing and main­tain­ing the Cyber­se­cur­ity Frame­work (CSF), a set of stand­ards, guidelines, and prac­tices that help entit­ies manage cyber­se­cur­ity risks. Along with the CSF, NIST creates imple­ment­a­tion profiles that give volun­tary guid­ance on how to adapt these guidelines and prac­tices to partic­u­lar crit­ical infra­struc­ture sectors. Consist­ent with the recog­ni­tion of elec­tion systems as crit­ical infra­struc­ture, NIST should prior­it­ize the devel­op­ment of a CSF Elec­tions Profile to provide clear and direct guid­ance to elec­tion offi­cials on how to best secure their systems.

Secure Voting Equip­ment and Regis­tra­tion Data­bases

Even though elec­tion juris­dic­tions across the coun­try have made signi­fic­ant progress in updat­ing their elec­tion infra­struc­ture since 2016, signi­fic­ant secur­ity gaps remain. But steps can be taken to reduce the like­li­hood of equip­ment fail­ure, recover more quickly from fail­ures when they do occur, and ensure that every legit­im­ate voter has an oppor­tun­ity to cast a ballot and have their vote coun­ted. We recom­mend the follow­ing actions be taken to achieve these goals. 

Require paper ballots. Paper ballots create a tangible record of a voter’s choices that the voter can review, prior to cast­ing the ballot, to ensure it accur­ately captures their intent. These records can then be used by elec­tion offi­cials to discover any errors in the voting tabu­la­tion system, and ulti­mately ensure that total elec­tion results were recor­ded correctly. All voting systems should use paper ballots in order to make effect­ive audit­ing and confirm­a­tion of results feas­ible.

Ban wire­less compon­ents. Wire­less compon­ents that permit connec­tions to WiFi networks, cellu­lar networks, or other devices, via Bluetooth or other protocol, pose an unne­ces­sary risk of malware being implanted in this equip­ment, unbe­knownst to elec­tion admin­is­trat­ors. Wire­less compon­ents should be prohib­ited in voting systems that record and tabu­late votes. Voting system compon­ents that do not tabu­late votes should limit wire­less connectiv­ity only to instances neces­sary for access­ib­il­ity.

Imple­ment robust post-elec­tion audits. Repla­cing paper­less voting machines is not enough on its own to ensure accur­ate elec­tion result­s—elec­tion offi­cials must use these paper ballots to conduct rigor­ous and routine post-elec­tion audits that are designed to provide a high level of stat­ist­ical confid­ence of the correct outcome. We recom­mend the regu­lar use of risk-limit­ing audits. Risk-limit­ing audits provide confid­ence in elec­tion outcomes because they limit the risk that a voting system error or hack signi­fic­ant enough to affect the outcome of an elec­tion will go undis­covered. A sample of ballots is examined by hand and compared to the results recor­ded by the voting system to look for discrep­an­cies. For contests with large repor­ted margins of victory, a smal­ler sample is required to reduce the risk of error than for contests with small repor­ted margins of victory. There­fore, risk-limit­ing audits can be performed on a regu­lar basis, unlike costly full hand recounts.

Back up voter regis­tra­tion data­bases regu­larly. In the run-up to the 2016 elec­tions, Russian agents sought to access elec­tion systems in many states, and success­fully breached records in the voter regis­tra­tion data­base of at least one state. Such attacks on statewide voter regis­tra­tion data­bases present a seri­ous risk of elect­oral disrup­tion, as mali­cious actors could inter­fere with the abil­ity of voters to cast ballots by delet­ing them from lists of registered voters, chan­ging their recor­ded address, or chan­ging party affil­i­ation to keep them from voting in their party’s primary. If backup regis­tra­tion lists are avail­able, elec­tion offi­cials should be able to quickly recon­struct accur­ate lists when improper changes are discovered. To ensure that no manip­u­la­tion of a state regis­tra­tion data­base prevents legit­im­ate voters from cast­ing a ballot or having their votes coun­ted, backup regis­tra­tion lists should be created regu­larly on remov­able media isol­ated from inter­net connec­tions, as well as on paper. 

Estab­lish elec­tion day failsafes. Backup regis­tra­tion lists can allow elec­tion offi­cials to recon­struct accur­ate lists, but that may not ensure eligible voters can cast ballots if the prob­lems are discovered only after Elec­tion Day is over. An undetec­ted change to the voter list could incor­rectly show that a voter had already cast a ballot, or that she had recently moved. For this reason, elec­tion offi­cials should also put in place failsafe meas­ures to ensure that legit­im­ate voters can still cast a ballot that will be coun­ted, such as having suffi­cient numbers of provi­sional ballots at every polling place. In addi­tion, states should adopt elec­tion day regis­tra­tion proced­ures that allow voters to register at their polling places if they are unre­gistered, improp­erly removed from the lists, or if there are other prob­lems with their regis­tra­tion in the data­base.

Create a certi­fic­a­tion program for e-poll­books. Under the Help Amer­ica Vote Act (HAVA), the EAC is tasked with devel­op­ing volun­tary voting system guidelines (VVSG) that set stand­ards for voting systems and certi­fy­ing voting systems that meet these stand­ards. While parti­cip­a­tion in the certi­fic­a­tion program is volun­tary under HAVA, many states have form­ally adop­ted the VVSG and require all voting systems used in the state to be certi­fied by the EAC. But the VVSG and corres­pond­ing certi­fic­a­tion process is limited to voting systems upon which votes are cast and coun­ted, fail­ing to account for the numer­ous other systems that are neces­sary for the broader elec­tion process. The EAC’s author­ity should be expan­ded to certify not just voting systems, but also e-poll­books, in order to ensure that other compon­ents of elec­tion infra­struc­ture are more secure, incor­por­at­ing appro­pri­ate access controls, and provid­ing backup and recov­ery mech­an­isms. Several proposed bills in Congress—in­clud­ing the Elec­tion Secur­ity Act, the SAFE Act, and the For the People Act—have recom­men­ded adding e-poll­books to the voting system certi­fic­a­tion regime.  

Regu­late Elec­tion Vendors

Secur­ity meas­ures in response to the attacks on Amer­ica’s elec­tions in 2016 have largely focused on insti­tut­ing best prac­tices for state and local offi­cials to prevent, detect, and recover from cyber­at­tacks. Yet private vendors, not elec­tion offi­cials, build and main­tain much of our elec­tion infra­struc­ture. These compan­ies are involved at every stage of the elec­tion process—cre­at­ing voter regis­tra­tion data­bases, program­ming ballots, provid­ing elec­tronic poll­books and voting machines, build­ing elec­tion night report­ing websites, and check­ing equip­ment and proced­ures post-elec­tion. Despite this preval­ent role, there is almost no federal regu­la­tion of private vendors in the elec­tion space. A forth­com­ing Bren­nan Center report will focus on this prob­lem and propose a series of solu­tions, includ­ing the follow­ing: 

Create a certi­fic­a­tion regime for elec­tion system vendors. While the EAC runs a federal certi­fic­a­tion system for voting machines, it does not certify vendors selling voting machine equip­ment or vendors that provide other elec­tion services. There is no federal over­sight to ensure that private vendors have prop­erly screened employ­ees who may program voting machines and conduct other sens­it­ive func­tions, or have engaged in the best supply chain manage­ment and cyber­se­cur­ity prac­tices when manu­fac­tur­ing and repla­cing their equip­ment. We need a federal certi­fic­a­tion program so that elec­tion offi­cials and the public can have greater confid­ence in the compan­ies that provide crit­ical elec­tion products and services, and to engage in routine monit­or­ing of such vendors to ensure ongo­ing compli­ance.  The For the People Act and the SAFE Act have both proposed these kind of programs.

Require vendors to report cyber incid­ents. Both the public and govern­ment offi­cials are often in the dark about secur­ity incid­ents affect­ing elec­tion vendors. This state of affairs can under­mine faith in the vote and leave elec­tion offi­cials unsure about vendor vulner­ab­il­it­ies. To address these concerns, Congress should require elec­tion vendors to report cyber incid­ents to all relev­ant elec­tion author­it­ies. Recent bills in Congress have proposed similar mandat­ory report­ing require­ments, includ­ing the Secure Elec­tions Act and the Elec­tion Vendor Secur­ity Act.

Cent­ral­ize Inform­a­tion

While the EAC has taken signi­fic­ant steps in recent years to improve inform­a­tion shar­ing among elec­tion offi­cials when prob­lems with voting systems occur, we believe more can be done to ensure that state and local offi­cials can address system vulner­ab­il­it­ies and prevent the same prob­lems from occur­ring in multiple juris­dic­tions. Because of this, we recom­mend that the federal govern­ment take a greater role in monit­or­ing voting system fail­ures and promot­ing the spread of inform­a­tion across the coun­try.

Create a national data­base of voting system fail­ures. The estab­lish­ment of a new, national inform­a­tion hub is needed to ensure that voting system defects are caught early, disclosed imme­di­ately, and correc­ted quickly and compre­hens­ively. Specific­ally, the nation needs a publicly avail­able, search­able online data­base that includes data about voting system fail­ures and defects discovered across the coun­try. Such a data­base could be used to prevent the same system fail­ures from occur­ring in multiple juris­dic­tions across many years, and would assist elec­tion offi­cials as they look to purchase new voting machines with crit­ical inform­a­tion about system perform­ance. 

Provide Long Term Support and Fund­ing

A lack of finan­cial resources presents the most signi­fic­ant obstacle to elec­tion secur­ity improve­ments in local juris­dic­tions. Congress took an import­ant first step in 2018 by alloc­at­ing $380 million to states for elec­tion secur­ity activ­it­ies, and there are prom­ising signs of more fund­ing coming in 2019. But these one-time invest­ments are not enough to address the signi­fic­ant prob­lems facing elec­tion systems or provide long-term stabil­ity for future elec­tion secur­ity plan­ning. It is clear there is an ongo­ing need for federal fund­ing to help protect our elec­tion infra­struc­ture from foreign threats. Accord­ingly, we recom­mend that Congress take the lead to ensure that all levels of govern­ment provide suffi­cient long-term fund­ing for elec­tion secur­ity and invest in innov­at­ive approaches toward making elec­tions more secure, access­ible, and effi­cient. 

Provide robust, consist­ent fund­ing for elec­tion resources. Because the threats to elec­tion secur­ity evolve over time, effect­ive elec­tion secur­ity requires an ongo­ing commit­ment of resources, as opposed to a one-time expendit­ure. Compan­ies in the private sector have depart­ments and budgets dedic­ated to secur­ity gener­ally, and often to cyber­se­cur­ity specific­ally, precisely for this reason. Congress should provide a steady stream of fund­ing for the peri­odic replace­ment of outdated voting systems, upgrad­ing of data­base and other elec­tion infra­struc­ture, and the purchas­ing of ongo­ing tech­nical and secur­ity support for all these systems. But federal fund­ing alone is not enough—state and local govern­ments should make elec­tion secur­ity a budget prior­ity and develop long-term plans to fund regu­lar equip­ment upgrades, train­ing, and cyber­se­cur­ity staff to assist local offi­cials. 

The Bren­nan Center has estim­ated the nation­wide five-year cost for several crit­ical elec­tion secur­ity items to be approx­im­ately $2.2 billion. This total includes:

  • Provid­ing addi­tional state and local elec­tion cyber­se­cur­ity assist­ance
  • Upgrad­ing or repla­cing statewide voter regis­tra­tion systems
  • Repla­cing aging and paper­less voting machines
  • Imple­ment­ing rigor­ous post-elec­tion audits 

Estab­lish an innov­a­tion fund. Congress should estab­lish an innov­a­tion fund for the purpose of promot­ing advance­ments in the secur­ity, access­ib­il­ity, and effi­ciency of elec­tions. This fund would award grants on a compet­it­ive basis to entit­ies for research and devel­op­ment in elec­tion modern­iz­a­tion. The Elec­tion Secur­ity Act, which is currently pending before Congress, would provide for such a fund. 

Make the “crit­ical infra­struc­ture” desig­na­tion for elec­tion systems perman­ent. The federal govern­ment has provided import­ant elec­tion secur­ity support to state and local govern­ments through its “crit­ical infra­struc­ture” desig­na­tion for elec­tion systems, adop­ted by the Depart­ment of Home­land Secur­ity in Janu­ary 2017. However, this desig­na­tion could be with­drawn by the exec­ut­ive branch at any time. Congress should make the crit­ical infra­struc­ture desig­na­tion perman­ent though legis­la­tion to guar­an­tee states are provided with prior­ity access to tools and resources avail­able from DHS and greater access to inform­a­tion on cyber vulner­ab­il­it­ies. 

Adequately fund the EAC. In recent years, despite the increased threat of cyber­at­tacks against our nation’s elec­tion infra­struc­ture, fund­ing for the Elec­tion Assist­ance Commis­sion—the federal agency charged with adopt­ing elec­tion secur­ity guid­ance and certi­fy­ing voting system­s—has dropped sharply. The agency’s budget in fiscal year 2019 was just $9.2 million, slightly more than half the fund­ing it received in fiscal year 2010. Congress should ensure this agency has the resources, staff and lead­er­ship it needs to prop­erly perform its crit­ical elec­tion secur­ity func­tions.

For media inquir­ies, contact: Rebecca Autrey; rebecca.autrey@nyu.edu; 202.753.5904  

Election Security Experts