For many, the most important question as the midterms approach isn’t whether the Democrats or Republicans will win control of Congress, but whether the elections themselves will be secure. In 2016, Russian hackers likely targeted election systems in many states and penetrated Illinois’s registration database; this year there is concern that hackers will go after both government and private systems. In March, Congress made $380 million available to states seeking to improve their election systems’ cybersecurity. But state officials and election security experts say this doesn’t even come close to addressing the nation’s electoral cybersecurity needs.
So what exactly do states need to do in order to secure their election systems? Although experts largely agree on basic guidelines, there is no one playbook for how to beef up electoral cybersecurity. America’s elections infrastructure is highly decentralized, with every state managing its own system. This is a benefit in some ways, said Jim Condos, Vermont’s secretary of state and a prominent voice in election cybersecurity discussions. It means bad actors can’t just break into one centralized system. But it also means states employ a patchwork of approaches to elections cybersecurity. The contours of threats and their fixes are constantly shifting as well.
The complexity of upgrading America’s electoral cybersecurity makes it difficult for legislators to draft a single overhaul bill. Instead, many of the experts I’ve spoken to agree, the federal government needs to commit itself to an ongoing effort to help states learn about threats and develop their security through regular institutional and financial support.
Congress has only reinforced America’s electoral integrity once, in the aftermath of the “hanging chad” debacle in 2000. Two years later, legislators granted states a $3.9 billion fund to mix with local assets to replace the nation’s old punch-card and lever voting machines. That fund never ran dry; the $380 million allocated for cybersecurity this March is actually its dregs, shifted to serve more general cybersecurity needs.
Almost two decades later, voting machines present a key vulnerability in a number of electoral systems. Security experts agree that we need to replace all-electronic voting machines with paper ballots of some kind, because you can’t hack paper. Five states still solely use no-paper systems—many of them put in place using the funding from 2002 in an ill-advised effort to decrease the risk of mechanical errors—while nine others only partially use paper ballots. A number of other states use machines with a paper trail that is difficult to audit. And, as of 2015, 43 states also used machines that were old and buggy enough to cause election day issues; many of them are so old they can no longer be reliably repaired. In a few instances, officials have had to find spare parts on eBay.
But as the Brennan Center for Justice’s voting systems expert Lawrence Norden told me, there is no clear agreement on whether we need to replace only the most vulnerable no-paper machines, or also old and potentially buggy paper-backed machines. Even if one could pin down the number of machines that need to be replaced, said Norden, there is no single option for what to replace them with. Nor is there agreement about which of a variety of paper-backed voting machine options are the best to replace existing machines with.
On top of confusion about what needs to be replaced, cybersecurity expert Charles Stewart III told me that voting machine vendors are a small and highly secretive lot, which keeps price competition down and makes it “hard for locals to know what a fair price should be” for any system. Plus, Condos noted, every state has its own procurement protocols, which might affect the final prices. This leads to cost estimates across states that can vary from $200 million to $1.5 billion. And even those figures, Norden told me, still leave out the cost of software licensing and upgrades, maintenance, and repairs over time. “That,” said Stewart, can “double to triple the cost of a new system.”
And that’s just the confusion surrounding machine costs. Federal security officials, legislators, and private sector experts agree that to really secure elections against cyber threats, states need to do a variety of things:
- Have a system in place to audit paper ballots.
- Put extra security around their voter registration databases to prevent unauthorized changes that could put polling stations into chaos on election day. (Hackers could, for instance, unregister a voter, or change their address or their name so they couldn’t vote.)
- Send elections staff through cybersecurity training so they don’t fall for hackers’ tricks.
- Hire dedicated cybersecurity staff.
- And develop plans for how to respond to hacking attempts, malware detection, or a variety of election-day systems failures.
States, to their credit, noted Maria Benson of the National Association of Secretaries of State, have been trying to address these and other issues for years. But there are no hard-and-fast best practices and models for how to tackle many of these issues yet.
Some states, like California, have set up entire elections cybersecurity teams, while others, like Vermont, have put a cybersecurity expert within their established elections systems IT departments. Whether one approach is definitively better than the other remains to be worked out.
Even if security experts and state officials do eventually settle on best practices, this would not give legislators a clear picture of the financial support local systems would need to beef up their cybersecurity.
“Federal, state, and local governments have not come to a common understanding about who is responsible for addressing” cybersecurity, said Norden, “especially funding it.” Every official and legislator at the national and state level seems to have a different sense of how much of the cost of security upgrades they are willing to shoulder. State officials and legislators also bicker about how much of a say the federal government should get in standards for state and local cybersecurity practices in exchange for handling a certain amount of the funding.
All this complexity, and the fact that cybersecurity threats and needs will only evolve with technology, has led some experts to recommend that Congress not try to pass a bill that establishes a new set of firm guidelines and offers a single lump sum of support, as most election security bills seem to aim to do now, but instead make a more open-ended commitment.
“The only way to really move forward,” said Stewart, “is for there to be some understanding that the federal government is responsible for X percentage of every election’s cost... But we still have a long way to go before we have a consistent stream of money.”
Legislators, especially fiscal conservatives, have opposed doling out even a few hundred million more dollars as a lump sum this year. Many will probably continue to oppose new funds as long as the existing $380 million pool remains unspent. Even when that cash is spent, a blind commitment to perpetual funding, versus a lump sum, may not be popular.
All of the experts I spoke to for this piece were optimistic that such an agreement could be reached in the near future. Until 2016, they noted, most of Congress saw elections as a state issue, and their 2002 funding as a one-time deal. States, meanwhile, were largely leery of federal involvement in their election systems through funding offers. However, states have warmed to federal cooperation to varying degrees over the past couple years, and Congress has started to take elections cybersecurity seriously as a federal-level national security concern.
But we definitely won’t see that understanding and funding before the 2018 elections. And whether we see funding of any sort will depend on the experience and outcome of that election. So voters will just have to cross their fingers for November and hope that legislators and state officials pick this issue back up come January 2019. The 2020 elections are closer than you think.
Follow Mark Hay on Twitter.