This post is part of "Cybersecurity and Election Interference," a Brookings series that explores digital threats to American democracy, cybersecurity risks in elections, and ways to mitigate possible problems.
When it comes to fighting illegal intrusions into American elections, the states and localities are where the rubber meets the road—that is where American elections are administered. This authority is grounded in more than tradition; it derives from Article I, Section 4 of the Constitution. That section notes that while Congress has the authority to intervene in the setting of elections, election administration is largely a function of state and local government.
Given this situation, election law and practice vary considerably from state to state, which leads to a number of ramifications. On the one hand, this decentralization makes it hard for a single cyberattack to take down the entire American election system. But having a fragmented system poses some disadvantages as well. Some states and localities are simply better equipped to protect against cyber intrusions than others, and an adversary seeking to sow doubt and confusion about the integrity of an election needs to compromise only a few parts of the entire system in order to undermine public confidence.
The vulnerabilities in election administration exist at every step of the process, from the registration of voters, to the recruitment of poll workers for election day, to the books of registered voters at polling places, to the devices that capture and tally the vote, to the transmission of that data to a central place on election night and to the ability to execute an accurate recount. Every state and locality wants to run a fair election but they are limited by inadequate funding, the absence of trained personnel, and outdated technology.
A 2019 bipartisan report out of the Senate Intelligence Committee concluded that,
“In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking; for example, voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016, some of these vulnerabilities remain.”
The Committee also found that the Russians had attempted to intrude in all 50 states, an assessment that went far beyond the original claim. And 2016 was not the end of it. A few weeks before the 2018 midterm elections the Department of Homeland Security (DHS) found that numerous actors were routinely targeting election infrastructure. Warnings continue that in the next election attacks could be coming not only from Russia but from other actors as well. Most recently, the former Special Counsel Robert Mueller made headlines when he told Congress “They’re [the Russians] doing it as we sit here.”
So what are states doing in preparation? They are hardening their election infrastructure, training election personnel, testing their systems and providing backup. But it is not clear these steps will be sufficient. For example, state systems for registering voters are ripe targets for those who would seek to sway an election or simply sow chaos. The inviolability of the voter registration system is critical to making sure that everyone who wants to vote is able to vote. In July of 2016 twelve Russians hacked into the election database of the State of Illinois. They stole data on about 76,000 voters. Once it was noticed, the assault caused the state to close down their online voter registration website, which turned out to be the hole in the system.
Once voters register, their information is distributed to polling places around the state. If voters’ names have been erased or changed they will be unable to vote or forced to file a provisional ballot—creating delay and confusion in the vote count. Harvard University’s State and Local Election Cybersecurity Playbook recommends (among other things) that systems are patched and updated and that the database is not accessible over the public internet.
Electronic vulnerabilities exist with voting machines as well as with voter registration systems. In July, 2017 hackers at the DefCon hacking conference invaded 30 Direct Record Electronic (DRE) touch-screen voting machines. (Defcon is one of the largest hacking conferences in the world.) The state of Virginia, facing an important gubernatorial election, decertified the vulnerable machines leaving more than twenty cities and counties scrambling to get new equipment.
In addition to upgrading their infrastructure and increasing the security around it, states are looking for ways to better train election personnel. For some time now, concern has centered on the front-line personnel in the election system: poll watchers. With 116,990 polling places and 8,616 early voting locations around the country, states have a hard time recruiting poll workers. In addition, many of them are elderly. In 2017 the U.S. Election Commission found that 56% were age 61 and older and that states were trying to recruit some younger poll workers who are more comfortable with technology.
Training has increased for those whose full-time job is running elections. One of the most significant developments has been participation in a simulation exercise designed to help election officials experience what it is like to be under attack in an election. The most recent three-day exercise called “Tabletop the Vote” took place from June 18–20, 2019 and was hosted by the Cybersecurity and Infrastructure Security Agency with the National Association of Secretaries of State and the National Association of State Election Directors. The purpose is “to improve preparedness, information sharing, response and recovery.” Results of the exercise are not public but, assuming the exercise was well-designed, participants were probably forced to confront the unexpected and to learn something about operating in a crisis. And this summer many officials from different levels of government—including Senator Ron Wyden (D-OR)—attended Defcon, which has not been a popular hangout of government officials. The fact that so many state and local election officials attended “Defcon’s voting village” to watch others hack into all manner of voting systems means that people are moving outside their comfort zones.
Finally, the many threats to elections have increased attention to ways of validating election results. The first is (ironically in this day of paperless everything), the re-introduction of paper ballots in the election system and the second is the mandatory risk-limiting audit. Because electronic tabulation systems are vulnerable to all sorts of electronic mischief, the need for post-election verification is more important than ever. Paper ballots are the only way a state has of conducting either a recount or an accurate audit of an election. Following the decertification of some of its election machines, the State of Virginia adopted a system where paper ballots would be marked, fed into a scanner and then saved, if needed, for a recount. Many more states have gone back to paper. Fourteen states now require paper ballots, and another seventeen require voting machines to have a paper record verified by the voter himself or herself. Six states require their machines to have a permanent voter record. Thirteen states do not have a statutory requirement, nine of them have a statewide paper trail and the remaining have some jurisdictions with a paper trail and some without.
There is a certain historic irony to this return to paper ballots. Many Americans can remember the confusion created by the paper ballots that were used in the contested 2000 election in Florida. As a result of that election, the Help America Vote Act helped states replace their old machines with DRE (Direct Recording Electronic) systems. These systems, even if not connected to the Internet, are easily compromised, as proven by the hackers at Defcon.
Paper ballots allow a state to conduct what’s known as a “post-election audit.” In those states that use a traditional type of post-election audit, officials hand-count a certain portion of the ballots and compare the results to the ones produced by the electronic voting machines. A more recent type of audit is called the “risk-limiting audit,” in which statistical methods are used to cut down on the number of ballots that need to be checked. If the electronic margin is large, fewer ballots need to be examined. If it is small, more ballots need to be looked at. The audit “either (a) stops when it finds strong evidence that the reported outcome is correct, or (b) fails to find strong evidence that the outcome is correct and evolved into a full hand count of ballots.” According to a study from MIT, the risk-limiting audit “does not stop auditing until and unless there is strong statistical evidence that a full hand count would simply confirm the reported outcome.”
States and localities are on the front lines of protecting our elections. They are taking, along with the federal government, important steps to secure and upgrade their election infrastructure. But this cannot be a one-time activity. In the digital age, once one door is closed to the hackers, they go in search of another—the need to protect election systems will be ongoing. In a close election, a miscreant could compromise the entire result by hacking or disrupting a few counties in a couple of crucial states. It doesn’t take much to cast doubt on the entire process.