By: Jake van Leer, JD ‘20
In the wake of the 2016 election, the “hacking” of U.S. elections was at the forefront of political discussion. Foreign interference sparked numerous congressional inquiries and a high-profile investigation by Special Counsel Robert Mueller. Most hacking-related commentary focused on Russian disinformation campaigns. Fake news and disinformation pose real threats to the integrity of our nation’s political campaigns. However, less attention has been paid to the very real threat of cyberattacks to our election infrastructure.
Though most of the cyberattacks in the last two election cycles were aimed at targets outside of election infrastructure, critical attacks on the election system still occurred. An interim report by the Department of Homeland Security identified “at least 18, and potentially as many as 21, states whose election systems were targeted” during the 2016 election. In some states, cyber attackers may have “altered or deleted voter registration data,” but it appears that no actual votes or vote totals were compromised. In the wake of these threats, the Department of Homeland Security (DHS) designated the nation’s election system as “critical infrastructure.” DHS’s motivation behind the designation was to ensure that “election infrastructure will . . . be a priority for cybersecurity assistance and protections.”
But that doesn’t mean that it’s not possible—or likely—that election infrastructure will suffer attacks in future elections. Cybersecurity expert David Fidler suggests that though Russia’s primary efforts in 2016 and 2018 “involved disinformation operations not manipulation of election systems,” foreign adversaries may be watching closely “to assess changes in U.S. election cybersecurity in order to develop strategies for targeting election systems in 2020.” Building a more secure election infrastructure is crucial, even if larger-scale attacks haven’t yet occurred; a weak election apparatus further undermines the public’s trust in a system that has recently suffered from Electoral College misfires, isolated but well-publicized absentee ballot fraud, and allegations of rampant voter suppression.
There are countless means by which election infrastructure could be subjected to cyberthreats, and widespread security efforts are difficult to enact because of the decentralized nature of U.S. elections. Elections are administered at the local level, meaning that thousands of jurisdictions are subjected to unique laws and employ distinct procedures. The Belfer Center at the Harvard Kennedy School notes that the decentralization of elections is “both good and bad for cybersecurity.” Distribution of election authority makes it hard for any individual cyberattack to compromise multiple jurisdictions, but inconsistencies in cybersecurity resources create significant vulnerabilities across localities.
The Belfer Center’s State and Local Election Playbook describes three levels of operation at which all jurisdictions must address cyberthreats. The first level is “core systems”—voter registration databases, electronic poll books, voting machines, etc. The second involves intermediaries that connect multiple election system components, namely state- and county-level election systems and election officials’ internal communications channels. Finally, the third level involves external functions, such as vendors or social media. Vulnerabilities are apparent at each of these levels and some pose larger threats than others. For example, vendors of voting systems are considered easy targets for foreign hackers. In 2016, Russia’s military intelligence agency launched an attack on a vendor that provides election services and systems. As one voting security expert put it, “If I was a Russian trying to manipulate an election, this is exactly how I would do it.”
One of the primary areas of weakness is voting machines themselves. Other nations pride themselves on technological advancements in voting—consider Estonia, in which forty-four percent of votes in a recent parliamentary election were cast online (though these advancements are not without their own security concerns). After the passage of the Help America Vote Act of 2002 (HAVA), there was a significant effort to replace obsolete technologies with new voting systems. But voting machines that were once considered top-of-the-line technological innovations are now causing significant problems. A recent report by the Brennan Center for Justice highlights this urgent need to replace antiquated U.S. voting technology. In addition to obvious election administration issues caused by malfunctioning machines, old voting systems are far less likely to have security features included in more modern machines.
As detailed in a New York Times Magazine feature, the approximately 350,000 voting machines in the United States fall into two categories: optical-scan machines and direct-recording electronic machines (DREs). Both suffer from severe cybersecurity problems. Optical-scan machines require voters to fill out paper ballots, which are scanned so that votes are digitally recorded on a memory card. Though the ballots provide a paper trail, audit procedures are often inadequate—unless hacked machines are randomly selected to be audited, election meddling may go unnoticed. DREs are even more problematic; they use digital-only ballots and store votes electronically, though some machines provide a printout that allows voters to confirm their selections. However, this paper trail is insufficient as “a hacker could conceivably rig the machine to print a voter’s selections correctly on the paper while recording something else on the memory card.” Five states exclusively use voting machines that don’t produce any paper records and another ten rely on paperless DREs in some jurisdictions. A top election official warned that without such receipts, “you don’t really have security.”
Some jurisdictions are engaged in rigorous debate over new technologies to revitalize their outdated election infrastructure. A recent legislative battle in Georgia pitted election officials against technology experts. Georgia’s current machines do not produce any paper printouts and have led to significant controversy. The proposed $150 million system would rely on DREs that combine touchscreens with printouts. Republican legislators and state election officials support the proposed system. However, Democratic legislators and cybersecurity experts warn that these machines are ripe for cyberattacks; instead, they urge the adoption of paper ballots, filled in with pens. At the time of this writing, the Georgia legislature had approved the plan over the objection of cyber specialists, sending the bill to a supportive Governor. While the new plan is an improvement over the existing system, its shortcomings highlight the Brennan Center report’s suggestion that recent investment in voting machine modernization “only scratches the surface” of necessary improvements.
Though elections are administered locally and through states, there is room for federal assistance. The U.S. House of Representatives recently passed a sweeping legislative proposal that includes ethics reforms, campaign finance regulations, and massive revitalization of election security efforts. The Congressional Budget Office estimates that the bill, H.R. 1, would cost $2.6 billion over the next five years, with the majority of that money to be spent on election security. H.R. 1 would authorize the Election Assistance Commission (EAC), originally created by HAVA, to issue grants to states to update voting technology, reduce vulnerabilities to cybersecurity threats, and provide cybersecurity training to election officials. The EAC would also be required to issue election cybersecurity guidelines for states. In addition, H.R. 1 authorizes the Department of Homeland Security to establish an “Election Security Bug Bounty Program” to improve the cybersecurity of the systems used to administer federal elections.
However, H.R. 1 is likely dead-on-arrival in the Senate. The question is whether cybersecurity improvements are getting unfairly and foolishly bogged down by partisan politics. Without addressing whether the partisan divide on other aspects of H.R. 1 is justified, election security measures should be easy-to-pass, bipartisan issues. Trump’s own cybersecurity Tsar Chris Krebs, the inaugural Director of DHS’s Cybersecurity and Infrastructure Security Agency, stated that “[e]lection security is nonpartisan.” One might argue that House Democrats should consider separating these measures from the more ideologically controversial material in order to offer a more politically palatable bill. However, the recent experience in Georgia, which pitted Republicans against cybersecurity experts, suggests that election security itself may soon be too hot to handle.
Election security is already emerging as a key election issue for 2020 Democratic presidential hopefuls. Candidates like Kamala Harris and Amy Klobuchar have issued detailed proposals to upgrade voting machines and every U.S. Senator currently running for President has co-sponsored a bill aiming to enhance election security efforts. When running against a President who refused to condemn, or even recognize, Russian election interference, appearing strong on cybersecurity is a no-brainer. However, the nation will be far worse off if securing our election infrastructure from critical threats becomes a partisan chip. Perhaps legislators are better off acting now to pass a comprehensive, single-issue bill before election security becomes overly embroiled in the 2020 election debate.