The Russian meddling that rocked the 2016 United States presidential election gave the public a full view of something election officials and advocates have warned about for years: weak voting infrastructure and election systems around the US, and a lack of political will and funding to strengthen them. Two and a half years later, real progress has been made in key areas. But with a new presidential election less than 18 months away, glaring systemic risks remain.
Many of those inadequacies show up in a new report from the Stanford Cyber Policy Center, which breaks down the threats facing the 2020 election and beyond, and proposes paths to managing them. But as the report also makes clear, many of those necessary steps will not be completed before 2020. Smooth-running elections will require a clear-eyed view of those lingering deficiencies.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
“There’s good news and bad news when it comes to election security,” says Andrew Grotto, a coauthor of the report and program director at Stanford, who previously worked as the senior director for cybersecurity policy at the White House in the Obama and Trump administrations. “As much as we’d like all the recommendations in the report to be implemented, if you can’t implement all of them it doesn’t mean you shouldn’t implement some of them. We can still move the needle and improve quality and resilience of our democracy.”
As election officials, democracy advocates, and researchers scramble to make improvements and convince lawmakers of the need for more funding, four areas stand out that still need major work.
Election experts have long agreed on the need for a paper backup to be generated along with each digital vote. Computerized tallies can potentially be manipulated in ways that paper cannot. But three states—Georgia, Louisiana, South Carolina—still exclusively use digital voting systems without a paper backup. And at least 10 states have mixed offerings, in which many precincts don’t produce a paper trail.
“With paperless systems the number has been shrinking, but that’s still too many,” says Lawrence Norden, the deputy director of the Brennan Center’s Democracy Program at New York University School of Law. “It’s crazy that we haven’t gotten rid of them by now. And then generally we have a lot of really old machines—over half the counties in the US are using machines that are over a decade old and that creates security and reliability risks.”
One potential model for voting machine security for 2020 comes from Los Angeles County, which has spent the last decade and about $100 million designing its own voting machine from open source components and totally rethinking the voting process. Beginning with the March 2020 California primary, Los Angeles voters will have 11 days to vote. When they do, they’ll make their choices on a touchscreen, confirm them, feed a paper ballot into the machine, and then press a button to record their final choices on the paper ballot. Election officials will then count both the digital vote records and the paper ballots. Voters can also elect to fill out the ballots by hand instead. And the machines include numerous accessibility features.
Not many election offices have the resources to match Los Angeles County’s commitment. But these types of initiatives—which also include a secure, open source voting machine hardware project at the Defense Advanced Research Projects Agency—could pave the way for more open, auditable, and publicly verifiable voting machines for everyone.
“I don’t think the for-profit commercial model works particularly well for voting systems, because there’s not enough profit in them to do really good R&D,” says Marian Schneider, president of Verified Voting, a group that promotes election system best practices. A handful of for-profit companies currently provide the majority of voting machines in the US. “The more cost effective way and the more secure way is investing in secure hardware that would be available to jurisdictions coupled with open source software.”
Replacing insecure and aging voting machines around the country, introducing post-election audits in the dozens of states that don’t yet have them, shoring up election network defenses, and expanding security personnel all takes money. And while independent, locally adjudicated elections are a cornerstone of US democracy, researchers say that federal funding is still badly needed to make sure all election systems around the country have high-caliber security defenses in place.
In March 2018, Congress appropriated $380 million to states for election infrastructure and security upgrades through the 2002 Help America Vote Act. And just this week, a House Appropriations subcommittee preliminarily approved a 2020 funding bill that includes a much-needed $600 million for the Election Assistance Commission, which facilitates election infrastructure improvements and disburses federal funds to states. The bill has a long way to go before passage, but amidst other disputes, the election funding didn’t specifically draw criticism from lawmakers in early discussions.
Secure election advocates say, though, that federal funding has not come quickly enough, and that it needs to be consistent and reliable over time, rather than a one-off investment every decade or so.
“If we want to have a strong democracy there are a lot of things we need to work on regarding our elections,” Verified Voting’s Schneider says. “We know what they are, we just need the funding to implement them and help election officials run as smooth an election as possible. They do an amazing job already with the resources they have.”
The legislative side remains similarly hamstrung. Numerous proposed election security bills, including the bipartisan Secure Elections Act, have floated around Congress without passage for years now. And Senate majority leader Mitch McConnell has consistently made it clear that he does not support passage of election security legislation. But advocates say that momentum is steadily growing across Congress, and hope remains for progress in the next few months. Even president Donald Trump, who has often shirked discussions about election integrity, seems to be gradually acknowledging the importance of paper backups.
Voting machine vendors in particular aren’t subject to any specific regulations, and aren’t even required to notify their customers when they have a security issue or breach. A Wednesday report by Politico found that the Florida-based voting machine manufacturer VR Systems used risky remote-access software to troubleshoot election equipment the day before the 2016 presidential election—which could have opened a channel for hackers to penetrate and alter voter records. Voting machines don’t just need better technology, like the kind you’ll find in Los Angeles County. They need a better regulatory framework.
The silver lining at the federal level has been better communication with state and local election officials and law enforcement. The Department of Homeland Security has collaborated with the National Association of Secretaries of State and numerous other state and local groups to get government clearances for election officials, and to share best practices. A recent revelation in the Mueller report, though, indicated that even this project still has a way to go. The report revealed that during the 2016 presidential election, Russian hackers breached two supervisory election networks in Florida precincts. The intrusions didn’t result in data or vote manipulation, but many Florida officials and other top voting officials around the country were unaware of the incident, and were shocked that it hadn’t come to light for nearly three years.
“There’s no question that election officials feel there’s better information sharing, but there’s also still frustration,” the Brennan Center’s Norden says. “There’s still progress to be made—Florida shows that.”
In the wake of the 2016 presidential election, the US slowly moved to publicly blame Russia and call the country out for election hacking in other countries. The US government has also indicted Russian election hackers, and even retaliated through the Department of Defense’s Cyber Command unit, which has struck Russian hackers and done takedowns of social media influence operations.
Election officials and researchers often emphasize, though, that to them the best offense is a good defense. And Thursday’s Stanford report calls out another important component as well: The need to forge international norms discouraging hacking and digital meddling in foreign elections. Though this effort is perhaps in the earliest stages of all, Eileen Donahoe, the executive director of the Global Digital Policy Incubator at Stanford and a former US ambassador to the United Nations Human Rights Council, says that the most important part of election security diplomacy is reinforcing basic concepts of voting as a human rights issue.
And as international discussions first enter their nascent phases, the Stanford report seeks to show a path forward for election security within the US. “I think we wanted to provide a wake-up call to the political establishment in DC,” Donahoe says. “Not just that our democracy is under attack after what happened in 2016, but that if integrity of the 2020 election is undermined by foreign malign actors in a significant way the consequences will be gargantuan.”