The 2018 midterm elections are only weeks away but experts remain split — or at least cautiously optimistic — over the question of whether states are fully prepared to keep their election systems secure.
Voters in all 50 states will go to the polls on Nov. 6 to choose their representatives in the U.S. House and a number of state and local elections. Thirty-three states hold elections to decide one of their U.S. senators, and 36 will choose their governors.
The 2016 presidential election was marred by accusations that Russia hacked Democratic Party emails and engineered a disinformation campaign that used inflammatory social media posts to sow discord among voters. While America’s intelligence community has unanimously concluded that the Kremlin interfered in the 2016 election, President Trump has been loathe to admit that Russia may have meddled in the race to tilt the outcome in his favor.
Nevertheless, the intelligence community has stood by its findings and sounded the alarm that American democracy remains susceptible to outside influences.
Director of National Intelligence Dan Coats has said the country’s digital infrastructure is “literally under attack” and that Russia is “the worst offender.”
“These actions are persistent, they’re pervasive and they are meant to undermine America’s democracy on a daily basis, regardless of whether it is election time or not,” Coats said at an event in mid-July at the Hudson Institute. He added that nearly two decades after the 9/11 terrorist attacks, “the warning lights are blinking red again.”
Coats said that Russia is potentially targeting the 2018 elections, although the effort is “not as robust” as the one in 2016. Nevertheless, he vowed that securing the election process is a top priority of the administration, despite the president’s public ambivalence on the issue.
Trump recently issued an executive order to impose sanctions on countries or individuals that interfere in the upcoming elections, but lawmakers say the order is not enough because it relies on the discretion of the president. Rather, many support bipartisan legislation that would mandate penalties on those found to have meddled in the elections.
Meanwhile, social media platforms like Facebook and Twitter have pledged to crack down on fake accounts and protect their networks from foreign manipulation ahead of the midterms.
Special counsel Robert Mueller’s recent indictment of 13 Russian nationals and 12 Russian spies has provided experts with a detailed blueprint of how Kremlin-linked operatives hacked Democratic computer systems and used social media to wage “information warfare” on Americans in 2016. In particular, a Russian troll farm known as the Internet Research Agency used thousands of fake “bot” accounts and deceptive advertising to attack Hillary Clinton and “spread distrust towards the candidates and the political system in general,” according to the indictment.
Perhaps less well publicized, however, is the revelation in Mueller’s investigation that Russian-linked hackers also “stole information related to approximately 500,000 voters” and probed election websites in Georgia, Florida and Iowa for vulnerabilities. Over the summer, President Obama’s former cybersecurity czar, Michael Daniel, testified before Congress that Russian hackers likely scanned the election systems of all 50 states. While there hasn’t been any evidence to show that Russia infiltrated these election systems or altered the vote count, recent discoveries demonstrate that it wasn’t for lack of trying.
Vulnerable Ballots
Indeed, beyond online propaganda campaigns and cyber attacks on candidates, there’s another weakness in the U.S. electoral process that has received considerably less attention: the vulnerabilities among state voting machines, which are often connected to the internet and operated by staff who aren’t trained in information technology.
A Politico survey of election upgrades in all 50 states released in mid-July found that most states’ election offices have failed to fix their most glaring security gaps and few states are planning steps that would improve safeguards before November.
The biggest fix seems counterintuitive in an increasingly digital world: Most experts recommend using voting machines that leave a paper trail, instead of relying exclusively on internet services that can be hacked. Another recommendation is simply better information-sharing with federal officials.
But even as experts raise the alarm about potential security lapses at the state level, the White House allegedly pressured one Senate committee to hold a bipartisan bill aimed at improving the security of those election systems, according to original reporting by Yahoo News.
On Aug. 22, the Senate Rules Committee, chaired by Sen. Roy Blunt (R-Mo.), abruptly postponed its markup (a final review of a bill) of the Secure Elections Act, introduced by Republican Sen. James Lankford of Oklahoma.
The bill would grant every state’s top election official security clearance to receive threat information, formalize information-sharing between the federal government and states regarding threats to electoral infrastructure, and incentivize the purchase of voting machines that leave a paper trial, according to the Yahoo report by Alexander Nazaryan.
It was expected to come to a full Senate vote in October. As of this writing, the bill’s fate is uncertain, although Lankford disputed the account that the White House was behind the delay in an Aug. 28 statement to The Diplomat.
“After multiple conversations with the White House over the weekend, it is clear they did not request to postpone last week’s markup. I’m grateful to Chairman Blunt for his leadership to markup this bill in the Senate Rules Committee, and I look forward to it being rescheduled in the days ahead. This is an important bill that I will not let fail. I look forward to working with members and groups that have technical concerns with the text of the Secure Elections Act as we continue to walk through its passage,” Lankford said in the statement.
Some state officials oppose certain measures in the Secure Elections Act, specifically a requirement that each state conduct a post-election audit to verify the election result.
Secretaries of state, the officials responsible for state and local elections, have argued that the requirement is an unfunded mandate, according to reporting by Tim Starks for Politico.
Audits require manpower, which means more time on the clock for state workers and the vendors responsible for ensuring that voting machines operate properly. There was also some dispute over what a successful audit would entail. The original language of the Secure Elections Act “effectively mandated paper-based audits,” but that language was stripped at the behest of state officials and voting machine vendors, according to Starks. The removal was decried by election integrity advocates who say electronic audits will be worthless during a cyber attack.
Costs to maintain and upgrade the security of voting machines can also be prohibitive for state budgets. In Indiana, which received a failing grade this year in an election security assessment by the Center for American Progress, it’s estimated to cost between $22.7 million to $35.6 million to replace the state’s voting machines, according to a report by the Associated Press. (The cost estimate comes from the Brennan Center for Justice, a law and policy institute that has become a leading resource on American elections.)
Funding Boost
Fortunately for state governments, last year’s federal budget appropriated $380 million in funds to assist states in securing their voting systems.
The funds will be used by 41 states to improve election cybersecurity, with 34 states using the grants to purchase new voting machines, 29 states improving voter registration systems and 24 states using the funds for post-election audit activities, according to a press release from the U.S. Election Assistance Commission.
“There are certainly steps that we can take today to make the 2018 elections more secure,” Liz Howard, counsel for the Brennan Center’s Democracy Program and a former deputy commissioner for the Virginia Department of Elections, told The Diplomat.
Election officials can do “common-sense things” like make sure they have enough backup paper ballots for every registered voter in the event of a voting machine failure, Howard said.
“If you are in a jurisdiction that uses e-pollbooks, administrators can make sure there are paper pollbooks,” she added, referring to the lists poll workers use to look up voters.
The need to have paper backups has become a common theme in the discussion around election security.
“Georgia is among 14 states heading into Election Day using touchscreen, computerized machines that don’t meet federal security guidelines because they produce no paper record — so voters can’t verify their choices and officials can’t audit the results,” Margaret Newkirk reported for Bloomberg on Aug. 10.
These machines are used statewide in Georgia, Delaware, Louisiana, New Jersey, South Carolina and in at least some polling stations in nine other states, according to Newkirk’s report.
Virginia is the only state to have decertified and replaced all of its paperless voting systems after the 2016 election, which Howard coordinated as deputy commissioner, according to the Brennan Center.
Virginia officials acted quickly to have new voting machines up and running in time for the state’s 2017 elections.
But not all states are acting with the same urgency. Some state officials have said that the $380 boost in federal funding is a good start, but that more money is needed to make sweeping changes. On the flip side, Eric Geller of Politico reported that some states are not taking advantage of the money already offered to them.
“Only 13 states said they intend to use the federal dollars to buy new voting machines. At least 22 said they have no plans to replace their machines before the election — including all five states that rely solely on paperless electronic voting devices, which cybersecurity experts consider a top vulnerability,” Geller wrote in a July 18 article. “And fewer than one-third of states and territories have requested a key type of security review from the Department of Homeland Security.”
DHS’s Role
The Department of Homeland Security has taken center stage as the agency responsible for defending state election systems from hacks — or at least preparing states to do so themselves. While the FBI has investigated hacks after they happen, and the National Security Agency and U.S. Cyber Command evaluate possible cyber threats, DHS is filling the gap of responsibility for the security of core U.S. infrastructure, including election systems.
“DHS is working with election officials in all states to enhance the security of their elections by offering support and by establishing essential lines of communications at all levels — public and private — for reporting both suspicious cyber activity and incidents,” a DHS official told The Diplomat.
The department “has been committed to working collaboratively with those on the front lines of administering our elections — state and local election officials and the vendor community — to secure election infrastructure from risks,” the official added.
On Aug. 22, Homeland Security Secretary Kirstjen Nielsen told reporters that the Trump administration is “working with election officials in all 50 states” to identify and help manage risks.
Nielsen also called on election officials in all 50 states to ensure that every ballot used in the 2020 presidential election is “verifiable and auditable.”
“Secretary Nielsen has said over and over and over again that election security is national security,” Howard told The Diplomat.
Still Not Prepared
Despite the increased attention that high-tech election tampering has received, the U.S. has “failed to protect the 2018 election,” according to Alex Stamos, who was until recently chief security officer of Facebook and is now an adjunct professor at Stanford University and a visiting scholar at the Hoover Institution.
In an Aug. 22 article for Lawfare, Stamos pointed to recent news that Microsoft unveiled a phishing scheme by a hacking group tied to Russian intelligence as an indicator that hostile actors have not been deterred from committing cyber attacks.
Meanwhile, Russia’s 2016 “playbook” is now in the public record, enabling others to commit copycat attacks — not only against Democrats, but also Republicans, Stamos warned.
North Korea, China and Iran all have sophisticated cyber capabilities and at least one of them has followed Russia’s lead. On the same day that Microsoft exposed the Russian phishing scheme, Facebook revealed “more than 600 accounts that were being used by Russian and Iranian groups to distort the information environment worldwide,” Stamos wrote.
Just this past summer, Sen. Claire McCaskill, a vulnerable Democrat running for re-election in Missouri, was targeted by the Russian intelligence hacking group known as “Fancy Bear,” according to a report in the Daily Beast.
McCaskill is one of three congressional candidates who have been targeted by Russia, according to Microsoft executive Tom Burt, who first revealed the hacking attempts at the Aspen Security Forum in July.
To protect U.S. elections from the kind of interference conducted by Russia during the 2016 presidential election, Congress has taken up the Honest Ads Act introduced by Sens. Mark Warner (D-Va.), Amy Klobuchar (D-Minn.) and the late John McCain (R-Ariz.).
Because Russian interference involved paid digital advertising and the creation of internet personas and advocacy groups meant to look like real Americans, the Honest Ads Act would establish new disclosure requirements and hold social media companies accountable for maintaining databases of entities purchasing ads on their platforms.
“The bill creates a framework for updating campaign finance law for the 21st century, making a broader swath of online activity subject to transparency requirements and the ban on spending by foreign nationals,” Lawrence Norden and Ian Vandewalker wrote in an op-ed last year for the Brennan Center.
While Facebook and Twitter executives have endorsed the act, and appeared before the Senate Intelligence Committee in a Sept. 5 hearing to discuss potential new regulations, the bill has yet to come up for a vote in Congress.
At least one state has taken the lead in protecting its elections from fake online ads. California passed its own legislation to strengthen disclosure requirements for paid digital ads in political campaigns.
But as the example of California shows, the response to election interference has been disjointed and ad hoc. Just as the federal government is deadlocked on how to protect American democracy from foreign meddling, individual U.S. states also struggle to find a unified, comprehensive solution to the problem.
Some are taking the initiative by working with federal agencies and the private sector to safeguard their voting machines, thwart cyber attacks and limit the spread of foreign-funded fake news. Others are constrained by finances and others by sheer complacency — even when the help is right in front of them.
For example, on Aug. 30, Valimail, an email security firm, announced that it would offer its email protections for free to state and local election officials and political campaigns through the 2018 midterm elections. It follows Cloudflare and Synack, which have also offered their services at no cost to help secure election systems, according to a report by Taylor Hatmaker for TechCrunch.
Valimail also offered the same email fraud prevention service to the Democratic National Committee and the Republican National Committee at no cost through the 2020 U.S. presidential election.
So far, no candidate, election official or party organization has taken Valimail up on its offer.
About the Author
Ryan R. Migeed (@RyanMigeed) is a freelance writer based in Boston.