Voting in the United States is highly decentralized—and in many ways that’s a good thing when it comes to security. Having different regions operate their own elections and count their own votes makes it harder for someone to forge, compromise, or change a large number of votes all at once. But that decentralization also means that individual states, counties, or districts are also often free to make bad decisions about what kind of voting technology to use—and it’s surprisingly hard to stop them.
Earlier this week, North Carolina’s state elections board made a last-ditch attempt to convince a judge to prohibit counties in the state from using voting software manufactured by VR Systems on the grounds that the board hadn’t officially certified the software since 2009. On Monday—the day before Election Day—that attempt failed when Superior Court Judge Paul Ridgeway declined to intervene.
The situation in North Carolina highlights just how hard it is to make progress securing elections at the state level even at a moment when there’s more interest in and attention to state election security than ever before. Much of that interest stems from reports of Russian attempts to infiltrate and compromise the voting infrastructure of 21 states in the lead up to the 2016 election. According to the Intercept, VR Systems—the electronic voting company North Carolina’s election board was concerned about—was the target of a series of phishing attempts that were intended to enable Russian hackers to impersonate a voting software vendor and distribute malware to local election officials. Besides, five Durham County precincts experienced problems with VR Systems software in 2016 and were ultimately forced to give out paper ballots instead (probably an improvement in terms of security).
It’s unclear whether any of Russia’s attempts were successful and, if so, what the consequences were. The NSA document obtained by The Intercept indicated that it was “likely” that an employee account had been compromised at an unnamed election software company selling a VR Systems product and that access was probably used to gather information for the next round of phishing, directed at local governments, during which the hackers impersonated VR Systems employees. VR Systems disputes this account and says that no employee credentials were compromised.* And the fact that hackers were targeting the company and impersonating VR Systems vendors in their efforts to distribute malware does not necessarily indicate that the company’s voting software is vulnerable. And it’s possible that the Durham County problems were user error, as VR claims. But even without these red flags, it would be pretty reasonable for North Carolina to do another security audit after an interval of eight years.
But what’s most astonishing about the North Carolina saga is just how little it matters what the state wanted—and just how little power state elections boards appear to have over voting technology. The North Carolina elections board was not even permitted to revoke its own certification of VR Systems software eight years after it initially issued it. It’s hard to imagine how an elections board could ever feel comfortable certifying voting technology under those circumstances.
The lack of supervisory power at the state level is especially striking at a moment when the federal government is pushing to give more support to states to beef up their elections security. In late October, Sens. Martin Heinrich and Susan Collins announced a new bill intended to help strengthen voting security primarily through partnerships and funding provided at the state level. The Securing America’s Voting Equipment Act would give the federal government the ability to share more classified information with state election officials about potential threats to their voting systems. It would also establish a grant program for states to upgrade their election technology subject to recommended best practices for security developed by the Department of Homeland Security, the National Institute for Standards and Technology, the National Association of Secretaries of State, and the National Association of State Election Directors. In the House, on Wednesday, Rep. Debbie Dingell introduced a similar bill, the Safeguarding Election Infrastructure Act of 2017, which would also provide states with additional intelligence and resources to protect voting systems.
Helping states buy more secure election technology that meets baseline security standards and providing them with more information about threats sounds like the sort of legislation state governments would support. But, in fact, previous efforts by the federal government to take similar steps have not been welcomed by all states. For instance, last year, when the Department of Homeland Security offered to help states scan their voting systems for security vulnerabilities, Georgia flatly declined. Georgia Secretary of State Brian Kemp said at the time he thought the government was “federalizing elections under the guise of security.” Georgia, meanwhile, has struggled considerably when it comes to dealing with security threats to its elections, signaling just how much it needs the kind of help it so aggressively refused. (Other states, including Florida and Ohio, were more willing to accept assistance help from DHS.)
Trying to prevent meddling in U.S. elections seems like an issue that voters and government offices at every level should be on the same side of—and yet it’s remarkably adversarial. The federal government can’t enforce security standards at the state level, and, at least in North Carolina, the states can’t even necessarily enforce their own security decisions at the county level. This profound lack of coordination and cooperation speaks to the disadvantages of letting everyone run elections in their own way. Yes, the decentralization of voting in the United States makes our elections harder to hack in some ways—but it also makes them harder to secure.
*Update, Nov. 9, 2017: An earlier version of this piece asserted that a VR Systems employee account had been compromised as a result of hacking attempts based on The Intercept’s analysis of a classified NSA document about hacking efforts directed at a U.S. elections software company selling a VR Systems product. VR Systems denies that any employee accounts were compromised and the piece has been updated to reflect that.