The 2,232-page budget bill President Trump signed Friday included a provision that election security and technology experts have been pushing for years: money to update the nation’s outdated voting infrastructure. It came on the heels of similar calls from the current and former chiefs of homeland security and a bipartisan group of lawmakers. According to a recent analysis, the $380 million from lawmakers is not enough to fully replace the most vulnerable parts of our electoral machinery (we probably need at least another $380 million directed to jurisdictions with the most vulnerable equipment to do that), but it will allow states to make real progress toward long-overdue upgrades and cybersecurity improvements.
Still, Congress can’t afford to take its foot off the gas. At a Senate Intelligence Committee hearing last week, senators and witnesses reiterated the real threat that nations like Russia and China may use future elections as opportunities to exploit weaknesses exposed during the 2016 campaign. While states and counties are doing what they can to identify and patch these vulnerabilities, this is a race without a finish line, and we should expect that our adversaries will change and advance their methods of attack. More resources and guidance will be needed.
This year, the Brennan Center, where we both work, identified residents in 41 states where at least some will vote on machines that are a decade old or more. Voting machines that are no longer even manufactured remain in use in 43 states and D.C. Like a laptop computer or an old iPhone, aging machines are more vulnerable to malfunction and to hacking. In a 2015 Brennan Center report, we identified some of the malfunctions that can become more common with age, including “vote flipping” on touch-screen machines and memory-card crashes that require election officials to take systems out of service.
The problem isn’t just decrepit equipment. Without a verified paper record, it’s impossible to complete an audit independent of the software-generated totals. Thirteen states use machines that produce no voter-verified paper record—and five (Delaware, Georgia, Louisiana, New Jersey, South Carolina) use these machines statewide. Replacing these machines needs to be a top priority when it comes to upgrading our aging electoral infrastructure.
But paper records need to be audited and compared to electronic vote totals. Doing so makes it easier to detect—and fix—irregularities or hacks. Only 26 states require audits of paper records after elections. And many in that group have inadequate processes in place, such as exempting certain categories of ballots, like vote by mail, from the audit or conducting the audit after the election is certified, so there is no opportunity to correct results if a discrepancy is found.
The industry gold standard is what’s known as a risk-limiting audit, an efficient system that works by testing a statistically significant sample of ballots to check for any anomalies. In blowout contests, we don’t need to check many paper ballots to know that a software error could not have resulted in the wrong winner being declared. In narrowly won contests (like Conor Lamb’s squeaker in Pennsylvania), this type of audit reviews a larger sample, giving more confidence in the results. Unfortunately, only three states actually require this essential part of any election-security plan.
The machinery is one part of the equation. The other is ensuring that election officials are sharing information with one another and with federal officials at the Department of Homeland Security. After all, the country doesn’t have just one election—but thousands of individual elections conducted by communities across the country. There’s been progress here. State officials say communication between the DHS and states have improved. And officials at all levels of government are working to create avenues for continued conversations. The DHS, for example, has joined the federal Election Assistance Commission and state and local officials to convene a Government Coordinating Council to share information on threats to our election security and collaborate on best practices in the field.
But the DHS has been slow to issue needed security clearances for state election officials—it told lawmakers last week it’d issued only 20 of at least 150 requests. And as Sen. Mark Warner pointed out, private companies that maintain voter lists and equipment aren’t required to communicate potential threats to election officials. That’s got to change.
With so much left to do, lawmakers and experts are continuing to push legislation like the Secure Elections Act, a bipartisan bill that tackles many of these issues head-on. The Republican and Democratic leaders of the Senate’s powerful Intelligence Committee have signed on to support the bill, and the incoming chair of the Rules Committee has promised hearings.
The law would build on the funding in the newly passed spending bill by providing states much more money to replace their paperless systems, launching pilot programs for risk-limiting audits, and facilitating better information sharing (including through a requirement that vendors report cybersecurity breaches).
But time is not on our side. As Minnesota Sen. Amy Klobuchar recently noted, there are only seven months “until the next federal election and primaries have already begun. Congress should pass the bipartisan Secure Elections Act immediately.” In the coming days, this bill should be the Senate’s first and most critical priority. While a vote on the bill before this summer may not happen, there is reason to believe it will have fresh momentum. In addition to the recent bipartisan embrace from leaders of the Senate Intelligence Committee, Sen. Roy Blunt (who will likely soon take over as chair of the Senate Rules Committee, which has jurisdiction over the bill) has made several public statements about the importance of protecting the nation’s election infrastructure and the need for hearings.
Some of these fixes are pricey, others a bit less than sexy, but all are crucial to securing our elections from cyberattacks, either from state actors or just those seeking to sow chaos in our democracy. Just as importantly, they will also reassure Americans that when they go to a local school, a community firehouse, a public library, or a civic building to cast a ballot, they will have confidence that their votes are being counted.