We have made it through Election Day (or month) without signs of a significant cyberattack on our voting systems. That nightmare scenario had been at the forefront of election security experts’ minds ever since operatives connected to the Russian government targeted our election infrastructure in 2016. Election officials, federal agencies, security experts, and private vendors spent the next four years working to prevent or minimize the impact of such an attack: They upgraded technology, built a structure for sharing information, established resiliency plans, and coordinated at the federal, state, and local levels. Not only did all of this work strengthen our voting infrastructure’s cybersecurity, it had another extremely important side benefit. It helped officials run a remarkably successful election with historic turnout during a pandemic.
In the nationwide push for better election security, experts, election officials, and others focused on the kind of voting machine most vulnerable to cyberattack: paperless machines, which do not produce a paper backup to check against electronic tallies. In 2016, 14 states had at least some jurisdictions using paperless voting machines as their primary polling place equipment.
By 2020, six states, including Georgia, North Carolina, Pennsylvania, and Virginia replaced these electronic machines with newer, paper-based systems. The result was not only an increase in security but the replacement of antiquated machines that were on their last legs and more likely to fail during heavy use. Indeed, the Brennan Center for Justice, where we work, issued a study in 2015 that detailed how continued use of these outdated systems was not only a security risk but also (because of their age) a reliability risk for “increased failures and crashes, which can lead to long lines and lost votes.”
In addition to replacing voting equipment, many states used federal and state money to modernize their IT infrastructure, while strengthening the technical knowhow of local election officials. Previously, these outdated systems were difficult to maintain, did not integrate well with modern systems, and featured security gaps that were easily exploited by bad actors. Improving these systems not only plugged security holes, it allowed local jurisdictions to adapt quickly when the pandemic hit. Improved infrastructure meant that when voters who could not register at closed DMV offices shifted to using online registration sites, the sites (with extra capacity gained from upgrades) largely stayed up and working, with few exceptions.
Finally, the focus on improving election security in recent years meant that election officials built up even more resiliency than already existed in their systems, so that if they were attacked, there would be a backup plan to ensure voters were not disenfranchised. They obtained emergency paper ballots to be used if touch-screen voting machines became unusable. They placed paper poll book backups on site at polling places, in the event that data in electronic poll books were corrupted. And they kept provisional voting materials (such as ballots and envelopes) on hand, in case the voter registration database was hacked.
These preparations had clear benefits in 2020, even absent a devastating hack: When there were technical glitches, voters were able to continue voting while problems got fixed. For instance, when poll workers in Fulton County, Georgia, had trouble getting their voting equipment to start, voters who couldn’t wait around for assistance to arrive were offered the option of voting on a paper ballot. When officials in Franklin County, Ohio, experienced problems with uploading voter data to electronic poll books, they were able to switch to paper backup poll books. And when a fiber cable was accidentally cut during a utilities project in Chesterfield County, Virginia—causing the state’s voter registration database to be inaccessible—early voters who could not return on a different day were able to vote provisionally. Those votes will eventually be counted, once officials check that the individuals who cast those ballots were registered and eligible to vote.
No doubt, the investment in election security helped in other ways, too. Cybersecurity risk assessments performed by the Department of Homeland Security and independent companies hired by states and local election offices around the country almost certainly resulted in upgrades that led to not only more secure, but also more reliable systems that were less prone to malfunctions. Security trainings for thousands of election officials, including the widespread adoption of multifactor authentication for their networks, made it easier for employees to work remotely yet securely during the height of the first COVID-19 peak last spring and summer. Investments in combating disinformation helped build confidence in a process that saw record turnout, despite the pandemic. And the move to paper ballots as a security measure also allowed election officials to reassure the public, inundated with disinformation about the trustworthiness of vote totals that they had the ability to ensure accuracy.
Although much progress has been made, there is more to do. Since 2018, Congress has invested roughly $1.2 billion to secure our elections (including money Congress provided states in 2020 to make adjustments to run elections safely and securely in the midst of the pandemic). While that’s progress, it’s still short of what’s needed to secure our election infrastructure over the next several years. Among other things, it is still critical that the eight states using antiquated paperless electronic voting machines replace them; that the federal government establish minimum security standards for electronic poll books and voter registration databases (and that we upgrade those databases); and that we provide states and local election offices with resources to hire their own cybersecurity professionals and conduct postelection audits.
Sadly, one cyberattack-free election doesn’t mean we’ve eliminated the cybersecurity threat. This is a race without a finish line. The good news is that 2020 shows that investing in election security will not only reduce the risk of a successful cyberattack but also result in more reliable election systems, improved and more flexible election administration, and a better voting experience for all Americans.