This post originally appeared on the BPC blog and was co-authored by Timothy Harper.
Americans learned after the 2016 election that our electoral process was not as secure as imagined. We may not know all the threats and tactics our adversaries will use during the 2020 cycle, but the country is miles ahead when it comes to repelling them.
Foreign adversaries in 2016 sought to sow distrust in democracy, exposing many weaknesses in our election system. Maybe the most glaring vulnerability in our system was an attribute of American elections that most thought to be a feature, not a bug: the decentralized nature of the voting process.
American elections are largely run by over 8,000 local administrators with varying levels of resources to defend against nation-state actors. The local administrators and states in 2016 were left to defend themselves even when they were unaware in real time of attempted cyberattacks happening across the country. This framework of defense is untenable. After all, we would never expect a solitary township in Michigan to defend itself against a military ground invasion from a foreign government, yet this is what local election offices were up against in the cyber realm.
Getting officials at the local, state, and federal level to work toward the same goal isn’t always easy, but it’s a real success story when it comes to U.S. elections after 2016. Officials in every state and territory, regardless of partisanship, have been working to protect and defend against cyber and other security threats to the 2020 presidential election. This time around, they have more resources than ever before. The Department of Homeland Security in 2017 designated elections as critical infrastructure. This designation led DHS to prioritize security assistance to state and local jurisdictions, enhance information sharing about security threats, and establish formal coordination mechanisms.
The critical infrastructure designation initially sparked bipartisan condemnation from states concerned about the expanding federal role in elections—a state prerogative. DHS responded by investing in building relationships and listening to election officials’ concerns and has now established itself as a key resource for state and local governments when it comes to providing resources, training, and monitoring. This monitoring will prove helpful in 2020.
For example, while foreign actors in 2016 were probing voter registration systems in all 50 states, information about these threats was not being shared effectively because there was no mechanism to do so. In fact, we learned from reporting that federal law enforcement officials were in contact with some state officials about attempted cyberattacks, but oftentimes they were not talking to the state personnel responsible for the voting process. DHS has since created the Election Infrastructure Information Sharing and Analysis Center, or EI-ISAC, to allow election jurisdictions to share information about threats in real time. All 50 states and nearly 2,000 local election officers are members.
Despite these important improvements, it remains a long-term concern that the critical infrastructure designation could be rescinded at any time. Whereas other critical infrastructure designations are established in law, the elections designation was made at the secretary level. That’s why we believe Congress should codify the designation in statute. We worry that a different DHS secretary with other funding priorities could leave the elections community without a strong federal partner in election security considering how little funding the U.S. Election Assistance Commission receives.
Funding for election security to the states is another concern. States and locals need more funding—and more consistent funding—to secure elections. The $380 million in election security grants appropriated in 2018 were the first federal appropriation to states for election administration since 2010 and, while the money was useful, for some states it translated to just $3 million. Elections have swelled into complex logistical and IT operations in the last two decades and require consistent state and federal investment commensurate with their scale.
There is still time for any additional funding appropriated by state and federal legislators to be put to good use in advance of 2020. Such uses include upgrading voter registration databases, implementing two-factor authentication and other firewalls, and investing in cybersecurity training programs and contingency planning exercises for local administrators. Some small election jurisdictions need assistance just getting to a basic level of cybersecurity preparation.
One risk that probably cannot be addressed before 2020 is the voting machines in the polling places. There are still some states using voting technology tested to standards created before the original iPhone was released. Some of these systems also lack a paper record, and upgrading to modern systems that use robust and auditable paper ballots is an important priority. Due to long timelines for purchasing and implementation, it is unlikely any money appropriated in late 2019 or 2020 will lead to voters seeing new machines on Election Day.
Elections are more secure than ever. Resources and relationships matter. Election officials at the state and local level, with the help of federal partners, are working together on the most impactful solutions in the near term while also planning for the long term. With a year to go, policymakers should do everything they can to help election officials build on their successes to create the 21st-century election process of which all Americans can be proud.