On Monday night, the Intercept published a leaked National Security Agency report that recounts a Russian military intelligence cyberattack against a voter registration software company. According to the report, Russian government hackers appear to have used “data obtained from that operation to … launch a voter registration–themed spear-phishing campaign targeting U.S. local government organizations.”
On one level, this story was not particularly surprising. Even before the Intercept article, we knew—based upon previous news reports, as well as a January report from American intelligence agencies—that hackers working on behalf of the Russian government were targeting state and local voter registration databases. And there is nothing in the NSA report or the Intercept piece that supports the idea that Russian hacks against election offices and registration system prevented anyone from voting or changed vote totals in any way. (It always bears repeating that the voter registration system and vote tallying systems are different. An attack against the registration system will not change vote totals on a voting machine.)
But the leaked NSA report adds disturbing details to this knowledge, making it clear that the attacks against local election offices and the voter registration system were even more extensive than was previously known and that they came after President Obama personally told Vladimir Putin to “cut it out.” In other words, we cannot assume America’s election infrastructure is somehow immune to cyberattack. It’s wishful thinking to believe something that happened in Ukraine or Bulgaria couldn’t happen here.
Despite the alarms raised by these revelations in recent days, there has been little discussion of solutions. But the way forward is relatively clear. Protecting our elections against foreign attackers ultimately requires the will to squarely address known vulnerabilities—a will that has been lacking in Washington.
The details about Russian hacking cast into stark relief Congress’ stunning passivity around the issue of election infrastructure security—not just for the past few months, but for more than a decade.
Over the past few years, the need for new investment in our election infrastructure has become more and more apparent to anyone who studied the issue. In 2014, the bipartisan Presidential Commission on Election Administration warned of an “impending crisis” of aging voting technology. The Brennan Center (where I work) noted in a comprehensive study of voting machines in 2015 that this old equipment has significant security vulnerabilities. It hasn’t been tested to the relatively rigorous federal certification standard that exists today and often runs on unsupported software (like Windows 2000 and Windows XP) that doesn’t receive regular security patches to protect against current methods of cyberattack. Even more troubling, many of these systems don’t have a “software independent record,” such as a paper ballot, that can be used to independently verify that the software totals weren’t hacked.
While these studies’ main focus was often on voting machines, many of the same concerns about outdated hardware and software could be applied to state and county voter registration systems.
For the past 10 years, in the face of evolving cyberattacks and warnings from security experts about protecting our elections from hacking, Congress has remained strangely silent. Just about the only discussion there has centered around whether to shut down the tiny Election Assistance Commission, the federal agency charged with setting standards and providing guidance for electoral systems on criteria like performance and security. It has an annual budget of about $10 million, or less than 5 cents per registered voter.
Of course, under the American system, states and counties are in charge of running elections. But Congress has clearly has a supporting role. After all, among the elections that states and counties run are federal contests for Congress and the presidency. Congress has an obligation to ensure that these elections are fair and secure.
Moreover, many of the expenses that states and localities now must bear to secure our election system from cyberattacks stem from actions Congress has taken over the past 15 years. It was Congress that mandated the replacement of outdated and failing punch card and lever machines in 2002. It was Congress in 2009 that mandated states transmit ballots to military and overseas voters at least 45 days before an election, requiring states to offer to send blank ballots by email, fax, or online delivery system.
These mandates greatly improved federal elections. With the purchase of new voting machines, the number of lost votes (previously caused by faulty punch card voting machines) plunged , and many disabled voters were able to vote privately and independently for the first time. New requirements for the delivery of ballots to military voters greatly increased their ability to get their votes returned on time.
But these mandates came with a cost far beyond the resources that Congress originally provided. At the state and local level, providing additional resources for election administration almost always comes second to more visible day-to-day needs, like education, repairing roads, and snow removal. Absent an actual election meltdown, local funders may not feel that spending scarce resources on improving IT infrastructure for elections is the urgent priority it actually should be. To take but one example of this problem, shortly before the 2016 election, the Brennan Center surveyed 274 county election officials in 28 states. More than half of the officials said they would need new voting machines by the 2020 election, but more than 80 percent of those said they did not know if or how they would be able to pay for replacements.
The revelations in the leaked NSA document make it plain that Russia is likely to continue to escalate its efforts to interfere in our democracy, and this fact may embolden other foreign powers or terrorist groups like ISIS to act against us as well. States and counties have done much to improve election security in recent years—most importantly, the vast majority of states have moved away from paperless voting machines. But more needs to be done.
We must recognize that we live in a world where foreign interests are vying for power on the world stage by trying to shape American politics or even attempting to create doubts that democracy really works. Against that backdrop, it is clear that strengthening election security is essential to protecting our national security.
It is time for members of Congress to step up. They can encourage urgent action by state and local funders by providing them with time-limited grants to do things like replace antiquated machines, upgrade the hardware and software that supports voter registration, and conduct post-election audits to confirm to the public that they can trust the results. State and local election officials know what improvements their systems need, and security experts have made clear recommendations. Congress should listen to these voices and use its powers to strengthen election systems’ ability to withstand the next attack.