Last week, Kris Kobach, vice chair of President Trump’s Election Integrity Commission, set off a firestorm by asking for voter roll data of every registered citizen in America, including (depending on the state) birthdates, party affiliations, voting histories, and the last four digits of Social Security numbers. The backlash has been intense. It depends a bit how you count, but so far, 21 states have declined to provide any data, with many more making clear they may not provide the information requested. The states’ bipartisan reluctance makes sense given that several election observers have argued that Trump’s establishment of the commission is a big fraud set up to give credence to his bizarre (and repeatedly disproven) claim that 3 million to 5 million noncitizens cast ballots. Critics believe that the bigger goal is to push restrictive laws that will make it more difficult for eligible citizens, particularly people of color and young adults, to register and vote.
No doubt they are right. But the antics of Trump’s commission are also something else: a distraction from what could be an existential threat to our democracy. On the very same day Kobach sent his letter to state election officials, Secretary of Homeland Security John Kelly gave a speech at the Center for a New American Security, warning that cyberattacks against our election systems were the “way of the future” and arguing that we need to take immediate action before the next federal election in 2018. “We have to protect this or we’re not a real democracy anymore,” he said.
His comments echo the consensus of the intelligence community: The Russian government engaged in an unprecedented cyberattack against America in 2016, and it will be back with a vengeance in the next two federal elections. While there is no evidence the attacks against our election systems successfully altered vote tallies or changed information on voter rolls, there are legitimate concerns those things could happen down the road. As one former senior U.S. official put it to Bloomberg, “the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks.”
The contrast here—between the overreach of the Trump commission in the service of providing “evidence” for Trump’s unfounded tweets and the lack of federal action to protect our election systems from the very real threat of foreign attack—is painful. It’s hard to escape the feeling that the Titanic has hit an iceberg and the captain is ordering his crew to search the ship for leaky faucets. There is going to be real damage if we don’t start reordering our priorities very soon.
Certainly federal and local officials have taken some important steps to shore up our election infrastructure in the last few years. For instance, voting machines with Wi-Fi capabilities that could be accessed remotely have been decertified and taken out of service. Security testing of machines has become much more sophisticated than it was a decade ago. And perhaps most importantly, many jurisdictions have replaced their paperless computerized voting machines with systems that scan paper ballots filled out by voters or produce a paper trail that can be reviewed by the voter. These paper ballots allow us to check that machines are providing accurate totals and weren’t hacked. The Brennan Center, where I work, estimates that in November 2016, at least 80 percent of registered voters either made selections on a paper ballot or voted on an electronic machine that produced a paper trail.
But given the pace at which cyberattacks are evolving, we are not moving nearly fast enough. The good news is that security experts are confident there are a few basic steps Congress and local officials can take now that would vastly increase our ability to block or mitigate damage that could be done by a sophisticated cyberattack. These were detailed in a recent Brennan Center report. Among the most important items:
- Replacing antiquated voting machines with new, auditable systems. In particular, Congress should act to help states and counties replace the old, paperless direct recording electronic machines that are still used in 14 states with more secure, accessible systems.
- Requiring regular and robust audits of the paper ballots or voter-verified paper record. Today, only 26 states require that election officials conduct post-election audits of paper records. Even in states where checks are conducted, they are often insufficiently robust to ensure an election-changing software error would be found.
- Completing a full assessment of threats to our voter registration systems. The consensus among experts interviewed by the Brennan Center is that this should be done on a regular basis, but that many states are unlikely to have completed this kind of comprehensive risk assessment in the last few years despite the fact that both registration systems and cyberthreats have evolved enormously over that time.
- Upgrading and replacing IT infrastructure, including databases. The Brennan Center estimates that 42 states are using voter registration databases that were initially created at least a decade ago. Many states will require upgrades to their databases and election infrastructure in the near future, and the need is particularly great at the local level where systems often run on discontinued software like Windows XP or Windows 2000 that is more vulnerable to cyberattack because it is no longer vendor-supported. (That is, vendors no longer issue security patches except in the most dire of circumstances, like with the vulnerability exploited by the ransomware WannaCry.)
After the bungling by the president’s Election Integrity Commission, many may prefer to see Congress stay out of elections entirely. In the face of such an urgent threat to our democracy, however, that would be a mistake. As Bruce Fein, conservative lawyer and columnist, put it in Tuesday’s Washington Times, “Elections are too important to be left to amateurs or luck, which Congress seems not to understand.”
In fact, several important leaders in Congress do appear to understand. At a Senate Select Intelligence Committee hearing on Russian interference in the 2016 election, Sen. Richard Burr—a North Carolina Republican who chairs the panel—noted: “This adversary is determined, they’re aggressive, and they’re getting more sophisticated by the day. The diversity of our election system is a strength, but the intrusions in the state systems also show that Moscow’s willing to put considerable resources in an unclear result.” He followed those remarks with a question: “What are we doing to prepare ourselves for this November and next November?”
Sadly, the answer so far from Congress and the president is not much. Not a single bill in Congress that addresses the true vulnerabilities in our voting process has a Republican co-sponsor.
There is still time to take important steps that could safeguard our election systems ahead of the 2018 and 2020 elections. It won’t come from Trump’s dubious fraud commission, and it seems unlikely to come from the president himself. If it’s going to come from anyone, it will be from Republican members of Congress like Burr. The 2018 election is less than 16 months away. Let’s take the energy that’s going into Kobach and Trump’s commission and put it toward actions that will actually ensure we have free and fair elections without tampering or manipulation.