State Election Security Spending Guidance for 2018 Omnibus

Voters file in to vote at the Beulah Baptist Church polling station in Montgomery, Alabama, on December 12, 2017.

On March 23, 2018, the U.S. Congress passed a comprehensive spending bill that includes $380 million dollars in much-needed funding for improving election security in the states. Each state is guaranteed at least $3 million in grant funding to improve election security, with additional funding available based on a state’s population.

States are directed to use grant funds to replace paperless electronic voting machines with paper-based voting systems, implement robust post-election audits, or make important cybersecurity and technical upgrades to election infrastructure. When receiving a grant, states must commit to match federal funding by at least 5 percent as part of their state budgets within a two-year period.

Federal funding for election security comes at a critical time—just seven months before the 2018 midterm elections—and after months of congressional hearings on the continued threat of foreign interference and warnings from national security experts that Russian operatives will again seek to infiltrate and disrupt U.S. elections. Recognizing this, some states are already taking steps to fortify election infrastructure:

  • On February 27, 2018, the Kentucky State Board of Elections voted to require voter-verified paper trails for all future election equipment purchases throughout the state.
  • In March, Minnesota Secretary of State Steve Simon (D) announced that Minnesota would begin providing cybersecurity training to election officials.
  • On March 7, 2018, Washington passed a new election security package to strengthen the state’s post-election audit procedures and require voting system vendors to disclose security breaches in their systems, among other efforts.
  • Oregon is hiring a cybersecurity expert to improve the overall security of the state’s voter registration database.
  • On March 1, 2018, Arizona Gov. Doug Ducey (R) issued an executive order creating an Arizona Cybersecurity Team, charged with improving the state’s cybersecurity capabilities through collaboration and information sharing between experts from the public and private sector on cybersecurity best practices.
  • On February 9, 2018, Gov. Tom Wolf’s (D) administration in Pennsylvania—which still uses paperless voting machines in some jurisdictions—ordered counties looking to replace voting systems to purchase machines with paper records.
  • In March, Michigan announced that 2018 post-election audits will be performed through manual hand-count, as opposed to automated retabulation.

Still, as illustrated in Center for American Progress’ report “Election Security in All 50 States: Defending America’s Elections,” vulnerabilities in election infrastructure remain in all 50 states and the District of Columbia. And while the bipartisan funding allocated by Congress is a good first step in improving election security, research shows that additional funding will be needed in the future to shore up state systems. Indeed, CAP estimates that $1.25 billion over a 10-year period is needed to fortify elections.

Because federal funding is limited, states must spend their grant monies wisely and pursuant to the bill’s report language and directives from the Election Assistance Commission (EAC), which Congress has given the authority to distribute these funds, pursuant to the Help America Vote Act (HAVA) of 2002. States are required to provide an overview and budget for how they plan to spend their allotted funds and subsequently must report their spending to the EAC, which provides another measure of accountability.

Some states have already announced how they would like to use the federal funds. For example, Vermont Secretary of State Jim Condos (D) said on March 29, 2018, that the federal grants will allow his state to “invest in additional tools, cybersecurity protections and equipment,” including penetration testing on election systems, as well as replacing the state’s “aging infrastructure.” A spokesperson from the Connecticut secretary of state’s office on March 29, 2018, said that staff are already meeting to determine how best to use their state’s funding. As is clear, specifics on how states will use their grant funds are still being formulated. However, over the coming months, Congress, government watchdog groups, the media, and the public must closely monitor state spending to ensure state officials use their funding efficiently, effectively, and pursuant to federal requirements.

In prioritizing state spending of federal grants, CAP agrees with the March 2018 guidance provided by the Senate Intelligence Committee and the EAC, and thus, recommends the following:

1. Prioritize switching to paper-based voting systems

Fourteen states still use paperless electronic voting machines in at least some jurisdictions. These states—Arkansas, Delaware, Florida, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee, and Texas—must immediately replace paperless machines with voting systems that produce a voter verified paper record, preferably a paper ballot. These states should look to Virginia, which replaced all its paperless electronic voting machines with a statewide paper ballot voting system just weeks before the 2017 elections. Unfortunately, recent analysis by the Brennan Center for Justice and Verified Voting found that the $380 million allocated by Congress is not enough to replace all paperless electronic voting machines in all the states that currently use them. The federal funding does allow states to begin replacing at least some machines, which is an important improvement.

2. Implement robust post-election audits

Robust post-election audits, such as risk-limiting audits, confirm and instill confidence in the accuracy of election results. Robust post-election audits can only be carried out with strong voter verified paper trails and cannot be applied to paperless electronic voting machines that do not produce a reliable record of voter intent. Only two states—Colorado and Rhode Island—have audit requirements in place that can reliably detect and remedy incorrect election outcomes if they occur. States that have strong paper voting systems but require significant upgrades to their current auditing procedures include: Alabama, Arizona, Idaho, Iowa, Maine, Maryland, Massachusetts, Michigan, Montana, Nebraska, New Hampshire, North Dakota, Oklahoma, South Dakota, Vermont, and Virginia.

3. Provide cybersecurity training for election officials

In 2016, hackers waged a series of spear-phishing and other attacks on state and local election officials in an organized effort to steal sensitive information allowing hackers access to voter databases. In addition to serious privacy concerns, breaches to voter databases could prevent eligible voters from casting ballots that count when they show up to the polls on Election Day. Hackers could alter or delete voter registration information, which in turn could result in eligible voters being turned away. In the current threat environment, election officials with access to voter databases must be properly trained on how to identify and properly respond to potential spear-phishing attacks and other suspicious cyber activity. The states that need to begin providing cybersecurity training to election officials include: Connecticut, Idaho, Maine, Missouri, Nevada, South Dakota, Texas, Vermont, and Wyoming.

4. Fortify election equipment and system databases

Relatedly, states must work alongside cybersecurity experts and computer scientists to fortify election equipment and system databases, implementing cybersecurity best practices. The U.S. Department of Homeland Security already offers cyberhygiene scans, as well as risk and vulnerability assessments of election infrastructure to states at no cost. In addition to implementing cybersecurity best practices, states should dedicate funding to appointing or training experts specializing in the cybersecurity of election infrastructure and should conduct their own regular and vigorous threat assessments on election databases to identify and prevent potential vulnerabilities and attacks in real time.

Conclusion

The $380 million allocated by Congress represents a kind of down payment for upgrading and improving the nation’s election infrastructure. Although it is not enough to fully upgrade state election systems, it demonstrates a bipartisan recognition by Congress of the threat posed by foreign interference to America’s elections and a desire to support states in their efforts to protect against future attacks. States should continue acting on their own—where they have existing resources—to switch to paper ballot systems; provide cybersecurity training to election officials; improve post-election auditing practices; and dedicate resources to upgrading the cybersecurity and technological standards of election systems. Securing U.S. elections depends on coordination and resource sharing between the states and federal government. Congress’ decision to act in a bipartisan way to dedicate some much-needed funding to election security is a good first step.

Danielle Root is the voting rights manager for Democracy and Government Reform at the Center for American Progress. Liz Kennedy is the senior director for Democracy and Government Reform at the Center. Michael Sozan is a senior fellow supporting the work of Democracy and Government Reform at the Center.