In a wide-ranging set of indictments handed down on July 13, 2018, the U.S. Department of Justice (DOJ) charged 12 Russian intelligence officers with brazenly attacking U.S. election infrastructure during the 2016 presidential election. On that same day, Director of National Intelligence Dan Coats sounded the alarm that Russia is continuing its cyberattacks on the United States, ominously stating that “the warning lights are blinking red again,” just as they were before the terrorist attacks of 9/11. Coats went on to say that the nation’s election systems and other digital infrastructure are “literally under attack.” Yet, in the face of overwhelming evidence, for more than a year-and-a-half, President Donald Trump has cast doubt on these consistent warnings. It now is incumbent on Congress, key members of the administration, state and local officials, and other stakeholders to take aggressive steps within their respective purviews to secure our election infrastructure.
The cacophony of warnings from top intelligence officials and lawmakers about our nation’s insecure election infrastructure could not be starker. In addition to the admonitions of Director of National Intelligence Coats, FBI Director Christopher Wray warned that the United States needs to respond to Russia’s attacks “with fierce determination and focus.” Secretary of State Mike Pompeo said that the United States has a “‘great deal more work to do’ to safeguard the integrity of American elections ahead of the upcoming 2018 midterms.” And the Senate Intelligence Committee, chaired by Sen. Richard Burr (R-NC), concluded that 2016 may have been just a “testing ground” for future, more severe attacks.
On July 26, 2018, concrete evidence of the accuracy of these warnings came to light. Sen. Claire McCaskill (D-MO), who is a harsh critic of Russian President Vladimir Putin and is in the midst of her own reelection campaign, revealed that Russian operatives attempted to infiltrate her Senate computer network. These Russian hackers allegedly used a variant of the same password-stealing technique that they used successfully to steal the e-mails of Hillary Clinton’s campaign chairman, John Podesta, in 2016.
Just three days after the DOJ’s indictments of Russian intelligence officers, President Trump conducted a summit with President Putin in Helsinki, Finland. In stunning remarks in front of the Russian leader and international media—which he later attempted to walk back—Trump cast doubt on whether Russia worked to interfere in the 2016 election and appeared to accept Putin’s denials of Russia’s attacks on our democracy. Trump’s comments were met with outrage in the United States, with half of all Americans calling Trump’s actions “treasonous.” Members of Congress—from both parties—condemned the president’s capitulation to Russia. Despite this condemnation, Trump quickly followed up the Helsinki summit by inviting Putin to meet in the United States during fall 2018. Trump’s national security adviser, John Bolton, shortly thereafter announced the delay of the Trump-Putin meeting until 2019. This was done in hopes that it would occur after the conclusion of special counsel Robert Mueller’s investigation of Russian election interference, which Bolton called a “witch hunt” despite the multiple DOJ indictments of Russian operatives.
For his entire presidency, Trump has failed to condemn Putin’s 2016 attack on the United States election or explicitly recognize that Russian incursions into our election infrastructure are ongoing. He has also refused to aggressively lead a whole-of-government response to repel the Russians and other hostile nation-states, dangerously waiting to call his first White House meeting about the issue until July 27, 2018. In light of this dereliction of duty, it is more critical than ever that Congress aggressively exerts its authority to ensure that votes cast in the upcoming November 2018 midterm election—just more than three months away—and the 2020 presidential election are secure from Russian tampering.
Resources needed for states to strengthen election security
Free and fair elections are a central pillar of U.S. democracy. Through our elections, Americans voice their choices about the future path of our nation; who will represent their interests in the states, Congress, and beyond; and what policies will be enacted by those leaders. Yet, the right of Americans to choose their own political destiny is being challenged by foreign nation-states that work to hack into our elections in order to advantage their preferred candidates as well as undermine Americans’ confidence in election results, furthering the goal of weakening the United States as a geopolitical power.
The DOJ indictments made clear that, in addition to hacking the Democratic National Committee and Hillary Clinton’s presidential campaign, Russian operatives targeted state and local election infrastructure in a sophisticated and wide-ranging attack during 2016. According to the indictments, the object of the Russian conspiracy was to infiltrate protected computers belonging to state boards of elections, secretaries of state, and U.S. companies that supply software and other election-related technology in order to steal voter data and other information.
Further details reveal that the indicted hackers, based in Russia’s GRU military intelligence service, broke into a Florida-based software company that supplies software for some voting machines nationwide and accessed a state election website—which Illinois admits was very likely its website—to steal sensitive information on approximately 500,000 voters. A senior DHS official testified on July 18 that, although there is evidence Russia targeted voter registration databases in 21 states, he suspects Russians scanned every single state and territory during the 2016 election cycle.
As the Center for American Progress detailed in a 50-state report, state- and local-based election infrastructure and voting systems are vulnerable to hacking and other malfeasance. The most important mechanisms to help secure election infrastructure include conducting elections with a paper-based voting system that makes hacking virtually impossible and carrying out robust postelection audits to confirm the accuracy of election results.
State and local officials, who largely are responsible for administering secure elections, are in the process of receiving $380 million in congressional funding to bolster their election infrastructure. The U.S. Election Assistance Commission already has transferred most of that money to states for immediate use after all states applied for their funds.
In the meantime, a congressional report released on July 13 identified 18 states that still lack key voting safeguards, including paper trails and postelection audits. Thirteen states still allow at least some votes to be cast on machines that lack a paper trail. And all but three states fail to require rigorous postelection audits.
Many state and local officials are, in fact, taking steps to improve election security. For example, California plans, in part, to use it allotted federal funds between 2019 and 2021 to upgrade its voter registration database, conduct cybersecurity training, and implement risk-limiting audits while also taking more immediate steps to increase personnel and set up vote centers. Washington state, which conducts its elections by mail-in ballot, recently passed legislation to implement stronger postelection audits. The state plans to use its federal funding for upgrades such as new information technology staff, as well as more staff training and equipment to strengthen cybersecurity monitoring. Georgia—a state that votes exclusively on machines that do not provide a paper record and does not require postelection audits—is slated to receive $10.3 million in federal funding from the Election Assistance Commission. However, it will cost Georgia between $35 million and $100 million to replace the state’s 27,000 voting machines.
With only a little more than three months before the midterm elections, most states are unable to fully fix their election security weaknesses. State officials of both political parties, including 21 state attorneys general, have said that they have not received enough federal funds to make necessary improvements to their systems.
Urgent, coordinated action needed from all stakeholders to bolster election security
Despite the need for additional federal funds, on July 18, House Republicans blocked attempts by House Democrats to add $380 million in election security funds to a relevant spending bill. Remarkably, Republican congressmen claimed that states do not need additional funds for election security. Next week, the Senate may vote on a similar Democratic-sponsored amendment that would add $250 million in election security funds to appropriations legislation.
In addition to slow-walking funding, Republican leaders will not allow passage of the Secure Elections Act, a piece of bipartisan Senate legislation that would take substantive policy steps to improve election security. The chief Republican sponsor of the bill, Sen. James Lankford (R-OK), continues to push Republican leadership to act, observing that the indictments of the 12 Russians are “another sign that we must enact election security legislation to protect our election infrastructure from attacks from foreign entities.” Similarly, Sen. Ron Wyden (D-OR) has urged passage of his legislation, the Protecting American Votes and Elections Act of 2018, which would require paper ballots and rigorous “risk-limiting” audits for all federal elections. House Democrats also have sponsored a strong legislative framework, the Election Security Act, which would make crucial changes to existing laws to bolster election security.
The nation’s top election equipment vendors also contribute to the insecurity of voting machines and related networks. In just the latest example, it recently was revealed that for many years, a top vendor—Election Systems and Software—had installed remote access software and modems on machines used to tally official election results and program voting machines, practices that render equipment very susceptible to hacking.
At a bipartisan July 11 hearing of the Senate Committee on Rules and Administration, multiple senators expressed concerns with the practices of equipment vendors that are not taking sufficient steps to ensure voting machines and related networks that state and local officials use are secure. Two of the largest vendors failed to show up at the hearing for questioning, and the vendors that did appear claimed it was appropriate for them to continue selling electronic voting machines without paper backups.
As Sen. Mark Warner (D-VA) observed, “When you’ve got a 90 percent [market] concentration [and] three vendors controlling the back end of our voting systems, that’s a vulnerability.” Sen. Wyden, who repeatedly has demanded important information from vendors, accused vendors of stonewalling Congress and refusing to answer basic questions about cybersecurity practices, remarking, “The only way to make this worse would be to leave unguarded ballot boxes in Moscow and Beijing.”
Software vendors also may be making election systems less secure. On the same day that the federal indictments of the Russian election hackers were handed down, the state of Maryland revealed the FBI discovered that, in 2015, the state’s voter registration platform was purchased by a company controlled by a Russian oligarch without state officials’ knowledge. As of now, there is no evidence of malfeasance, but Gov. Larry Hogan (R-MD) conceded, “Even the appearance of the potential for bad actors to have any influence on our election infrastructure could undermine public trust in the integrity of our election system.”
Given all these dynamics, it is clear that Congress and President Trump should aggressively be paving a path for states and localities to secure election infrastructure. But even in that absence, key executive branch departments and agencies should be providing leadership to help secure our election infrastructure. Department of Homeland Security Secretary Kirstjen Nielsen and FBI Director Wray issued a joint statement in May claiming that election security “is an issue that the Administration takes seriously and is addressing with urgency.” Despite increased coordination between federal and state officials, election infrastructure, as a whole, remains insecure, especially without a whole-of-government effort coordinated through the White House.
We know one thing for certain: Even without a presidential or congressional mandate, state and local officials should take every possible step to move to a system that incorporates paper ballots and robust postelection audits. Without these two crucial components, our election infrastructure remains insecure and vulnerable to Russian hacking in both the 2018 midterm election and the 2020 presidential election—a completely unacceptable and dangerous state of affairs for a nation with a democracy under attack.
Michael Sozan is a senior fellow on the Democracy and Government Reform team at the Center for American Progress.