CSIS Election Cybersecurity Scorecard: The Outlook for 2018, 2020 and Beyond
The 2016 election was a wake-up call for the United States that our largely digitized election systems are vulnerable. The Russian government targeted US campaigns, candidates, and election systems in a series of coordinated cyber attacks and influence operations intended to undermine confidence in American democracy.
In the last two years, federal, state and local election officials have made significant efforts to secure our election infrastructure and defend our democracy. Basic cybersecurity best practices have been implemented across most of our 50 states, and more than $800 million has been allocated by federal and state officials to harden election systems against cyber threats. We are better prepared in 2018 to deal with the threat of foreign election interference, but there is much more to be done to ensure the integrity and resilience of our elections against cyber threats for 2020 and beyond.
The 2018 midterm elections involve thousands and local, state and federal contests for everything from local selectman seats to 468 seats in the U.S. Congress. Cyber attacks could target systems run by any of thousands of campaigns and political party organizations, voter registration and election managment systems administered by the 10,000 jurisdictions that oversee U.S. elections, voting machines or vote tallying systems, or election night reporting by official election websites or traditional and social media.
Understanding the risks to our election systems requires understanding the threats to these systems posed by foreign nation states, the vulnerability of our electoral system to different types of disruption and manipulation, and the measures we have in place to secure each of these systems.
Our primary cyber adversary, Russia, continues to target campaigns and candidates with cyber attacks in 2018, building off their successful tactics in the 2016 election to manipulate political discourse in the U.S. through influence operations. We have yet to see a foreign adversary attempt to disrupt our core election infrastructures – voter registration databases, election management systems, voting machines or vote counting systems – despite the fact that attacking these systems could directly disrupt or manipulate the results of an election.
Over the last two years, a great deal of effort and investment has gone into securing core election infrastructures against cyber threats, and implementation of basic cybersecurity practices has improved. More remains to be done, but campaigns and election night reporting systems have received comparatively little attention. While these systems cannot be used to directly disrupt or manipulate elections, attacks on these systems pose a serious threat to public confidence in American democracy.
The greatest overall risk in 2018 is to campaigns and candidates, where cybersecurity practices remain inconsistent but our adversaries have focused their attacks. However, to ensure that Russia does not escalate its attacks to disrupt election systems, we must continue to invest in the security of those systems, and communicate clearly to the Russians that interfering with the conduct or results of U.S. elections will have serious consequences.
Over 99% of votes in the United States are cast or counted by computers, and many of these systems are vulnerable to cyber threats. Computerized voting, while potentially vulnerable to cyber threats, has some significant advantages over all paper ballots. Computerized voting can reduce miscounted or discarded votes due to voter error, enable voters with disabilities to vote, help voters in rural areas to access the polls, and speed up the delivery of election results.
But we have underinvested in securing digital election systems. Across the country, state and local officials have limited staffs and budgets for security, and many of the most competitive races in 2018 are being held in some of the most vulnerable areas.We surveyed our extensive network of cybersecurity experts to find out what cyber threats they worry most about in 2018. More than 80% of our experts identified Russia as the number one cyber threat to U.S. elections, reflecting the strong evidence of ongoing Russian cyber attacks against the 2018 election over the last few months.
While a third of our experts worry about Russian attacks on voter registration and voting systems, the primary risk remains cyber-enabled influence operations and espionage targeting campaigns and candidates. Dozens of attacks have already been reported on campaigns and party organizations across the country, disrupting websites and stealing documents and communications.While headlines often focus on vulnerabilities that remain in election systems, much has already been done to strengthen our cyber defenses for the 2018 midterms. We identified 40 states that have invested more than $75 million of federal and state funds to secure election systems since 2016. This includes 26 states that have conducted security assessments and implemented cybersecurity upgrades, 20 states that have invested in enhanced cybersecurity training for election officials, 15 states that have upgraded or replaced voting equipment, and nine states that are expanding post-election audits.
The federal government has also taken measures to support election security efforts. The Department of Homeland Security (DHS) has designated election systems as critical infrastructure, created a dedicated election thread under the Multi-State Information Sharing and Analysis Center (MS-ISAC), and recruited more than 1,300 local jurisdictions and all 50 states to participate in information sharing through the newly established Elections Infrastructure ISAC (EI-ISAC). 41 states and 68 counties have also installed DHS’s Albert intrusion detection sensors to protect their election systems, and in August, DHS held a three-day tabletop exercise with 44 states to practice coordinated responses to a range of simulated cyber attacks on election day. Meanwhile, the FBI has established programs to provide cybersecurity training and support to campaigns and election officials.
Much more is being done to prepare for the 2020 general election. Over $800 million, including $380 million of federal money under the Help America Vote Act (HAVA), has been earmarked for election cybersecurity across the 50 states. More than $300 million of this funding has already been allocated to projects that will be completed ahead of the 2020 elections.
The critical importance of a voter verifiable paper audit trail (VVPAT) has been embraced by election officials across the country. 46 of our 50 states have committed to establishing a VVPAT for all voters. In 2020, 38 states will use all paper ballots or voting machines with a VVPAT, two more will have a paper trail for all but their accessible voting machines for disabled voters, and six more will be in the process of implementing VVPAT for all voters.Progress is being made, but there is also much more to be done. All votes in the United States should have a VVPAT, and all 50 states should conduct risk-limiting post-election audits to ensure that any attempt to manipulate voting systems is detected and mitigated. No system is perfect (including paper ballots, which have been manipulated many times over the course of modern history), but a paper audit trail and risk-limiting audits are an important first step in establishing resiliency against cyber threats.
We must also increase funding for election security. Following the 2000 presidential election, in 2002 Congress allocated more than $3 billion to the states to modernize election systems, the equivalent of $4.2 billion in today’s dollars. Today, the threat to our elections is much greater, but only $380 million has been allocated by Congress to support state election security efforts. We must invest in strong cybersecurity for our election systems today, and ensure that adequate funding is available in the future to maintain and upgrade election systems as technology and threats evolve.
We also need to look beyond the risks to core election infrastructures and redouble our efforts to secure campaigns, party organizations, and election night reporting systems against cyber threats. While cyber attacks on these systems cannot be used to directly manipulate the results of votes, they pose a significant threat to public confidence in our leaders and in our elections.
Finally, campaigns and election officials should leverage all available partnership opportunities to improve their security. In addition to state resources and support from DHS and the FBI, private companies including Microsoft, Cloudflare, Akamai, and Symantec, among others, have offered pro-bono cybersecurity services to election systems and campaigns.
If Russia, or any other foreign adversary, attempts to interfere with the 2018 midterm elections, they will find this country better secured, better prepared, and ready to take action to defend our sovereignty. But federal, state and local officials must continue to work after November to strengthen the security of election systems for 2020 and beyond. We will be ready for Russia’s 2016 tactics in 2020, but our adversaries continue to innovate, and it will take sustained effort and investment to maintain the security and resilience of American democracy against cyber threats.
This Project is made possible by support from Raytheon Company.
1 A.B. No. 3075, Chapter 241 (Cal. 2017-2018), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB3075.
2 “Albert,” Center for Internet Security, available at https://www.cisecurity.org/services/albert/.
3 “Amidst Reports of Russian Election Hacking, Governor Cuomo Unveils Comprehensive Initiative to Strengthen State's Election Cyber Security Infrastructure and Protect Against Foreign Interference,” New York State Governor’s Press Office, July 17, 2018, https://www.governor.ny.gov/news/amidst-reports-russian-election-hacking-governor-cuomo-unveils-comprehensive-initiative.
4 Andrew Liptak, “Virginia is replacing some of its electronic voting machines over security concerns,” The Verge, September 10, 2017, https://www.theverge.com/2017/9/10/16284108/virginia-replacing-direct-recording-electronic-voting-machine-cybersecurity.
5 Benjamin Freed, “Louisiana puts acquisition of new voting machines on hold after losing bidder protests,” statescoop.com, August 29, 2018, https://statescoop.com/louisiana-puts-acquisition-of-new-voting-machines-on-hold-after-losing-bidder-protests.
6 Benjamin Freed, “Meet the guy paying for West Virginia to run an election on blockchain,” StateScoop, April 4, 2018, https://statescoop.com/meet-the-guy-paying-for-west-virginia-to-run-an-election-on-blockchain.
7 Benjamin Freed, “New voting machines are important, but here are three other ways states are investing in election security,” statescoop.com, July 19, 2018, https://statescoop.com/new-voting-machines-are-important-but-here-are-three-other-ways-states-are-investing-in-election-security.
8 Brian Calkin et al., A Handbook for Elections Infrastructure Security, (East Greenbush, New York: Center for Internet Security, 2018), https://www.cisecurity.org/elections-resources/.
9 Bristow Marchant, “Is SC prepared for the 2018 election to be attacked?” The State, August 20, 2018, https://www.thestate.com/news/politics-government/article217007725.html.
10 Bryan Anderson, “California Plots $134M Election Security Spend,” The Sacramento Bee, July 10, 2018 http://www.govtech.com/security/California-Plots-134M-Election-Security-Spend.html.
11 Chase Gunter, “Locking Down Voting Tech,” GCN, February 15, 2017, https://gcn.com/articles/2017/02/15/voting-system-protections.aspx.
12 Christopher Deluzio, “Federal Election Security Grants Don’t Go Far Enough,” Brennan Center for Justice, August 24, 2018, https://www.brennancenter.org/blog/federal-election-security-grants-dont-go-far-enough.
13 “Contract for New Voting System in Travis County Approved,” Travis County Clerk, available at http://traviscountyclerk.org/eclerk/Content.do?code=NewVotingSystemAnnouncement.
14 Corin Cates-Carney, “Federal Grant Helps Bolster Montana Election Security,” Montana Public Radio, September 19, 2018, http://www.mtpr.org/post/federal-grant-helps-bolster-montana-election-security.
15 Danielle Root and Liz Kennedy, “9 Solutions to Secure America’s Elections,” Center for American Progress, August 16, 2017, https://www.americanprogress.org/issues/democracy/reports/2017/08/16/437390/9-solutions-secure-americas-elections/.
16 Danielle Root, Liz Kennedy, and Michael Sozan, “State Election Security Spending Guidance for 2018 Omnibus,” April 2, 2018, https://www.americanprogress.org/issues/democracy/news/2018/04/02/448734/state-election-security-spending-guidance-2018-omnibus/.
17 Deborah Shaar, “Post-Election Augists in Kansas Begin With 2019 Elections,” KMUW Witchita 89.1, October 1, 2018, http://www.kmuw.org/post/post-election-audits-kansas-begin-2019-elections.
18 Defending Digital Democracy Project, Cybersecurity Campaign Playbook, (Cambridge, MA: Belfer Center for Science and International Affairs, 2018), https://www.belfercenter.org/CyberPlaybook.
19 Defending Digital Democracy Project, Election Cyber Incident Communications Coordination Guide, (Cambridge, MA: Belfer Center for Science and International Affairs, 2018), https://www.belfercenter.org/publication/election-cyber-incident-communications-coordination-guide.
20 Defending Digital Democracy Project, The State and Local Election Cybersecurity Playbook, (Cambridge, MA: Belfer Center for Science and International Affairs, 2018), https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook.
21 “Elections Performance Index (EPI),” MIT Election Data and Science Lab, last modified 2018, https://elections.mit.edu/.
22 “Election Security in Wisconsin,” Wisconsin Elections Commission, available at https://elections.wi.gov/elections-voting/security.
23 Jackie Borchardt, “Ohio lawmakers OK $114.5 million for new voting machines,” Cleveland.com, June 27, 2018, https://www.cleveland.com/open/index.ssf/2018/06/ohio_lawmakers_ok_1145_million.html.
24 Jamie Fly et al., The ASD Policy Blueprint for Countering Authoritarian Interference in Democracies, (Washington, DC: The German Marshall Fund of the United States, 2018), http://www.gmfus.org/publications/asd-policy-blueprint-countering-authoritarian-interference-democracies.
25 Jerome Lovato, Risk-limiting Audits: Practical Application, (Washington, DC: U.S. Election Assistance Commission, 2018), https://www.eac.gov/assets/1/6/Risk-Limiting_Audits_-_Practical_Application_Jerome_Lovato.pdf.
26 John Monk, “South Carolina's 13,000 voting machines unreliable, vulnerable to hackers, lawsuit alleges,” Greenville News, July 11, 2018, https://www.greenvilleonline.com/story/news/2018/07/11/lawsuit-scs-voting-machines-unreliable-vulnerable-hackers/775280002/.
27 Jonathan Oosting, “Michigan plans to replace all voting machines by 2018,” The Detroit News Lansing Bureau, January 24, 2017, https://www.detroitnews.com/story/news/politics/2017/01/24/voting-machines/96991230/.
28 Kate Talerico, “Kentucky wants to replace voting machines. Some counties aren’t sure why,” Louisville Courier Journal, August 10, 2018, https://www.courier-journal.com/story/news/politics/2018/08/10/kentucky-replace-hackable-voting-machines/916542002/.
29 Lawrence Norden, America’s Voting Machines are at Risk, (New York, NY: Brennan Center for Justice, 2017), https://www.brennancenter.org/publication/securing-elections-foreign-interference.
30 Lawrence Norden and Ian Vandewalker, Securing Elections from Foreign Interference, (New York, NY: Brennan Center for Justice, 2017), https://www.brennancenter.org/publication/securing-elections-foreign-interference.
31 Liz Kennedy et al., Election Security in All 50 States, (Washington, DC: Center for American Progress, 2018), https://www.americanprogress.org/issues/democracy/reports/2018/02/12/446336/election-security-50-states/.
32 Mark Sommerhauser, “Catching Up: Elections Commission to make e-poll book technology available to cities, towns,” Wisconsin State Journal, September 4, 2017, https://madison.com/wsj/news/local/ask/catching-up/catching-up-elections-commission-to-make-e-poll-book-technology/article_d3661865-0be8-5036-b6c9-dd75f7f181b2.html.
33 Michael R. Wickline, “In 54 counties, voting machines new for election: In others, equipment aging,” Arkansas Democrat Gazette, September 23, 2018, https://www.arkansasonline.com/news/2018/sep/23/in-54-counties-voting-machines-new-for-/.
34 “Modernizing Voter Registration,” Center for Civic Design, last modified October 2018, https://civicdesign.org/projects/voter-reg/.
35 Nafeesa Syeed, “First Line of Defense in U.S. Elections Has Critical Weaknesses,” Bloomberg, May 29, 2018, https://www.bloomberg.com/news/articles/2018-05-29/first-line-of-defense-in-u-s-elections-has-critical-weaknesses.
36 National Academies of Sciences, Engineering, and Medicine, Securing the Vote: Protecting American Democracy, (Washington, DC: The National Academies Press, 2018), https://doi.org/10.17226/25120.
37 Nicole Nixon, “Six Things You Need To Know About Election Security In Utah — And What Officials Are Doing About It,” NPR Utah, October 2, 2018, http://www.kuer.org/post/six-things-you-need-know-about-election-security-utah-and-what-officials-are-doing-about-it#stream/0.
38 Nora G. Hertel, “New election equipment coming to Central Minnesota,” SC Times, February 11, 2018, https://www.sctimes.com/story/news/local/2018/02/11/new-election-equipment-coming-central-minnesota/323153002/.
39 “Post-election Audits,” National Conference of State Legislatures, last modified October 8, 2018, http://www.ncsl.org/research/elections-and-campaigns/post-election-audits635926066.aspx#state%20reqs.
40 Sarah Gibson, “New Hampshire Ramps Up Cybersecurity for Midterm Elections,” New Hampshire Public Radio, August 29, 2018, http://www.nhpr.org/post/new-hampshire-ramps-cybersecurity-midterm-elections#stream/0.
41 Scott Goss, “Delaware’s first new voting machine their way,” Delaware News Journal, September 17, 2018, https://www.delawareonline.com/story/news/politics/2018/09/17/delawares-first-new-voting-machines-decades-their-way/1338135002/.
42 Shannon Vavra, “The five states without a paper trail of votes,” Axios, February 18, 2018, https://www.axios.com/five-states-without-paper-trail-of-votes-32801015-4ba1-4b41-80ca-ebab2cdda087.html.
43 State of Florida, Governor Rick Scott’s Securing Florida’s Future Recommended Budget Frequently Asked Questions: General Questions Relating to the Securing Florida’s Future Budget, 2018, http://securingfloridasfuturebudget.com/content/Current/Reports/BudgetFAQ.pdf.
44 Status of Election Security in Kansas, Topeka, Kansas: Kansas Legislative Research Department, August 8, 2018, http://www.kslegresearch.org/KLRD-web/Publications/StateLocalGovt/2018-08-08-ElectionSecurityKansas.pdf.
45 The General Court of the Commonwealth of Massachusetts, FY 2019 Final Budget Chapter 154, July 26, 2018, https://malegislature.gov/Budget/FinalBudget.
46 U.S. Election Assistance Commission, “HAVA Funds State Chart View,” accessed October 2018, https://www.eac.gov/payments-and-grants/hava-funds-state-chart-view/
47 U.S. Election Assistance Commission, “Voluntary Voting System Guidelines 2.0,” available at https://www.eac.gov/assets/1/6/TGDC_Recommended_VVSG2.0_P_Gs.pdf.
48 U.S. House Committee on Oversight and Government Reform, Cybersecurity of Voting Machines: Hearing before the Subcommittee on Information Technology, 115th Cong., 1st sess. (November 29, 2017), available at https://oversight.house.gov/hearing/cybersecurity-voting-machines/.
49 Yvonne Gonzalez, “Nevada tightens election security in years after targeting of 2016 Democratic data,” Las Vegas Sun, July 20, 2018, https://lasvegassun.com/news/2018/jul/20/nevada-tightens-election-security-in-years-after-t/.
50 “2018 Texas Election Security Update,” Texas Secretary of State, available at https://www.sos.state.tx.us/elections/conducting/2018-security-update.shtml.