State election officials told members of Congress Wednesday that even after the $380 million the federal government distributed last year for states to shore up the security around their election systems, more will be needed to replace dated voting equipment and to combat future cyberthreats.
But the officials who testified before the House Homeland Security Committee were not unanimous in how new funds should be awarded, some wary that the federal government would put too many requirements and deadlines on states for spending additional election-assistance money.
“The most important feature to a good election security bill is to create one that provides necessary resources to the states without creating unfunded or underfunded mandates and strangling restrictions through federal overreach,” Alabama Secretary of State John Merrill said in his opening remarks.
Merrill and his fellow witnesses, including California Secretary of State Alex Padilla, were in Washington to comment on security measures in the For the People Act — also known as H.R. 1 — a sweeping election-reform bill being championed by the House’s new Democratic majority. Although the Republican said his state could use more funding to improve its election security, Merrill said the bill places too many rules on what could be done with any future grants, such as what types of voting machines could be purchased.
But the other panelists, including Padilla, endorsed setting national standards for election security, including the certification of voting equipment, conduct of post-election audits using paper trails and more rigorous cybersecurity measures. Those measures could include frequent vulnerability scans and adoption of procedures like multi-factor authentication for users who access election-related computer systems such as voter registration databases.
From ‘wedding planners’ to cybersecurity experts
Some of those steps for national standards were undertaken in the two year period between the 2016 presidential election, during which hackers linked to the Russian government attempted to penetrate the voter files in at least 21 states, and last year’s midterm races, which were the first federal elections to be conducted since the Department of Homeland Security designated election systems as a critical part of the nation’s infrastructure.
There may be signs this new partnership between the federal government and the states has been successful: The Homeland Security and Justice departments said this month there is no evidence that foreign adversaries interfered in the 2018 elections, though they have not made their findings public. Still, states say they’ve made strides in the last few years.
“What all election officials have learned is cyber hygiene, as well as our ‘cyber vocabulary’,” Padilla said. “We don’t want to downplay incidents, but we don’t want to oversell them. What is scanning? It’s been described in lay terms as someone going through a neighborhood checking doorknobs to see if they’re unlocked.”
But the path for election officials seeking to be become knowledgable on cybersecurity can be a complicated one, said Noah Praetz, a former elections director in Cook County, Illinois.
“Prior to 2000, election administrators served mostly as wedding planners, making sure the right list of people came together in the right place with the right stuff,” he said. “After Bush v. Gore, we became IT managers. And after 2016, we had to become cybersecurity experts.”
But the degree to which those officials have boned up on cybersecurity varies from state to state. In California, Padilla has used some of the $34 million he received last year from the Election Assistance Commission — along with state funding — to build two new offices dedicated to election cybersecurity and risk management. One project the new offices undertook was the creation of a website called “VoteSure” where Californians could find information about their polling places as well as a link to report disinformation campaigns spread on social media.
Padilla said that his staff referred 300 pieces of disinformation, including posts that told people the wrong days to vote, to social media companies, with 97 percent of them being removed. While that’s a high success rate, it also reflects the fact that election officials’ responsibilities now include the job of monitoring sites like Facebook and Twitter for bad information.
“We’ve got to expand the services we provide,” Praetz said. “I think social media steps in where they think they perceive they can. To the extent we don’t fill those gaps ourselves there are going to be third-party providers.”
‘Cybersecurity is cybersecurity’
Still, any additional steps states can take to improve their election security heading toward 2020 and beyond will come back to funding. The $380 million states received last year was the last bit of funding authorized the Help America Vote Act, a 2003 law passed in the wake of the contentious results of the 2000 presidential election in Florida.
“The federal government can move a lot quicker,” Padilla said.
While H.R. 1 is not a spending bill, the federal government will also need to provide “billions” to bring states up to speed, especially as they replace equipment that’s more than a decade old in many places, Jake Braun, the executive director of the University of Chicago Cyber Policy Initiative, told StateScoop. But even with some state officials’ chafing at the prospect of federal oversight, Braun said they’ll need to be held to certain standards.
“There’s probably some stuff in there that could reasonably be changed [in the bill],” he said. “That said, cybersecurity is cybersecurity. It doesn’t matter if you’re JPMorgan or Google or the state of Kentucky. What you do to enhance your cybersecurity is the same.”