Last month’s $380 million infusion of federal funds for states to shore up their election systems against cyberattack was hailed as a crucial, if somewhat belated, response to ongoing efforts by Russia and other adversaries to meddle in U.S. elections.
But even as the Election Assistance Commission scrambles to get that money to states ahead of the November midterms, experts warn that it’s unlikely to make more than a dent in the most pressing election-cybersecurity problems—particularly the need to replace paperless voting machines with those that leave an auditable paper trail of each vote cast.
“It’s going to be tough to get many places to replace equipment before November 2018,” said Lawrence Norden, the deputy director of the Brennan Center’s Democracy Program. States will have only a few months to negotiate contracts and certify the equipment, and Norden said that “lag time” makes it unlikely that the dozen or so states still voting on predominantly paperless systems can swap out their machines before the midterms.
Looking past November, there’s growing consensus in the election-security community that last month’s one-time influx of federal dollars is woefully insufficient to safeguard future votes against bad actors in cyberspace.
“The $380 million is not enough,” said Marian Schneider, president of the Verified Voting Foundation.
Because the money is allocated according to population rather than need, Schneider said it won’t do enough to help the states that still must replace most or all of their paperless voting machines. The same goes for the whopping 47 states whose election-auditing systems—the statistical processes through which officials actually review a produced paper trail for potential inconsistencies—experts say are not up to snuff.
A bipartisan bill now percolating through the Senate is set to address those specific concerns. Sponsored by Sens. James Lankford and Kamala Harris—and recently bolstered by support from Senate Intelligence Committee Chairman Richard Burr and ranking member Mark Warner—the Secure Elections Act would push an additional $386 million toward the states, with extra money for those that need it the most.
But the legislation is not without its detractors. In a hearing of the Senate Homeland Security and Governmental Affairs Committee on Tuesday, Chairman Ron Johnson repeatedly questioned the wisdom of focusing further federal efforts on election cybersecurity, which he believes is already robust.
“What we don’t want to do is play into [Russian President Vladimir] Putin’s hands and legitimize his activity here and upset the American public, make them question the legitimacy of these past and future elections,” Johnson told reporters after the hearing.
The Wisconsin Republican highlighted the lack of evidence that Kremlin-linked hackers did more than scan voter databases and conduct probing attacks last election cycle and suggested that, if anything, lawmakers could work with states to help them prioritize how to best spend the funds they’ve already been given.
Jim Condos, Vermont’s secretary of state and the incoming president of the National Association of Secretaries of State, said Johnson’s reasoning is exactly backwards.
“That scares the hell out of me, that he doesn’t understand the elections process and he doesn’t understand cybersecurity,” Condos told National Journal.
Condos said public confidence has already been undermined by Russia’s actions in 2016, and that new initiatives funded with federal dollars are expressly designed to regenerate that confidence by providing proof that foreign meddling did not affect an election’s outcome.
“It really would be a head-in-the-sand type approach to say if we don’t give any more money to this, the problem’s going to go away,” he said. “That’s not reality.”
Condos said the $386 million promised under the Secure Elections Act was formulated before the inclusion of $380 million for the same set of issues in last month’s omnibus. “I expect that number’s going to change,” he said.
While Condos and other election-security experts would welcome an additional $386 million, they worry even that number may not be enough to prepare states for years of battle against determined cyber-adversaries.
After paperless voting machines are done away with and auditing systems are made statistically robust, states will still face additional cybersecurity challenges. Old equipment will need to be swapped out, out-of-date operating systems will need to be upgraded, and election workers will need to be trained to resist spear phishing and other common ruses employed by foreign intelligence services online.
“Especially now that the federal government has named elections critical infrastructure, I think it’s incumbent on them to provide the resources that we’re going to need,” said Condos, adding that most states are too cash-strapped to devote more than a token amount of funding toward election cybersecurity. “If it’s just another round of one-time money, I don’t think that’s going to be particularly helpful.”
Beyond the typical aversion to increased spending, election-security experts say some lawmakers seem to be wrapping politics into what should be a cut-and-dried issue of national security. To them, Johnson’s concern about delegitimizing “past elections” indicates that some Republicans believe acknowledging the problem of foreign cyber-meddling undermines President Trump’s 2016 victory.
It’s an assertion most experts vociferously deny. And Schneider believes the issue should naturally transcend party politics. “Every congressman, every senator—they are all elected on the same equipment, regardless of party,” she said.
Politics may also be blocking meaningful executive action on election cybersecurity. Paul Rosenzweig, a senior cybersecurity fellow at the libertarian R Street Institute, suggested that Trump’s unwillingness to confront the Kremlin over its actions during the 2016 election means Putin will continue testing state election systems until he’s met with a response.
“Deterrence is at least an equal, if not a superior, component to the overall strategy as defense,” Rosenzweig said. “And the federal government’s systematic commitment to either or both of these is often dependent upon direction from the president—which has been lacking.”