Washington is used to being the final voice on all things related to national security. But as Congress looks to secure U.S. elections against foreign cyberattack, lawmakers are facing an uncomfortable reality—when it comes to elections, state officials are the ones calling the shots.
The Senate Rules Committee’s abrupt cancellation of a Wednesday-morning markup of the Secure Elections Act deftly demonstrates the point. The legislation, cosponsored by a bipartisan group of senators, was expected to pass out of committee after a chairman’s amendment reduced some of the requirements for state election officials. Instead, the committee indefinitely postponed consideration of the bill just minutes before the scheduled markup.
“In recent days, individual secretaries of State, including the Vermont secretary of state, who currently serves as president of the National Association of Secretaries of State, have expressed concerns about certain provisions in the Secure Elections Act,” a committee aide said in a statement explaining the postponement. Those concerns, the aide added, worked to whittle down Republican support for the bill.
Jim Condos, Vermont’s secretary of state, said in a statement that it was “important that any legislation passed by Congress regarding election administration includes funding for states to have the resources necessary to continue our work protecting the integrity of our electoral process.”
“As election administrators we do not need overly prescriptive language for election procedures like audits, but language that enables states to audit with confidence,” Condos later added.
The blowup over the Secure Elections Act is the latest in a long-running standoff between Congress and the states on election cybersecurity. Federal lawmakers warn of the dangers of fully digitized election audits or paperless voting systems while state officials caution Capitol Hill to respect their right to conduct elections as they see fit—particularly if they’re expected to put their own money down in the process.
The Constitution is somewhat nebulous on who has the final say on elections, especially when it comes to national security concerns. But notwithstanding the Voting Rights Act and a handful of other significant exceptions, lawmakers have historically hesitated to prescribe detailed remedies to perceived problems in the states’ administration of elections.
In this specific case, some conservatives are citing the 10th Amendment—the constitutional provision that grants to the states those powers not specifically delegated to the federal government—to advise against levying mandatory cybersecurity rules on state election officials.
“It’s such a complicated issue, and largely because of this federal-state dynamic,” said J. Alex Halderman, an election-security expert at the University of Michigan. “I think it’s an unfortunate dynamic, in that there are very few other issues where states find themselves on the front line of international cyberwarfare and something that affects all of our national security.”
Introduced in December 2017 by Sens. James Lankford and Amy Klobuchar, the initial version of the Secure Elections Act was all carrot and no stick—a nod to the fragile federal-state relationship on elections. In order to qualify for federal grant money, state officials would need to ensure that the funds would be spent according to guidelines crafted by a federal cybersecurity committee.
Those guidelines would’ve included a requirement that states purchase voting machines that spit out a paper record of each ballot cast, and that state officials set up post-election, paper-backed audits to examine the authenticity of the vote in the event of potential foreign tampering. Election-cybersecurity experts are nearly unanimous in their support for a paper-backed election process, saying it’s the only way to ensure public confidence in the vote should Russia or another foreign actor seek to cast doubt on the process.
But the carrot of federal funds was jettisoned entirely in the wake of a chairman’s markup released late last week. The new legislation instead required state officials to set up some form of postelection auditing on their own dime, though the details would be left to the individual states.
Many election experts were unhappy that the auditing requirements were being watered down, and worried that states may choose to audit their elections digitally—a practice that could leave them vulnerable to further cyberattacks—instead of counting a preset percentage of paper records by hand.
“Why are the election officials in the states resistant to that practice, when it’s well-established and accepted that that’s what we need to protect our elections?” said Susan Greenhalgh, the policy director at the National Election Defense Coalition.
But some conservatives—including Lankford, one of the bill’s primary sponsors—fretted over making audits, or anything else, mandatory for state election officials. “Everything’s voluntary, because the states need to be able to run their own elections,” he told reporters. “States clearly have the responsibility.”
Other conservatives disagree, citing overarching national security concerns that they believe should preempt attempts to wield the 10th Amendment against federal cybersecurity prescriptions.
“Part of me thinks maybe it’s people are over-reading the 10th Amendment on this one,” Adam Brandon, the president of small-government advocacy group FreedomWorks, told National Journal. “There’s no reason that the state of Ohio can be expected to combat these types of cyberthreats. This falls under the common defense.”
Trey Grayson, a Republican lawyer and a former Kentucky secretary of state, said the issue is driven less by partisanship than by a general distrust of federal intervention. “When I was secretary of state, I was struck by the number of Democratic secretaries and Democratic election administrators who would say, ‘The feds are going to mess up our elections, just stay away,’” Grayson said.
Despite Wednesday’s setback, the push on Capitol Hill for the Secure Elections Act is by no means over. On Wednesday afternoon, Senate lawmakers met with Homeland Security Secretary Kirstjen Nielsen, National Intelligence Director Dan Coats, and FBI Director Christopher Wray for a briefing on election cybersecurity and future policy responses. And Condos’s statement suggests that additional federal funds for audits and paper-backed voting machines could go a long way to assuaging state officials’ concerns about a federal takeover.
Congress already sent the states $380 million for election security in March as part of an omnibus spending package. With that in mind, Lankford says it’s unlikely that more federal funds will be forthcoming. But, he added, states can pave the way for funding in the future by cooperating with federal requests to update their election-cybersecurity systems today.
“For those states that can’t audit their elections, I think the push needs to be: You’re not going to get any federal funds to help—ever, in the future, if we’re going to do this ever again—if you can’t audit your elections,” Lankford said.
But most cybersecurity experts say states will need significantly more federal money to buy paper-backed voting systems, conduct robust postelection audits, and otherwise shore up their defenses. And even some conservatives wonder why Congress can’t make election cybersecurity a bigger priority.
“I don’t want to equate this with some of our overseas engagements, but when we need to find money, we find the money,” said Grayson. “If we prioritize national defense, then we have to cut some things.”