In the last U.S. presidential election, Russian hackers penetrated Illinois’s voter-registration database, viewing voters’ addresses and parts of their social security numbers. Election results were not affected, but the attack put intruders in the position to alter voter data, according to a report from the Senate Select Committee on Intelligence. The incursion was part of hacking attempts against all 50 states, and intruders will try even more vigorously in 2020, yet experts say Congress is doing little to improve defenses. The Brennan Center for Justice at New York University says states will need just more than $2.1 billion to upgrade election computer systems, yet last month the Senate approved only a fraction of that amount: $250 million.
One reason for the inadequate response is that elected representatives and their staffs are not tech savvy enough to understand the scope of the problems, says Lawrence Norden, director of the Election Reform Program at the Brennan Center and co-author of the cost analysis. His sentiments are echoed by other cybersecurity specialists. “I just didn’t have the tools,” recalls Meg King, director of the Digital Futures Project at the Woodrow Wilson International Center for Scholars, who worked on a cyberdefense bill a decade ago as a senior staff member on a House homeland security subcommittee. She now describes that bill as “too little, too late.” Today her think tank has begun to offer staffers short courses in cybersecurity issues, but security researchers worry that step will not be enough.
While substantially changing the outcome of an election by hacking into voting machines is extremely unlikely because those machines and the ballot counting process are very decentralized, altering voter rolls could block people from voting. If the system is even slightly exploited, says David Becker, executive director of the Center for Election Innovation & Research, it could trigger public distrust in elections. “I think the greatest challenge that we do have is to make sure that we maintain the integrity of our election system,” said Joseph Maguire, the U.S. acting director of national intelligence, during recent congressional testimony.
Because election security is so important to democracy, Norden wants Congress to fund new state offices that can act as cyber-response teams when attackers try to breach or even alter voter roll information. Yet this project is one that Republican Senate Majority Leader Mitch McConnell of Kentucky has been uninterested in pursuing, arguing that such responsibility rests with the states themselves. But the funding that state governments have allocated, along with federal assistance, to date “only scratches the surface,” Becker says. Continuous election security for the future means supporting states with money to update systems that store voter information and to improve cybersecurity training, he adds. “We need to address this as an ongoing expense,” Becker says.
King says one reason Capitol Hill keeps proposing solutions that fall short of the problem is high staff turnover, which means knowledge evaporates when people leave. Further, institutions that provide nonpartisan information to Congress, such as the Congressional Research Service, are stretched thin. The Office of Technology Assessment, a Congressional service that was intended to advise lawmakers on science and technology issues, was shut down in 1995. Recently representatives from both parties have begun efforts to resurrect it, but support has yet to materialize into real funding.
To get staffers to better understand the threats and how to find the right solutions to technical problems such as election security, the Wilson Center established the Congressional Cybersecurity Lab under the umbrella of King’s Digital Futures Project. The lab offers weekly seminars led by technologists and runs hands-on exercises over a six-week period. After staffers complete the program, they have access to a pool of experts to advise them “without a lobbyist’s perspective,” King says, as well as a network of lab alumni. Knowledge gained by staffers, she adds, should let them craft more effective legislation and communicate more easily with independent cybersecurity researchers at universities and corporations.
Legislators have a vested interest in supporting more secure elections and more cybersecurity expertise on Capitol Hill, points out Kathryn Waldron, a cybersecurity researcher at the R Street Institute. As 2020 campaigns gear up, hacking attempts against politicians and their offices will likely increase, she says. “It is not just a threat to national security; it is a threat to American democracy at large,” Waldron says.