AFTER MONTHS OF stalled progress in Congress, efforts to promote and fund nationwide election security improvements have finally gained some momentum this week. The Senate Intelligence Committee released its long-awaited election infrastructure defense recommendations. Senate leaders got behind a revised version of the Secure Elections Act. And late Thursday night, the Senate passed the omnibus spending bill, which includes $380 million for securing digital election systems. All the pieces are in place. The solutions are clear. All that's left is the doing.
But, of course, that turns out to be the hardest part. Experts say that while Congress did take meaningful action this week, it likely comes too late to play an extensive role in securing this year's midterm elections.
"This is a great first step, but it’s not going to solve the problem," says Marian Schneider, president of Verified Voting, a group that promotes election system best practices. "Just the heightened awareness of what is the threat model and what are best practices for dealing with that threat model makes me hopeful and optimistic that those steps will be taken. But I would like to see the vulnerable systems replaced, and the clock is ticking. The farther we get into the year, the less likely it is. That’s just a reality."
Lots of reliable organizations have come out with recommended election security best practices, both conceptual and technical, over the last year—including the Harvard Belfer Center, the DHS-funded nonprofit Center for Internet Security, and the New York University Brennan Center. But that doesn't make the Intelligence Committee recommendations an empty gesture; they help cement the consensus about necessary steps, breaking the months-long Congressional holding pattern. The National Institute of Standards and Technology also releasedengineering-based draft guidelines this week aimed at addressing cyber threats to critical infrastructure like voting systems.
Analysts also celebrate the inclusion of election-security funding in the spending bill, which will draw its $380 million from money that was authorized but never appropriated by the 2002 Help America Vote Act. Within 45 days, states will be able to tap into grants to replace insecure voting machines and invest in election system security upgrades.
Observers note, though, that the HAVA money has crucial drawbacks and limitations. Both the spending bill and HAVA allow states to use the money for a broad range of election system-related projects, so there's no guarantee it will go toward critical defense upgrades. And the way HAVA allocates money means not every state will wind up with enough to meet their need.
"$380 million would probably be enough to replace the vast majority of the paperless systems in the US, which is one of the main things security experts are concerned about," says Lawrence Norden, the deputy director of the Brennan Center. "But since every state's allotment is based on their population under the HAVA formula no matter what their needs are, it’s not going to be enough to do that. This money hopefully will be used quickly for basic cybersecurity and better post-election audits. But there’s going to be a need to really closely watch how [the states] are spending it, and this alone is not going to be enough to solve the problem."
The limitations of the HAVA funding make this week's bipartisan momentum on the Secure Elections Act even more important. The bill broadly mirrors the Intelligence Committee's recommendations, and lays out more narrow parameters and requirements than HAVA for how states could use that funding. Receiving Secure Election Act grants would still be voluntary, as an acknowledgement of states autonomy in running elections. But those that chose to receive the money would have to meet some shared minimum requirements.
"Election officials are really doing a lot, and many of the folks you meet that are working in counties are as good security people as I’ve ever seen," says Mike Garcia, the director of elections best practices at the Center for Internet Security, who coauthored the organization's Handbook for Elections Infrastructure Security. "But there are 8,800 elections jurisdictions, so, yes, some are better than others. And with that kind of variation it means that some things are getting done and some things aren't."
Some of the crucial progress that is happening stems from Department of Homeland Security efforts. After a heated controversy about whether election systems should be officially classified as "critical infrastructure"—it is, as of last summer—DHS began establishing better communication channels for intelligence-sharing between all levels of law enforcement and election officials. The agency has also conducted system security assessments for dozens of states and localities.
And an increased awareness of threats to election security has motivated many officials to adopt cybersecurity best practices, institute or improve audits, and even replace insecure voting machines, in some notable instances. But without funding sources or legislation to incentivize adherence to minimum standards, these improvements have all been voluntary, and haven't been consistent or ensured.
Though problematically delayed, this week's Congressional movement can still positively impact this year's midterm elections in some ways. Some important cybersecurity and audit improvements can be implemented right away, like patching software and adding multi-factor authentication and other access controls to election-related networks. For more labor-intensive projects, though, and particularly those that will involve an lengthy acquisition process, time is up. Officials and experts are largely looking ahead to security improvements that will take effect for the 2019 and 2020 elections.
At the very least, though, there now seems to be more willingness for practitioners at all levels of government to collaborate with Congress and DHS. "This is a race with no finish line," top election officials wrote in a letter to voters on Monday. "Failing to invest will leave us less secure than we need to be."