Election Security

Don’t Let COVID-19 Eclipse Election Security Concerns

By Alex Zaheer, Tom Westphal
Thursday, May 7, 2020, 8:00 AM

The ongoing coronavirus pandemic has profoundly disrupted many aspects of American life, including a fundamental pillar of government: democratic elections. Many states have postponed their presidential primaries, and election officials across the country are already scrambling to ensure the presidential election in November can be held as planned.

But the new difficulties of a pandemic haven’t displaced the problems that faced election officials before the coronavirus arrived. The threat posed by foreign interference in U.S. elections and the vulnerability of elections to cyberattack have not gone away. And election officials’ responses to the coronavirus may create new vulnerabilities in the digital infrastructure that underpins elections. State and local officials must ensure that even amid the ongoing pandemic, election security remains a top priority.

Election officials around the country depend on electronic databases to store critical voter registration information. In some states, websites offer voters opportunities to register to vote and update important information, such as their addresses. Some jurisdictions employ technology in polling places themselves, providing poll workers with the real-time ability to see if a prospective voter is registered or has already voted elsewhere. And election agencies maintain databases necessary for other election functions—such as digital libraries of voters’ signatures, which can help verify the identity of vote-by-mail voters.

In 2016, Russian-sponsored cyberattacks exposed serious vulnerabilities in this digital election infrastructure. Russian actors probed election-related systems in all 50 states and succeeded in penetrating the voter registration databases of at least two states. These attacks were not sophisticated—they could have been engineered by any first-year computer security student. Yet the vulnerabilities that allowed the attacks still haven’t been fixed. In fact, hackers exploited the exact same class of vulnerabilities in the run-up to the 2018 midterm elections. If such security flaws remain unaddressed, there is every reason to expect that the 2020 presidential election will attract even greater foreign interest and more cyberattacks.

These consistent shortcomings suggest that the digital systems underpinning U.S. elections are not designed to withstand the strains of a modern election, including determined cyberattack. That many of these systems still have the same basic flaws four years later suggests that the U.S. has not learned its lesson and is ill prepared to meet the challenges to come.

The failure to secure digital election systems would be a glaring concern in any election year, and COVID-19 will only exacerbate these issues. The coronavirus pandemic will likely reshape how America votes in the 2020 elections. Because of the health risks inherent to in-person voting—which often requires standing in crowded lines and touching shared surfaces—many advocates, editorial boards and policymakers are calling for a massive expansion of voting by mail. But as jurisdictions rush to change their election systems, they must build digital infrastructure that can handle the strains of a presidential election while remaining secure.

The search for safe alternatives to in-person voting has already tempted states to introduce new and inadequately tested digital systems, which are risky not just because of security flaws but also because of shoddy software that is not ready for the stresses of a high-stakes election. Even a cursory analysis of the Iowa caucus app debacle earlier this year illustrates the perils of rushed and mediocre digital election infrastructure. In the nation’s first 2020 presidential caucus, the Iowa Democratic Party used a new smartphone app to record and transmit caucus results, hoping it would streamline the process. But the app didn’t work properly on caucus night and ultimately caused major delays in the caucus’s official result—not because of cyberattackers but because the app, hastily developed in two months, had infrastructure and user training that was not prepared to scale to the level of a statewide election. As states grapple with evolving election requirements, they may be tempted to cut corners just as the Iowa Democratic Party did.

Expanding access to voting by mail carries other risks. Voting at home can minimize person-to-person contact and help slow the spread of the virus, but successful vote-by-mail elections depend on accurate voter registration databases. If these databases are rendered dysfunctional just before the election, either by cyberattackers or by poor design, jurisdictions may not have enough time to implement emergency in-person polling options—and chaos could ensue.

State and local election officials must act now to address digital vulnerabilities in election infrastructure. First, jurisdictions must act swiftly to correct existing flaws. Stress-testing and auditing existing digital election infrastructure is a good first step: Without a map of trouble spots, election officials will be blind to their risks in the critical months ahead. Second, if digital election infrastructure is expanded or changed, security and resiliency measures should be an integral part of its design, not introduced after the fact. Finally, state and local officials should not shoulder the burden of this challenge alone. Federal agencies such as the Department of Homeland Security have resources available to help detect and secure digital infrastructure flaws. Election officials must seek out these resources early and often in the coming months.

In today’s polarized political environment, any disruption to the voting process risks inflaming already heightened partisan tensions. State and local election agencies should act now to secure digital election infrastructure. Failing to do so needlessly risks democracy’s legitimacy.