Warning Lights Are Blinking Red: It Is Time to Secure
Our Elections from Ongoing Russian Attack
In a wide-ranging set of indictments handed down on July 13, 2018, the U.S. Department of Justice (DOJ) charged 12 Russian intelligence
officers with brazenly attacking U.S. election infrastructure during the 2016 presidential election. On that same day, Director of National
Intelligence Dan Coats sounded the alarm that Russia is continuing its cyberattacks on the United States, ominously stating that “the warning
lights are blinking red again,” just as they were before the terrorist attacks of 9/11. Coats went on to say that the nation’s election systems and
other digital infrastructure are “literally under attack.” Yet, in the face of overwhelming evidence, for more than a year-and-a-half, President
Donald Trump has cast doubt on these consistent warnings. It now is incumbent on Congress, key members of the administration, state and
local officials, and other stakeholders to take aggressive steps within their respective purviews to secure our election infrastructure.
The cacophony of warnings from top intelligence officials and lawmakers about our nation’s insecure election infrastructure could not be
starker. In addition to the admonitions of Director of National Intelligence Coats, FBI Director Christopher Wray warned that the United States
needs to respond to Russia’s attacks “with fierce determination and focus.” Secretary of State Mike Pompeo said that the United States has a
“‘great deal more work to do’ to safeguard the integrity of American elections ahead of the upcoming 2018 midterms.” And the Senate
Intelligence Committee, chaired by Sen. Richard Burr (R-NC), concluded that 2016 may have been just a “testing ground” for future, more severe
On July 26, 2018, concrete evidence of the accuracy of these warnings came to light. Sen. Claire McCaskill (D-MO), who is a harsh critic of
Russian President Vladimir Putin and is in the midst of her own reelection campaign, revealed that Russian operatives attempted to infiltrate
her Senate computer network. These Russian hackers allegedly used a variant of the same password-stealing technique that they used
successfully to steal the e-mails of Hillary Clinton’s campaign chairman, John Podesta, in 2016.
Just three days after the DOJ’s indictments of Russian intelligence officers, President Trump conducted a summit with President Putin in
Helsinki, Finland. In stunning remarks in front of the Russian leader and international media—which he later attempted to walk back—Trump
cast doubt on whether Russia worked to interfere in the 2016 election and appeared to accept Putin’s denials of Russia’s attacks on our
democracy. Trump’s comments were met with outrage in the United States, with half of all Americans calling Trump’s actions “treasonous.”
Members of Congress—from both parties—condemned the president’s capitulation to Russia. Despite this condemnation, Trump quickly
followed up the Helsinki summit by inviting Putin to meet in the United States during fall 2018. Trump’s national security adviser, John Bolton,
shortly thereafter announced the delay of the Trump-Putin meeting until 2019. This was done in hopes that it would occur after the conclusion of
special counsel Robert Mueller’s investigation of Russian election interference, which Bolton called a “witch hunt” despite the multiple DOJ
indictments of Russian operatives.
For his entire presidency, Trump has failed to condemn Putin’s 2016 attack on the United States election or explicitly recognize that Russian
incursions into our election infrastructure are ongoing. He has also refused to aggressively lead a whole-of-government response to repel the
Russians and other hostile nation-states, dangerously waiting to call his first White House meeting about the issue until July 27, 2018. In light
of this dereliction of duty, it is more critical than ever that Congress aggressively exerts its authority to ensure that votes cast in the upcoming
November 2018 midterm election—just more than three months away—and the 2020 presidential election are secure from Russian tampering.
Resources needed for states to strengthen election security.
Free and fair elections are a central pillar of U.S. democracy. Through our elections, Americans voice their choices about the future path of our
nation; who will represent their interests in the states, Congress, and beyond; and what policies will be enacted by those leaders. Yet, the right
of Americans to choose their own political destiny is being challenged by foreign nation-states that work to hack into our elections in order to
advantage their preferred candidates as well as undermine Americans’ confidence in election results, furthering the goal of weakening the
United States as a geopolitical power.
The DOJ indictments made clear that, in addition to hacking the Democratic National Committee and Hillary Clinton’s presidential campaign,
Russian operatives targeted state and local election infrastructure in a sophisticated and wide-ranging attack during 2016.According to the
indictments, the object of the Russian conspiracy was to infiltrate protected computers belonging to state boards of elections, secretaries of
state, and U.S. companies that supply software and other election-related technology in order to steal voter data and other information.
Further details reveal that the indicted hackers, based in Russia’s GRU military intelligence service, broke into a Florida-based software
company that supplies software for some voting machines nationwide and accessed a state election website—which Illinois admits was very
likely its website—to steal sensitive information on approximately 500,000 voters. A senior DHS official testified on July 18 that, although there is
evidence Russia targeted voter registration databases in 21 states, he suspects Russians scanned every single state and territory during the
2016 election cycle.
As the Center for American Progress detailed in a 50-state report, state- and local-based election infrastructure and voting systems are
vulnerable to hacking and other malfeasance. The most important mechanisms to help secure election infrastructure include conducting
elections with a paper-based voting system that makes hacking virtually impossible and carrying out robust post-election audits to confirm the
accuracy of election results.
State and local officials, who largely are responsible for administering secure elections, are in the process of receiving $380 million in
congressional funding to bolster their election infrastructure. The U.S. Election Assistance Commission already has transferred most of that
money to states for immediate use after all states applied for their funds.
In the meantime, a congressional report released on July 13 identified 18 states that still lack key voting safeguards, including paper trails and
post-election audits. Thirteen states still allow at least some votes to be cast on machines that lack a paper trail. And all but three states fail to
require rigorous post-election audits.
Many state and local officials are, in fact, taking steps to improve election security. For example, California plans, in part, to use it allotted federal
funds between 2019 and 2021 to upgrade its voter registration database, conduct cybersecurity training, and implement risk-limiting audits
while also taking more immediate steps to increase personnel and set up vote centers. Washington state, which conducts its elections by mail-
in ballot, recently passed legislation to implement stronger post-election audits. The state plans to use its federal funding for upgrades such as
new information technology staff, as well as more staff training and equipment to strengthen cybersecurity monitoring. Georgia—a state that
votes exclusively on machines that do not provide a paper record and does not require post-election audits—is slated to receive $10.3 million in
federal funding from the Election Assistance Commission. However, it will cost Georgia between $35 million and $100 million to replace the
state’s 27,000 voting machines.
With only a little more than three months before the midterm elections, most states are unable to fully fix their election security weaknesses.
State officials of both political parties, including 21 state attorneys general, have said that they have not received enough federal funds to make
necessary improvements to their systems.
Urgent, coordinated action needed from all stakeholders to bolster election security
Despite the need for additional federal funds, on July 18, House Republicans blocked attempts by House Democrats to add $380 million in
election security funds to a relevant spending bill. Remarkably, Republican congressmen claimed that states do not need additional funds for
election security. Next week, the Senate may vote on a similar Democratic-sponsored amendment that would add $250 million in election
security funds to appropriations legislation.
In addition to slow-walking funding, Republican leaders will not allow passage of theSecure Elections Act, a piece of bipartisan Senate
legislation that would take substantive policy steps to improve election security. The chief Republican sponsor of the bill, Sen. James Lankford
(R-OK), continues to push Republican leadership to act, observing that the indictments of the 12 Russians are “another sign that we must enact
election security legislation to protect our election infrastructure from attacks from foreign entities.” Similarly, Sen. Ron Wyden (D-OR) has urged
passage of his legislation, the Protecting American Votes and Elections Act of 2018, which would require paper ballots and rigorous “risk-
limiting” audits for all federal elections. House Democrats also have sponsored a strong legislative framework, the Election Security Act, which
would make crucial changes to existing laws to bolster election security.
The nation’s top election equipment vendors also contribute to the insecurity of voting machines and related networks. In just the latest
example, it recently was revealed that for many years, a top vendor—Election Systems and Software—had installed remote access software and
modems on machines used to tally official election results and program voting machines, practices that render equipment very susceptible to
At a bipartisan July 11 hearing of the Senate Committee on Rules and Administration, multiple senators expressed concerns with the practices
of equipment vendors that are not taking sufficient steps to ensure voting machines and related networks that state and local officials use are
secure. Two of the largest vendors failed to show up at the hearing for questioning, and the vendors that did appear claimed it was appropriate
for them to continue selling electronic voting machines without paper backups.
As Sen. Mark Warner (D-VA) observed, “When you’ve got a 90 percent [market] concentration [and] three vendors controlling the back end of our
voting systems, that’s a vulnerability.” Sen. Wyden, who repeatedly has demanded important information from vendors, accused vendors of
stonewalling Congress and refusing to answer basic questions about cybersecurity practices, remarking, “The only way to make this worse
would be to leave unguarded ballot boxes in Moscow and Beijing.”
Software vendors also may be making election systems less secure. On the same day that the federal indictments of the Russian election
hackers were handed down, the state of Maryland revealed the FBI discovered that, in 2015, the state’s voter registration platform was
purchased by a company controlled by a Russian oligarch without state officials’ knowledge. As of now, there is no evidence of malfeasance,
but Gov. Larry Hogan (R-MD) conceded, “Even the appearance of the potential for bad actors to have any influence on our election infrastructure
could undermine public trust in the integrity of our election system.”
Given all these dynamics, it is clear that Congress and President Trump should aggressively be paving a path for states and localities to secure
election infrastructure. But even in that absence, key executive branch departments and agencies should be providing leadership to help secure
our election infrastructure. Department of Homeland Security Secretary Kirstjen Nielsen and FBI Director Wray issued a joint statement in May
claiming that election security “is an issue that the Administration takes seriously and is addressing with urgency.” Despite increased
coordination between federal and state officials, election infrastructure, as a whole, remains insecure, especially without a whole-of-government
effort coordinated through the White House.
We know one thing for certain: Even without a presidential or congressional mandate, state and local officials should take every possible step to
move to a system that incorporates paper ballots and robust postelection audits. Without these two crucial components, our election
infrastructure remains insecure and vulnerable to Russian hacking in both the 2018 midterm election and the 2020 presidential election—a
completely unacceptable and dangerous state of affairs for a nation with a democracy under attack.
Michael Sozan is a senior fellow on the Democracy and Government Reform team at the Center for American Progress.
By Michael Sozan