When It Comes to Protecting Our Elections, States Know What They’re Doing
Tom Spencer /
One of the mainstream media’s favorite tropes for the last 18 months has been Russian hacking of the 2016 election.
Ever eager to respond to manufactured crises, Congress is considering several bills that would give the federal government more control over election procedures and place onerous burdens on state and local election officials who have the primary power and responsibility under the Constitution to administer elections.
Shortly before leaving office, President Barack Obama’s Department of Homeland Security designated elections as “critical infrastructure,” and the Trump administration has continued that designation. This allows federal agencies that have previously been unfamiliar with elections, or the processes used to conduct them, to intervene in the election process.
The 2016 election precipitated all this activity, but what actually happened to the 2016 election process?
One voter registration system, in Illinois, was hacked—but no records were changed. The hacker may or may not have been a Russian agent. That is still to be determined. In addition, election officials in Arizona and at the Election Assistance Commission had their credentials illegally obtained, but again, no records were affected.
Homeland Security also reported that 21 state election systems were “scanned,” meaning that hackers assessed the system for security flaws. Many of these states have pointed to a couple of possibilities: The systems scanned were not, in fact, election-related but were separate state systems, or the scans were no different from the probing that our electronic systems face—and repel—every day.
While Homeland Security tried to argue these scans were a result of state incompetence, some of the 21 states on its list—like Wisconsin—are only listed because they actually reported the scan to Homeland Security, which is exactly what they are supposed to do.
The list also included California’s statewide Department of Technology system, which led California Secretary of State Alex Padilla to lament that the notice from Homeland Security “was not only a year late, it also turned out to be bad information.”
Homeland Security’s misinformation—implying that elections were hacked—betrays a lack of trust of local election authorities and a lack of communication with them. This skepticism has characterized Homeland Security’s interactions with state election officials ever since it deemed elections to be critical infrastructure.
While there is evidence that a foreign power may have tried to carry on a disinformation campaign in the U.S., there is no evidence whatsoever that a single vote was changed or improperly accessed, or that any voter registration records were changed in 2016 as a result.
Narrative Over Facts
Despite this lack of evidence, the media, Homeland Security, many in Congress, and liberal organizations are keen to keep the “21 states were hacked” narrative alive.
In February, NBC News ran a story with the headline “Russians penetrated U.S. voter systems, top U.S. official says.” While that certainly made for effective “clickbait,” the story contained no new information. It was merely an attempt to sensationalize a statement by a Homeland Security assistant secretary, Jeanette Manfra, in which she repeated her agency’s “21 states” count and said that an “exceptionally small number of [the election systems] were actually successfully penetrated.”
That small number was actually one, but Manfra’s unclear statement was exploited by a media only too eager to cast doubt on the results of the 2016 election.
This narrative gives the media a reason and justification to centralize the administration of elections, ultimately giving the federal government—and therefore, generally liberal-leaning Washington—more control.
Legitimate Threats Remain
While the extent of what actually happened in 2016 has been vastly overblown, we should not minimize the threats being made to both our election system and public confidence in that system from bad actors who compromise election technology.
In a March hearing on election cybersecurity, Sen. Marco Rubio, R-Fla., posed a chilling hypothetical: A hacker could compromise a voter registration system, change or delete a small but significant number of voters’ records, causing the voters to have problems at the polls on Election Day, and then when the story of the tampered voter registration records emerges, the entire election would be placed in doubt.
These kinds of threats are real and serious. While voters’ actual right to vote and have that vote counted would not necessarily be compromised, the real damage would be to voter confidence in our election results and election administration process.
In this age of viral social media posts and partisan rancor, hackers would not even need to penetrate our election system or alter vote counts to damage confidence in our election system.
Our federalist structure, which gives states the primary control and responsibility for election administration, is the best defense against the hacking of an election. Our decentralized system consists of thousands of different jurisdictions, which use different procedures, equipment, servers, vendors, and locations for data at every step of the election process, from voter registration to the final certification of results. Federalizing the administration of elections would remove this vital safeguard.
The media would have you believe that unless Congress or Homeland Security act, these diverse systems remain vulnerable to cyberattacks, as the states are too backward or unconcerned to protect their own systems.
Nothing could be further from the truth.
States and localities around the country are experts in election administration and have been thinking about and protecting the security of our election system long before it ever entered the national spotlight. And the federal government is no bastion of cybersecurity, as demonstrated by the fact that the Consumer Financial Protection Bureau was hacked over 200 times.
State laws place strict limitations on physical access to any machines involved in voting or the tabulation of votes. The much publicized “hacking” of election machines during last year’s DEF CON conference was not only done on outdated machines, but also required an extended period of physical access to the machines, including dismantling and removing the motherboards from the machines with screwdrivers.
Many states require machine access points to be covered with tamper-evident tape after machines are tested and calibrated, in addition to extensive physical security during storage and transport.
States also have cybersecurity protocols and protections, just like any other entity with online systems. All state systems have baseline protections, and the election systems usually have additional procedures to safeguard the integrity and security of election processes.
When testifying before the Senate Select Committee on Intelligence in March, Vermont Secretary of State Jim Condos outlined some of the practices Vermont uses to protect its election systems: vote tabulators are not connected to the internet, the voter registration database is backed up daily, all traffic to the website is monitored, known problem or suspected IP addresses are blocked, and the system is regularly tested for penetration. This is typical of steps taken by election officials around the country to protect their systems.
Could the states do more to protect election cybersecurity? Absolutely. As the never-ending string of data breaches at major companies and government entities demonstrates, bad actors are constantly evolving in their creativity, skills, targets, and strategies, and we must be constantly vigilant.
But the fact that cybersecurity efforts could always be better should not lead us to the conclusion that nothing is being done now.
Could the federal government provide crucial resources to the states to help with their cybersecurity efforts? Absolutely. But since the 2016 election, the federal government has mostly perpetuated the “21 states” hacking myth, sought to extend its own control instead of assisting states, and derided the states’ role and expertise.
If a bad actor succeeds in compromising an election system, even in a very small way, public confidence in our election system will be harmed. Liberals and the media have already done most of the bad actor’s work through their concerted efforts to undermine confidence in the election administration system of the 2016 election results and to destroy confidence in state and local election officials.
In a sense, Russia is winning without “firing a shot,” as the myth of its election hacking has undermined confidence in the 2016 election. Those who wish to sow discord in the U.S., like Russia, have found reliable allies in politicians, pundits, and computer scientists who are eager to create a centralized election administration system that is far easier to hack.
This is far worse than simply casting doubt on our election systems and election results. Rather, it creates the potential for real harm to our election administration systems while ignoring the efforts of hardworking election officials across the country.