In Congress, election security proposals aim at 2020 cycle

While most of the discussion around election security tends to focus on protecting the 2018 fall elections, much of the federal guidance and legislative proposals currently under consideration would likely have limited impact this year.

Two bills in Congress – the Secure Elections Act and the PAVE Act – would implement a number of best-practice policies around cybersecurity and vote tabulation that are endorsed by most experts. Yet some of the most impactful provisions from those bills, such as grant funding to replace obsolete or out-of-support voting machines or require states to use paper ballots, would take years to implement before states realized results.

Other proposals, like the Department of Homeland Security speeding up security clearances for state and local election officials, could have had an impact had they been passed earlier, but will provide few tangible benefits less than three months out from election day.

Senator Ron Wyden (D-Ore.) and Rep. Earl Blumenauer (D-Ore.), sponsors of the PAVE Act, warned in an Aug. 17 press conference that voting machine manufacturers and some state election officials are seeking to influence Congress to water down the Secure Elections Act as much as possible and promised to use all his power to ensure that the committee includes PAVE Act provisions on paper ballots and risk limiting audits into law this year.

"Essentially a coalition of the voting machine companies and some of the secretaries of state who insist on these inexcusable systems, they're going to try to drag their feet in the Senate Rules Committee," Wyden said. "There are real opportunities here to protect voters now."

Blumenauer said the goal was to get protections in place for 2020.

"You're right, it would be a stretch to make some of these structural changes mechanically before the [November 2018] election, although the audit is entirely [possible]," said Bluemenauer. "This is the first shot for the 2020 election."

The Election Assistance Commission is working on new voting system standards that include improved technical guidance around cybersecurity, but they must be voluntarily adopted by states and voting machine manufacturers.

Last year, then-EAC Chair Matthew Masterson told FCW that the commission doesn't expect those standards to have an impact on how states make purchasing decisions around voting equipment until 2020 or 2022 at the earliest. Since then, personnel changes have left EAC without a functioning quorum and new commissioner Thomas Hicks told Congress last month that the approval process for the new standards has been tabled indefinitely until another commissioner is appointed.

Earlier this year, Congress approved $380 million in assistance to states for election security improvements, but Hicks told Congress last month that much of that money has not actually been spent yet.

One of the biggest differences between 2016 and today is that the DHS has taken a more central role, sharing information with states faster and scanning for the presence of malicious cyber groups targeting election infrastructure.

The charge that nothing has been done since 2016 "couldn't be further from the truth," said Maurice Turner, a former cybersecurity staffer on the Homeland Security Committee and senior technologist at the Center for Democracy and Technology tweeted in May.

Another practical resource for states looking to harden defenses around election security before November may come from the private and non-profit sectors. This week, the Brennan Center for Justice released a playbook for election officials focused around preventing and recovering from technological failures and cyberattacks. Many of the recommendations assume that officials will be working with older, paperless voting machines in some form. The Center for Democracy and Technology has also started releasing a series of field guides for election administrators focused on implementing basic but effective cybersecurity practices within a legacy technology environment.

Meanwhile, lawmakers on Capitol Hill are jockeying to build support for their preferred legislation. The Secure Elections Act, which has 11 co-sponsors in the Senate and recently picked up a companion bill in the House, is scheduled to be marked up by the Senate Rules Committee next week and appears headed for floor consideration in the near future. Chairman Roy Blunt released an amended version of the bill Aug. 16 with an added provision that would require states to develop cyber incident response plans in order to be eligible for future grant funding.