Skip to main content

The Canvass | April 2021

March 31, 2021

Don’t Sleep on Election Cybersecurity (Cyber Criminals Won’t)

After the 2020 election, the Cybersecurity and Infrastructure Security Agency (CISA) and other members of the Election Infrastructure Government Coordinating Council proclaimed it “the most secure in American history.” More recently, the Departments of Justice and Homeland Security released a report finding no evidence of foreign interference in the election.

But lawmakers and election officials can’t celebrate just yet.

That report also discovered that Russian and Iranian campaigns “did compromise the security of several networks that managed some election functions” and “materially impact the security of networks associated with or pertaining to US political organizations, candidates, and campaigns.” And cyberattacks during the 2020 election weren’t limited to election systems, political groups or campaigns. At a recent cybersecurity workshop, Gary Pruitt, president and CEO of the Associated Press (AP), reported the AP was targeted with 10,000 phishing attempt emails on Election Day 2020 alone. Since the AP serves as a central hub for reporting election results to the public, those attacks—even though they failed—are bad news.

The U.S. is certainly more prepared for cybersecurity attacks and issues than ever before, yet Cliff Neuman, a computer science professor at the University of Southern California and cybersecurity expert, adds “our adversaries are also more capable today.” As foreign actors develop more sophisticated cyberattacks, so too must the U.S. construct more sophisticated defenses.

Last month, Neuman joined NCSL alongside Adam Clayton Powell III, the executive director of USC’s Election Security Initiative, for a webinar on elections cybersecurity. The two experts discussed the threats to election security, our election system’s vulnerabilities and strengths, and what states can do in this fast-changing cyber realm. Watch the webinar here, or, for an overview and additional focus on legislative action, read on.

Cyberattacks: Who, Why and How

Most foreign actors intent on disrupting our nation’s election security come from Russia, China, Iran and North Korea, though other countries—including Cuba and Venezuela—have made smaller attempts. According to Powell, Russia is the one to watch—they have the budget for research and development and the people to implement these attacks.

Threats can be domestic too, coming from organized crime, as well as individual criminals. Although foreign and domestic attacks may use similar methods, the intent typically differs: “Domestic actors are in it for the money,” says Powell, “Foreign actors are trying to discredit our election system, trying to discredit democracy itself.”

How do these attacks happen? Something as simple as clicking on a suspicious link or installing a bad app could download malware (short for “malicious software”) that disables a computer or voting system. Ransomware—perhaps the most notorious form of malware—disables a system, and then demands a ransom before allowing the user to re-enable the system.

But attacks can do more than disable a system. According to Neuman, malware, viruses, worms, trojan horses and other cyberattack methods can also steal data or, in a worst case scenario, “modify a system to do things like change votes.”

Phishing is another popular attack approach, and it occurs when adversaries send messages that appear legitimate and ask the user to click on a link or log on to a website that looks secure but isn’t. Once the user has logged on to the faked website, they’ve just given the criminal their password—and possibly access to voter registration data, internal documents and other sensitive materials.

Other attacks include “supply chain subversion,” which is when malware is embedded into software or systems during the manufacturing and distribution process and prior to purchase; and “denial of service attacks,” which is when cybercriminals try to shut down systems by overwhelming them with fake queries or other communications. These cyber-attacks, notes Neuman, are “sometimes indistinguishable from a simple failure,” and he points to a recent situation in Virginia where workers on a sewage project accidentally severed a fiber optic cable and shut down the state’s online voter registration system on the final day of voter registration.

What States Can Do

Overwhelmed? Fear not. Powell stresses, “One of the great strengths of American elections is that we’re decentralized.” That doesn’t mean our systems don’t have weaknesses, just that it is very difficult to tamper with the election at the point of voting because there are so many different targets.

In fact, states and election officials are more aware of cybersecurity threats than ever before. According to Neuman, that awareness—coupled with support from CISA and the U.S. Election Assistance Commission—has helped states protect their elections infrastructure. Most election systems now include a paper trail and isolate election tabulating systems from the internet. He adds, that “when outcomes were questioned—and yes, the outcomes were questioned—the officials in charge were able to speak with greater confidence that the results were correct and there was the ability to do the manual recounts in those instances where there actually was a concern.”

States are taking many of the necessary steps to protect their elections, so what else can legislators do?

Revisit Laws, Policies and Training Around Election Security

Does your state require a paper trail? Is your vote tabulation system sufficiently isolated from other systems or networks? Can your voting machines be accessed via the internet? Are election officials or others who access voter registration or tabulation data trained on security best practices? See the table below for examples of relevant legislation.

Become and Stay Informed

“What we [states] need to do now,” says Powell, “is not to relax our vigilance.” As adversaries become more inventive, states and election officials must stay on top of updates from the Department of Homeland Security, CISA and other cybersecurity experts.

Collaborate

Powell also adds that every state has cybersecurity assets, such as the National Guard and even cybersecurity centers at universities. And Neuman stresses that elections aren’t the only site for cyberattacks, so costs for cyber defenses and other security upgrades can be spread across not just the election community, but government in general.

Educate Voters

Mis- and disinformation were significantly entwined with cyberattacks in 2020, and states can help counteract misleading information by encouraging voters to rely on trusted sources. The best source? Always the state election official’s website.

There’s always more work to be done on this front, but as Powell emphasized at the end of our webinar, election officials in all 50 states displayed “a level of commitment and professionalism that was remarkable under the most difficult circumstances we will probably face in our lifetime. Everybody took security very seriously. Everybody took elections very seriously.” And “everybody” includes legislators.

Recent Legislative Action

In 2020, four states passed five bills on cybersecurity.

  • Indiana required each county to use a cybersecurity company designated by the secretary of state to investigate cybersecurity attacks and analyze security risks.
  • Louisiana required the secretary of state to establish cybersecurity training for people with access to the state’s voter registration computer system and prohibited election officials from disclosing various types of computer system information.
  • Virginia required its State Board of Elections to identify, assess and address threats to election integrity.
  • Washington enacted new policies to address security breaches of election systems by foreign actors.

While no cybersecurity bills have yet passed in 2021, many are pending and may see further action before session ends. See the table below for more details, and scroll further for additional resources.

2021 Election Cybersecurity Legislation
State Bill Status Summary
Arizona SB 1242 Pending Requires a committee appointed by the secretary of state to conduct a detailed review of election equipment security every two years.
Arizona SB 1616 Pending Prohibits any voting equipment used in a polling place or voting center from having internet access, any accessible port, and any access to data or results. Requires the delivery, use and return of the equipment to be logged on a chain of custody document.
Arizona SB 1638 Pending Requires the secretary of state to revoke the certification for vote recording and vote tabulating machines and devices by the August 2022 primary election unless they are manufactured in the United States and maintain an internal record of every insert and removal of a mass storage device, every software update and connection to the internet and every key stroke or screen touch made.
Arizona HB 2359 Pending Requires that any port, plug, door or other method of physical or electronic access to any voting machine or electronic pollbook shall be secured to prevent any unauthorized access. Requires the county to document and verify security procedures regarding access before any voting machine or electronic pollbook is placed into service for an election.
Arkansas SB 487 Pending Requires counties to certify to the secretary of state that the county has a secure electronic connection sufficient to prevent unauthorized access to the voter registration database and voting equipment.
Georgia HB 326 Pending Prohibits voting devices or systems used in any election from using any form of wireless network cards or wireless technology. Provides for the removal or disabling of such cards or technology before using such devices or systems.
Hawaii HB 853 Pending Provides that no electronic voting system or tabulator shall be used if the tabulators, voter assistance terminals, memory cards and flash drives cannot be securely stored or air-gapped from internet, Wi-Fi and Bluetooth access.
Illinois SB 350 Pending Amends the Freedom of Information Act to exempt from disclosure risk and vulnerability assessments, security measures, schedules, certifications and response polices or plans designed to detect, defend against, prevent or respond to potential cyberattacks on election systems. Also exempts the disclosure of any records that would constitute a risk to the proper administration of elections or voter registration.
Illinois SB 2038 Pending Among other security and chain of custody changes, requires the State Board of Elections to implement software that monitors and detects vulnerabilities to the security of the voter registration rolls.
Illinois HB 1972 Pending Prohibits a voting machine from being connected to the internet while being used to cast votes.
Indiana HB 1288 Pending Among other provisions, provides that a voting system using an automatic tabulating machine may be tabulated only within Indiana and that the results from a voting system must be published to the public before any results are transmitted outside of Indiana.
Kansas HB 2334 Pending Prohibits the networking of electronic voting machines.
Kentucky SB 63 Vetoed by governor Provides that no voting system shall be connected to the internet.
Kentucky SB 244 Pending Provides that no voting system shall be connected to—nor have the ability to be connected to—the internet, a modem or network of any type.
Montana HB 530 Pending Requires the secretary of state to adopt rules—on or before July 2022—defining and governing election security using federal election best practices as recommended by the U.S. Election Assistance Commission and the national institute of standards and technology of the U.S. Department of Commerce.
New York AB 829 Pending Authorizes the State Board of Elections to reject the use of voting machines or systems on that grounds that such machines or systems are not proper, safe or secure.
New York

AB 830

SB 4865

Pending Requires a “.gov” domain name for websites maintained by a board of elections.
Ohio SB 14 Pending Requires the secretary of state to adopt standards for the security and integrity of voter registration systems and that no voter registration system shall be approved by the board of voting systems examiners, certified by the secretary of state or acquired by the secretary of state or a board of elections, unless it meets those standards.
Washington HB 1068 Pending Exempts election security information from public records disclosure.
Washington SB 5382 Pending Requires the secretary of state to contract with individuals for the purposes of a security test of the voter registration system and that such testing must analyze system gaps and other flaws that could allow potential fraudulent or duplicate voter registration to occur.

Legislative Action Bulletin

  • As of March 31, 33 states are in regular session.
  • The South Carolina Senate is in session.
  • New Mexico and Wisconsin are in special session.

With most states now in session and some even nearing the end of their regular sessions, legislatures have continued to focus on election policies. See a list of notable enactments below and visit our Election Legislation Database for more information.

Enacted Election Legislation

Arizona SB 1002 specifies that an absentee ballot envelope must not reveal the voter’s political party affiliation.

Arkansas HB 1112 amends the state’s current voter ID law to require voters casting provisional ballots to show photo ID by noon on the Monday following Election Day. Previously, voters without an ID could cast provisional ballots and sign a sworn statement for their votes to be counted.

California SB 29 extends the state’s temporary adoption of all-mail voting in 2020 through 2021.

Georgia SB 202 makes a number of changes, including requiring ID to request and return absentee ballots, establishing guidelines for ballot drop boxes and giving the State Election Board more power over county election administration.

Illinois HB 3653 requires that the Department of Corrections provide information about voter registration to citizens when they are released and allows the department to participate in the automatic voter registration program.

Iowa SB 413 makes a number of changes, including reducing the early voting period from 29 to 19 days, requiring that absentee ballots be received by the close of polls on Election Day and creating penalties for election officials who willfully fail to perform their duties.

Maine HB 68 allows the processing of absentee ballots to begin seven days before Election Day.

Massachusetts HB 73 extends temporary mail-in voting expansions passed in 2020 through June 2021.

Montana SB 15 requires election officials to provide accessible voting locations for disabled voters during elections conducted primarily by mail.

New York AB 2574 adds the State University of New York as a designated voter registration agency for automatic voter registration.

South Dakota lawmakers enacted SB 102, which allows voters to apply to the secretary of state to protect their voter record from public access under certain conditions, and HB 1125, which prohibits precinct election boards from delaying the counting of ballots except for short recesses for the health and well-being of employees.

Utah lawmakers enacted HB 12, which requires that deceased voters be removed from the voter rolls and that the lieutenant governor enforce these provisions, and HB 70, which creates an online system for voters to track their mail ballots and receive text or email notifications regarding their ballot’s status.

Virginia enacted a number of bills: HB 1968 permits localities to provide absentee voting in person in the office of the general registrar or voter satellite office on Sundays; HB 2125 permits a person who is 16 years of age or older, but who will not be 18 on or before the day of the next general election, to preregister to vote; SB 1097 eliminates the requirement for a witness signature on absentee ballots during states of emergency; and SB 1331 requires the Department of Elections to create a tool to allow voters with a visual impairment or print disability to electronically receive and mark absentee ballots.


From the Chair

This month we spoke to New Hampshire Representative Barbara Griffin (R), who has represented the sixth Hillsborough district since 2014. The district is home to the Uncanoonuc Mountains and adjacent to the urban community of Manchester, though it still retains a strong rural character.

What is it like serving in the New Hampshire House of Representatives?

New Hampshire has the largest House in the U.S. and the smallest Senate. We get paid $100 a year, and a perk might be a license plate with your seat number on it. So when they say that New Hampshire has a volunteer legislature, it’s really true!

Why were you chosen to chair the House Election Law Committee?

The majority party picks the chairs for our 20 standing committees from among our 400 members. This is my fourth term in the legislature, third in the majority and second as chair of the Election Law Committee. This term, I think I was chosen because of my experience and because I know how to run a meeting. Going from in-person to remote meetings required myself and everyone else to develop new skills to ensure people feel they’re being heard. So I think my ability to handle the practical reality of doing business in this day and age was a factor.

What are your top election priorities for 2021?

One of my election priorities this year was to learn how to manage bills with our new virtual platform. Election Law had 50 bills this year—a record for the committee! But our process for handling bills was hampered by virtual meetings, so we chose to retain some of the bills. By retaining them, we can work on them in the second year of the session.

Another priority is addressing voter confidence. It’s been high in the past, but it dropped last year. The House recently passed a bill that will provide a procedure to audit a recount. It’s my hope that bill will get enacted.

I’m also mindful that the federal government is considering H.R.1, which may or may not impact the processes here. Certainly, if anything does happen with it, we’ll have to deal with it—hopefully before our 2022 session is closed.

Our lead article this month is on election security, particularly cybersecurity. How is New Hampshire handling that issue?

In the past, New Hampshire was much castigated and maligned for its failure to jump on the electronic bandwagon for elections. That’s actually been a good thing because we never abandoned paper ballots. We do have machines that count the ballots, but they don’t have an internet connection.

We also do not communicate voting results or tabulations electronically. It’s all done at the polling sites at the end of the night based on the data received directly from the tabulation machines. Then that data is put on a very specific reporting form and given to the secretary of state.

From a cybersecurity standpoint, New Hampshire’s reluctance to jump into the 21st century has really paid off. I don’t see it as a huge issue for us.

What aspect of New Hampshire’s election process makes you proudest?

Our elections are really run by local staff and volunteers. We manage to run over 240 polling places with town clerks and supervisors asking for volunteers from the community who come back year after year.

Even though some of the voting processes have changed, Election Day is still a thing in New Hampshire. It’s a social event, a community event, it’s where you get your Girl Scout cookies and where you run into your neighbor.

I think that’s something New Hampshire can be proud of.

This interview has been edited for length and clarity.


The Bill Information Service

One of the many exclusive benefits NCSL provides to legislators and legislative staff is access to the Bill Information Service. This 50-state+ searchable legislation database contains the full text of every bill in the 50 states, Washington, D.C., and Congress for the current session. With over 1,000 ready-to-use topic searches, the database makes finding bills on any policy area easier than ever. Sign up for the next training session on April 21, or check out the recorded training at your convenience.


Worth Noting

Catch Up On NCSL’s State Policy 101 Series

NCSL’s State Policy 101 educational series is now available to everyone! This series was created for legislators and legislative staff on key, cross-cutting policy issues and features 25 different educational sessions—including two on elections: “How We Vote: In-Person and Absentee/Mail Options” and “Knowing—And Showing—An Election Was Accurate.”

2020 Voter Turnout

A new report, America Goes to the Polls: Policy and Voter Turnout in the 2020 Election, examines voter turnout in the 2020 general election. A collaboration between Nonprofit VOTE and the U.S. Elections Project, this report compares turnout in the 2016 and 2020 presidential elections and finds that turnout in all 50 states increased.

Monthly Dose of Cybersecurity

Denver—NCSL hosted an Elections Cybersecurity webinar with experts from the University of Southern California, Adam Clayton Powell III (a journalist and director of USC’s elections cybersecurity program) and Cliff Neuman (a computer scientist and cybersecurity expert). Watch the recorded event here and be sure to read our lead article on cybersecurity for more details on how states can keep pace with growing cyber threats.

Washington, D.C.—The Department of Justice and the Department of Homeland Security jointly released their key findings and recommendations regarding foreign interference in the 2020 election. The investigations found no evidence that a foreign government manipulated any election results, though some security networks were still compromised.

Washington, D.C.—The Office of the Director of National Intelligence released an unclassified version of the intelligence community’s assessment of foreign influence and interference in the 2020 election. Foreign interference did not alter any election results, though the investigation did find that several countries sought to undermine public confidence in the electoral process and U.S. institutions.

Physical Security Concerns for the Election World

The Office of the Director of National Intelligence also released an assessment by the National Counterterrorism Center, the Federal Bureau of Investigation and the Department of Homeland Security regarding the physical security of government personnel and facilities. The investigation determined that domestic violent extremists are likely to pose heightened security threats to election officials in 2021.

U.S. Postal Service News

The U.S. Postal Service’s Inspector General released a report evaluating its service performance of election and political mail during the 2020 election. From Sept. 1 through Nov. 3, 2020, the Postal Service processed almost 135 million ballots and delivered 93.8% of such mail on time—an increase in timely processing from 2018. USPS also unveiled a 10-year strategic plan to achieve financial sustainability and service excellence by fiscal year 2023. Here’s a two-page glance if you prefer a summary.

TED Talk on Elections

Amber McReynolds, executive director of the National Vote at Home Institute (NVAHI), gave a TED talk on election systems and voting at home. In her talk, McReynolds discusses various options for voting outside the polling place and how such options—according to NVAHI—could bolster accountability, transparency and equity in our election systems.

EAC Announces Clearie Awards

The U.S. Election Assistance Commission (EAC) announced the recipients of the 2020 Clearinghouse Awards, also known as the “Clearie” Awards, for best practices in election administration. Awards were given to recognize election officials in the following categories: improving accessibility for voters with disabilities; recruiting, retaining and training poll workers; innovations in election cybersecurity and technology; innovations in election administration; and most creative and original “I Voted” stickers.


From the NCSL Elections Team

Mark your calendars: NCSL has decided when and where our conference-wide meetings will be this year. NCSL Base Camp, an online event, will take place Aug. 3-5, and the Legislative Summit will be held in Tampa, Fla. Nov. 3-5.

As election legislation continues to make headlines, our team is busy staying up-to-date and providing research and resources to legislators and legislative staff across the nation. If you have questions, comments or anything in-between, please reach out. We want to hear from you.

—Wendy Underhill, Brian Hinkle, Christi Zamarripa and Mandy Zoch

Loading
  • Contact NCSL

  • For more information on this topic, use this form to reach NCSL staff.