Mitch McConnell is Making the 2020 Election Open Season for Hackers
On May 21st, four commissioners who compose the U.S. Election Assistance Commission (E.A.C.) were asked to attest, in Congress, that they agreed with the findings of the special counsel Robert Mueller that Russia interfered in the 2016 U.S. election. It was a strange and oddly suspenseful moment in what might have been a routine oversight hearing of the House Administration Committee.
The E.A.C. is a small, relatively obscure agency, established by the Help America Vote Act of 2002 (H.A.V.A.), an election-modernization bill that was passed in response to the disastrous failure of voting equipment during the 2000 Presidential election. H.A.V.A. allocated over three billion dollars to the states to upgrade their election systems and authorized the E.A.C. to distribute it. The E.A.C. was also mandated to advise election officials and oversee the testing and certification of voting and vote-tabulation machines. Seventeen months away from the next Presidential election, it could be leading the charge against future cyberattacks. It is not.
“I want everyone to know that, in my view, what happened in 2016 will make what happens in 2020 look like small potatoes,” Senator Ron Wyden, the Oregon Democrat who sits on the Intelligence Committee, told me. “It’s not just the Russians. There are hostile foreign actors who are messing with two hundred years’ worth of really precious history.” Wyden recently reintroduced the PAVE Act, a wish list of election-security provisions that failed to get through the Senate last year. The measure includes the use of hand-marked paper ballots and a prohibition on wireless modems and other kinds of Internet connectivity, all of which have been advocated by computer scientists and other election experts for years.
But with the Senate Majority Leader, Mitch McConnell, making it clear that he will not advance any election-security legislation, the PAVE Act, and also other election-security bills, many of which have bipartisan support, will languish. McConnell has made 2020 open season for hackers aiming to undermine our election system. The E.A.C. has made this easier, by displaying not only intransigence and institutional weaknesses but also a willful disregard of the threats facing our elections.
Inadvertently, perhaps, H.A.V.A. made the E.A.C. the closest thing this country has to a national election authority. (The Federal Election Commission regulates campaign finance.) But American elections are not run by the federal government. They are run by the states, and, within the states, by counties and townships. This quirk of history—elections predate the establishment of the United States—has resulted in more than ten thousand autonomous election districts spread out across the country. If the election officials that administer these share one practice, it’s making sure that the agents of Washington keep their distance. As Lawrence Norden, the deputy director of the Democracy Program at the Brennan Center for Justice, testified in Congress recently, “There are more federal regulations for ballpoint pens and magic markers than there are for voting systems and other parts of our federal election infrastructure.” The E.A.C. can suggest best practices, but election officials are free to ignore them. It can certify election machines, but election officials are not obligated to use them. (At the end of 2018, twenty states, plus the District of Columbia, required testing to federal standards, fifteen states required federal certification, and two states required testing by an E.A.C.-accredited lab.)
Almost from its inception, the E.A.C. was controversial. The National Association of Secretaries of State (NASS), beginning in 2005, passed resolution after resolution requesting that Congress cut off its funding. (In most states, the secretary of state is the chief election official.) Republicans in the House of Representatives have introduced legislation to shut it down every other year since 2011. After Russian state agents hacked state-election systems in 2016, the G.O.P. made shuttering the E.A.C. again a priority. In 2017, a bill to terminate the commission was the first piece of legislation passed by the Republican-controlled House Administration Committee. (The first piece of legislation passed in 2019 by the newly Democratic-controlled House, HR1, contains various election-security-strengthening reforms.) In the Senate, Republicans figured out a different way to undermine the E.A.C.: they simply refused to confirm commissioners. Over time, Congress cut the E.A.C.’s budget by more than half—last year it was just over ten million dollars.
This year, for the first time in a decade, the E.A.C. has a full complement of commissioners—two Democrats and two Republicans, as H.A.V.A. mandates. The idea was to mute partisanship with bipartisanship. It hasn’t worked.
In January, 2017, one of the Republican commissioners, Christy McCormick, issued a public statement, on E.A.C. letterhead, dismissing the Russian hacking “narrative,” calling it “deceptive propaganda” and accusing the Obama Administration of playing “partisan politics” when it designated election systems as critical infrastructure. McCormick became the E.A.C. chair one year after the Wisconsin Republican Paul Ryan, then the Speaker of the House, did not reappoint her Republican colleague, Matt Masterson, who was the sole commissioner with an interest in cyber defense. At the same time, the agency’s executive director, Brian Newby, who famously refused to allow E.A.C. communications personnel to use the Associated Press style manual because it was too “liberal,” was accused, by members of his staff, of preventing them from attending cybersecurity meetings.
Newby, who came to the commission in 2015, after serving as the election director of Johnson County, Kansas, is a protégé of the former Kansas Secretary of State Kris Kobach. Among Newby’s first acts as director was to approve of one of Kobach’s signature voter-suppression tactics—allowing Alabama, Georgia, and Kansas to require documentary proof of citizenship on the federal voter registration form, even though the E.A.C. had rejected similar requests from states multiple times before. As Newby—and Kobach—knew, without documentary evidence, applicants would be denied the right to vote. The League of Women Voters, represented by the Brennan Center, sued. There is currently a temporary injunction preventing Newby from permitting the requirement, but the case remains unresolved.
The controversy surrounding Newby grew a few months after he took over the E.A.C. A Johnson County audit uncovered that he had made nearly forty thousand dollars of questionable purchases (Google glasses, numerous tablets, other electronics), which he charged on the credit card of a subordinate with whom he was having an affair. During the House Administration Committee hearing, Representative Marcia Fudge made a not-so-veiled reference to Newby’s malfeasance when she asked McCormick, “If you had an employee who, in his recent history, at an executive level, had misused and mismanaged public funds, who had abused his authority, who had engaged in an inappropriate relationship with a subordinate, who displayed lewd behavior in the workplace, what would you do with that employee?” “We had an employee who misused federal funds,” McCormick told her, and “that employee was retained.” So was Newby.
Even before Newby joined the E.A.C., some of its commissioners were rejecting widely supported reforms, such as the recommendation that local election officials replace touch-screen voting machines and use auditable paper ballots. Their resistance, according to Susan Greenhalgh, the policy director of the nonpartisan National Election Defense Coalition, stems from the fact that the E.A.C. has been “on the brink of extinction for so long” that it strives to avoid alienating local election officials. “The E.A.C. works hard to maintain the good will of election officials so the officials will support E.A.C.’s existence and funding to their congressional members,” Greenhalgh told me. “Because of this, E.A.C. avoids taking positions on election security which may be unwelcome or unpopular among some election administrators.”
The commission also has a close relationship with election-machine venders, who also resist change. One former commissioner has gone to work for a vender, one current commissioner has taken gifts from venders, a former director works for a vender, and, just last month, the E.A.C. hired the director of testing and certification of a major election-machine company to oversee the testing and certification of equipment made by her former employer and its competitors.
The E.A.C. is not testing election machines to insure they are safe from hacking. Its current testing standards, which were developed in 2005, do not include cybersecurity measures, and they do not prohibit Internet connectivity. They also do not extend to voter-registration databases or electronic poll books, both of which proved vulnerable in the 2016 election. The Washington Post and Politico both recently reported that that election vender, VR Systems, remotely accessed the central election computer in Durham County, North Carolina, the night before the 2016 election, as the company tried to determine why their electronic poll books were malfunctioning. VR Systems, as the Mueller report and a leaked N.S.A. document revealed, had been hacked by the Russians. The vender’s remote software was an ideal conduit for further interference.
Chris Vickery, the director of cyber-risk research at UpGuard, told me that remote access “can be activated by bad guys very easily.” In September 2018, Vickery discovered that a publicly accessible bucket of North Carolina State Board of Elections files were sitting in the Amazon Web Services cloud. “Someone would have had to actively change the permissions to make it public,” he said. But because those files included log-in passwords to voter-registration database, they could have been used by someone to enter the system remotely. Nearly three years after the 2016 election, the D.H.S. is finally conducting a forensic examination of the Durham computer system.
In 2005, when the commission passed the first iteration of its voluntary voting-system guidelines—the VVSG 1.0—few voter-registration databases were online, and e-poll books were just being introduced. Smartphones and ubiquitous wireless Internet did not exist, and persistent cyberattacks were not a threat. The dated standards have not evolved in the last fifteen years because of resistance within the commission and partisan politics outside of it. The relationship between the testing labs and the venders, who pay them to approve their products, also thwarts change. “When the vender goes to the lab and says, ‘We’ve got a system we want you to test; here’s the money,’ they’re paying them to test to the 2005 requirements, not anything else,” a source close to the process, who asked not to be named, told me. “I’m not faulting the labs, but they say, ‘We’re not being paid to offer an opinion; we’re being paid to say whether these systems pass these requirements or not.’ ”
In the past few years, subsequent efforts to update the guidelines have been stymied, either by the commissioners’ inability to come to an agreement or because there was not a quorum of commissioners to vote on new standards. The latest incarnation, the VVSG 2.0, a five-page statement of general principles that have been held up by Newby for the past two years, was finally voted on by the commissioners in February, and then it went out for public comment. The comment period was supposed to end on May 29th—the same day that Mueller resigned from office with a warning about interference in 2020—but, one week prior, the E.A.C., without notice, disabled its public-comment e-mail address.
The E.A.C. eventually tweeted an alternate, limited way to comment on the eve of the Memorial Day weekend. The commission’s explanation for taking down its comment site was that there was a sudden deluge of comments, which suggested that the agency was being spammed by bots. It was not. Public-interest groups said that fifty thousand people submitted comments after organizations pointed out that the new guidelines did not prohibit wireless technology or connections to telecommunications networks.
It’s not yet known what—if any—amendments will be made to the general principles as a result of the comments. In a change in policy, Newby required commissioners to vote on the guidelines before they went out for comment. It is also unclear how much the commissioners will take into consideration the findings of public working groups—comprising venders, advocates, and other stakeholders—that are currently debating how to enact the principles, or if the working groups themselves will be able to come to an agreement on crucial election-security measures such as Internet connectivity, wireless modems, barcode voting, and ballot secrecy. Even if they do find common ground, ultimately, the E.A.C. itself will have the final say. The earliest when we can expect to see election machines built to new standards—whatever they turn out to be—is 2024.