In the 2020 U.S. presidential election, successful cybersecurity attacks on voting machines and election management systems are less likely than successful hacks of voter databases.

Leading indicators

  • States and local governments, with technical and funding assistance from the federal government, have made significant progress since 2016 in protecting electronic voting infrastructure.
  • The most visible progress has been the replacement of older electronic voting machines with optical reader machines.  These have the quick tallying and reporting accuracy of electronic voting machines, with the added reliability of a real record of the votes on a paper ballot. The paper ballots can be used even if voting machines are out of action or compromised in some way.

Trends

In the 2016 presidential election, there were no successful hacks of voting machines or election management systems for tallying and reporting results.  In 2020 that infrastructure is even more secure.  However, hackers with ties to Russia and cybercriminals did gain access to voter databases in some counties, but they did not alter voter data.  The evidence of vulnerability of voter databases may tempt foreign actors and cybercriminals to go even further in 2020 – not only gaining access, but perhaps locking down voter databases with ransomware.

Ransomware attacks in the days just prior to the election could prevent the distribution of voter rolls at polling places. Without the voter rolls, election judges would not be able to verify registered voters.  Thousands and maybe millions of people in affected localities would have to use provisional ballots.  If the ballots run out, they may even not be able to vote at all.  Counting provisional ballots would have to wait until voter databases could be restored.  The overall effect could undermine public confidence in the validity of the election results.

Recommendations

In addition to assuring effective security of voting machines and voter registration records, state and local election boards should prepare contingency plans in the event of a cyber attack.  These plans should include backups of voter rolls on paper and laptops, availability of paper ballots, and the ability to rapidly staff up with qualified individuals to hand count paper ballots.