The authoritative guide to ensuring science and technology make life on Earth better, not worse.

Interview: Lawrence Norden on US election security

By Dawn Stover | September 5, 2024

Image of US Capitol in Washington, DC, by Pierre Blaché/Pixabay

Interview: Lawrence Norden on US election security

By Dawn Stover | September 5, 2024

The November election could determine more than just the individual races and partisan powers that are at stake. Lawsuits, campaign rhetoric, and disinformation are already challenging the validity of the vote itself. The outcome could have a huge impact on how US elections are conducted in the future.

American attorney Lawrence Norden, best known for his research on voting machines and other election infrastructure, is the senior director of the Elections & Government Program at the Brennan Center for Justice, a nonpartisan law and policy institute based at the New York University School of Law. He leads the Brennan Center’s work to ensure that US election infrastructure is secure and accessible to all eligible voters, and to protect US elections from disinformation and foreign interference.

Norden has testified before Congress and several state legislatures on numerous occasions. He and his colleague Derek Tisler have written about the rising threats that are making US election systems increasingly vulnerable to both foreign and domestic interference, and they have proposed policies to address these threats and secure the 2024 election—as well as the democratic process itself.[1] Norden is the lead author of the book The Machinery of Democracy: Protecting Elections in an Electronic World (Academy Chicago Press, 2006). He was a member of the US Election Assistance Commission’s Board of Advisors from 2019 to 2023.

Bulletin contributing editor Dawn Stover spoke with Norden about the security and integrity of US elections.

(This interview has been edited for brevity and clarity.)

 

Dawn Stover: Is there a conceivable way that a foreign country or other entity could steal a US election or severely compromise it?

Lawrence Norden: The intelligence agencies have been warning for some time that Russia, China, and Iran are attempting to interfere in our election. There are basically three kinds of threats against our elections: cyberthreats, physical threats, and disinformation. I think it would be extremely difficult to change vote totals, but less difficult to undermine confidence in those vote totals, including through a cyberattack but also through information warfare. And then there are the physical threats, which are often coming—not always—domestically. Iran was connected to threats to election officials in the last election. The threatening environment that we’ve seen for election officials has led many to just leave the field entirely. I think we are in a stronger position than ever to defend ourselves, but there’s no question that there’s a real threat to the integrity of our elections from foreign governments—as well as from some domestic actors.

Stover: How does US election security compare with other countries around the world?

Norden: Again, it depends if you’re talking about cybersecurity, physical security, or the information environment. On cybersecurity, the US is extremely secure compared to other nations. We made massive progress over the last decade or so in terms of securing our physical infrastructure. That’s not to say there isn’t room for improvement, but a decade ago a good portion of Americans voted on paperless voting systems. In this election, for about 99 percent of Americans, there will be a paper record of their vote, and most states audit those paper records to make sure the vote totals are accurate.

There has been a huge investment in resiliency. So we saw with the CrowdStrike failure, it had an impact on some voting in Arizona, but election officials were prepared with provisional ballots, with backup paper, to be able to continue voting.[2] None of the voting machines in Arizona were connected to the internet, so they weren’t affected, but things like checking people in and making sure that they could vote during that period were possible because of the resiliency that has been built up over recent years.

Stover: But voters still seem to worry a lot about the hardware and software used in elections, especially because of these security breaches that you mentioned, which seem to be affecting everything from cellphone data to airline flights. How can election officials reassure people that black boxes are trustworthy?

Norden: When it comes to voting machines, I think the best way to reassure them is to note that we have paper ballots for virtually every vote, and that we audit them afterward to make sure that the machines are recording votes accurately. I think part of the problem we have is that most people don’t understand the intricacy of election administration, so they’ll hear about things that aren’t voting machines—like electronic poll books, which are used to check people in, or voter registration databases—and there are occasionally successful attacks against those systems. The main thing for people to know is that there are backups that election officials keep and that they can turn to. And just more generally, election officials have gotten better at sharing information ahead of time.

One of the things about disinformation around elections is it’s generally the same themes over and over again in each election, and people who are looking to undermine confidence in our elections use a news hook about there being some kind of glitch or cyberattack, they use it to fit one of these tropes—whether it’s about voter fraud or voting machine accuracy or mail voter accuracy or electronic poll books. They have a pre-existing story that people have heard before, and they take the newshook and they attach it to that story.

What election officials have gotten much better at is telling the story about how elections work, early, so that people are inoculated: providing tours of their offices, doing videos or writing articles about the security measures that they have in place, and making sure that those stories get out to their voters. That’s critical in pushing back against the fears that people have and that some people are preying on when they’re trying to undermine confidence in our elections.

Stover: It sounds like some of the recommendations that you and others have made—like replacing paperless electronic machines and conducting these post-election audits—have already happened. Are there other important things that still haven’t happened?

Norden: You’re never done when it comes to election security. And the thing to remember about US elections is that it’s very de-centralized. There are around 10,000 election jurisdictions in the United States, and we don’t have uniform rules. Jurisdictions are different, and the rules are different, depending on what state they’re in [and] how many resources they have. We just did a poll of election officials back in May.[3] Ninety-two percent of election officials reported taking steps to increase security since 2020, but the steps they’re taking have varied depending on the jurisdiction and the resources that they’ve had. So a number—the highest number, 56 percent—reported increasing cybersecurity protections for election technology. Updating their polling-place contingency plans was another one that was very high.

A big one that has taken off, but still not as much as it should, is coordinating with law enforcement and community groups ahead of time to create emergency response plans. That’s a critical one, and about 41 percent of election officials reported doing that since 2020. But I would say more of that kind of pre-planning is really critical. And, of course, AI is a new threat.

Stover: I wanted to ask you about that, because AI has spread like wildfire throughout a lot of business sectors. What role might it play in elections?

Norden: There are a number of ways that AI might impact the election. I think what’s gotten a lot of attention is deepfakes with candidates, but in terms of election administration and the way the election is run, the bigger concerns, I think, are misinformation—maybe purporting to be from election officials about our elections, which can happen on social media through the use of AI—and using AI to try to fool election workers, whether through phishing emails or pretending to be somebody that is in the election office or a deepfake phone call, for instance. There’s a lot that election officials can do, and they’ve started to do, to protect themselves from that, like taking control of their online presence—making sure they have their own verified social media accounts and are looking out for fake accounts. And using the “.gov” website, which at this point many election officers do, but not all do. You want to make sure that the public knows where to go to get accurate information.

And with everything, having a coordinated plan is critical if there is false information spreading—whether it’s the result of AI or not—and knowing that there are community leaders who can reach voters. When it comes to thinking about AI, the threats aren’t new, it’s just that they may be more sophisticated, or it may be easier for somebody without many resources to create a misleading video or fake social media accounts.

Election Day, 2020, in Des Moines, Iowa, at the local high school. Image courtesy of Phil Roeder / Wikipedia under Creative Commons Attribution 2.0 Generic License

Stover: What about the machinery itself? Roads and bridges are aging; isn’t voting infrastructure aging, too? What would it take to bring voting machines, registration systems, and other election infrastructure up to date?

Norden: The problem with elections—and I think it’s mostly for the better—is that many of our systems are computerized in a way that they weren’t 30 or 40 years ago. So the voting machines that you’re voting on are computers, registration databases are on computers, and they require regular replacement and upkeep. We’ve had a fair amount of investment in our election infrastructure in the last two years. Congress invested about a billion dollars or a little bit more since 2016. But there’s more that’s needed.

I mentioned that fact that we’ve pretty much moved to replace all the paperless systems in the US, and that’s great, but we need to replace these machines every one to two decades, and the same thing for replacing registration databases. As potential cyberattacks become more sophisticated, you need to add on levels of security. If you have a database that’s 20 or 30 years old, it just becomes extremely slow if you don’t upgrade the system. We’re in the middle of a study, so I don’t have final numbers, but I would say it’s going to be hundreds of millions of dollars of investment that will be needed over the next few years.

Stover: You mentioned earlier that there are around 10,000 separate jurisdictions at the state and local level. Does that suggest trying to have some kind of standardized election system, or is it a good thing to not have all of our eggs in one basket?

Norden: Yeah, I would say both. There’s no question that the decentralized system we have in some ways adds a layer of security, because it’s not like you can go to one place and try to change all the votes. Whereas that might be possible in some other countries where there’s one centralized place that you’re tallying votes, or one kind of machine that you’re using. In the US, it’s not going to be possible to pinpoint that one place to attack, and that’s a security benefit. On the other side, many of our election jurisdictions—because there are so many—are quite small and don’t have [the] resources to protect their infrastructure that we might like to see, and maybe don’t have all of the cybersecurity that we would like to see. I do think creating some kind of floor of security—a minimum standard for any jurisdiction that has voting machines, that has a registration database, that is tallying votes—would be a good thing.

Stover: Are there certain places that are at the greatest risk?

Norden: Well, the smaller jurisdictions have the least resources. So you actually have many election offices where there’s only one person working, and it may not even be their full-time job. They don’t have an IT person on staff, for instance. On the other hand, there are not that many votes there, not that many voters. But it’s often the smaller jurisdictions that may have the most challenges in terms of keeping up to date and making sure that they have all of the protections that are recommended. The creation of the Cybersecurity and Infrastructure Security Agency—and having CISA provide assistance to all jurisdictions of all sizes, if they want it—has been very helpful in bringing up that floor, even for the smallest jurisdictions.

Stover: Is that an agency that Project 2025 is proposing to get rid of? I think you’ve warned that Project 2025 could be a threat to election security.[4]

Norden: Yeah, I’m actually writing something about that now. Their recommendation is to gut the agency and to disperse it among several other agencies. In particular, they have focused on the election security work of the agency, and that’s of great concern to me. CISA has been critical in upgrading election infrastructure security over the past six or seven years.


Portrait of Lawrence Norden, courtesy of Brennan Center for Justice

Stover: Are there any other provisions in Project 2025 that you’re worried about from an election standpoint?

Norden: Yeah. Project 2025 talks about limiting CISA’s role to assessing cyber hygiene, and there’s a lot that CISA does beyond that. Among other things, it does physical security, which is really critical, as we’ve seen attempts at threats to election workers but also attempts to access election equipment, and that’s a cyber threat even if it doesn’t fall within the gambit of cyber-hygiene.

Stover: What is cyber-hygiene?

Norden: I think what they mean by that is basically looking to ensure that there’s multi-factor authentication and other practices that would make it more difficult for somebody to remotely commit a cyberattack against the system. So that is one [concern]: the physical security assessments that CISA does for election officials, which [Project 2025] seems to suggest it would no longer be doing. CISA provides a lot of guidance to election officials. Again, it’s not clear under Project 2025 if they’re suggesting that should be eliminated. And then the other thing that it suggests is that the agency should step back from its work when it gets closer to election time, which is actually the exact opposite of what you want the agency to be doing. It’s exactly when infrastructure might be attacked, and when election officials are going to need the assistance of CISA, not just to track and assess what’s happened but to recover from any type of cyberattack.

Stover: You recently wrote in The Atlantic that government agencies should act fast to warn social media companies about interference in elections, especially now that the Supreme Court has cleared the way for the government to talk to these companies. What would you like the government to be telling tech companies?[5]

Norden: [According to] recent reporting, the kind of briefings and warnings that federal agencies have been giving social media companies about what they’re seeing have been less robust than they were in 2020. So I would like to see a return to the level of detail in reporting to social media companies, of what they’re seeing in terms of foreign efforts to interfere in the election.

And just more generally, making sure that they are communicating to social media companies—and to the public, frankly—the kind of foreign interference efforts they’re seeing. I have taken heart in the fact that [the Office of the Director of National Intelligence] issued a report at the beginning of July on what they’re seeing in terms of foreign interference, and they’ve said that they’re going to release one in the coming days—100 days out of the election—and will be doing so on a regular basis ahead of the election. I think that’s really important.

Stover: The Brennan Center has warned that the coming election is not just about the races that are at stake, but also about the future direction of American democracy itself.[6] What is the threat to democracy?

Norden: I’ll take one example that is very close to home for me, because I do a lot of work with election officials. They have been under threat for the last few years.

I think 38 percent in our last poll said that they’d been threatened, harassed, or abused just for doing their work, and that really is the result of lies that circulate about how elections work and what the job of election officials is. Some election officials have been subject to politically motivated investigations that [district attorneys] or law enforcement brought. [These investigations] were eventually dismissed or rejected by grand juries, but still upended the lives of the election officials, who are among the lowest-paid government workers.

I do worry about that becoming more intense in this election. Project 2025 talks about empowering the Department of Justice to bring actions against election officials for decisions it disagrees with. To me, that’s one of the things I mean when I say democracy is at stake. If we’re going to have threats to elections supercharged and weaponized by our own federal government, that’s extremely dangerous. We need people to stay in their jobs who are committed to being fair, and to not being swayed by politically motivated threats of prosecution.

Stover: If workers who are worried about that have quit, has that left a vacuum into which people who are maybe less fair have moved?

Norden: I think we’ve been pretty lucky so far. I think part of that is, frankly, a response from the public.

Yes, there’s no question that there are cases of people who have been election deniers who have come onto local commissions that oversee boards of elections. But for the most part, the people who have stepped up and replaced outgoing election officials have been people who believe in impartiality, who believe in security and integrity, and in many cases worked in elections themselves. And in 2022, we had a series of very high-stakes elections for secretary of state—the people that are the chief election officials for their states—and in all of the battleground states and pretty much across the country, election deniers lost and the people who were arguing for free and fair elections won.

I am worried, though, that if you have a federal government—a Department of Justice, an FBI—that is weaponized against these folks, that really becomes a lot more challenging.

The good news story of the last few years is that our democratic institutions have proved pretty resilient. There’s great interest, in a way that there hadn’t been in the recent past, in our democracy and in making sure we preserve it.

There’s this committee that I’m on, called the Committee for Safe and Secure Elections, that is mostly made up of law enforcement and election officials working together to think about how to increase security, to be prepared for threats, to make sure that there’s better communication and contingency planning, and those kind of networks didn’t exist a few years ago. I think it speaks to the fact that there are a lot of Americans who really care about protecting our democracy and civil society. They’re not necessarily people in the government who are directly charged with these issues, but they have stepped up—and that gives me a lot of hope.

 

Endnotes
[1]
See “Securing the 2024 Election,” The Brennan Center, https://www.brennancenter.org/our-work/policy-solutions/securing-2024-election

[2] On July 19, 2024, a routine software update from the cybersecurity company CrowdStrike caused a global Microsoft outage that disrupted airlines, banks, hospitals, businesses, and governments. Voter databases in Arizona and several other states were affected. The Republican National Committee and the Arizona Republican Party demanded answers about the closure of some voting centers in Arizona’s Maricopa County on July 19 (early voting in the county began on July 3 and continued to Election Day on July 30). Maricopa County election officials said the outage only affected the voter check-in system for early in-person voting.

[3] See “Election 2024,” The Brennan Center, https://www.brennancenter.org/election-2024

[4] Project 2025 is a detailed plan for consolidating presidential power under Donald Trump and reshaping the federal government to promote right-wing policies. Also known as the 2025 Presidential Transition Project, the initiative is led by two former Trump administration officials and was organized by the Heritage Foundation, a conservative think tank. Project 2025 proposes to place the entire federal bureaucracy under the direct control of the president, who would then dismantle many government agencies and programs, strip job protections from tens of thousands of civil servants, and infuse the federal government with conservative Christian values.

[5] See “The Government Needs to Act Fast to Protect the Election” in the June 28, 2024 issue of The Atlantic, https://www.theatlantic.com/ideas/archive/2024/06/murthy-v-missouri-supreme-court/678829/

[6] See “Election 2024,” The Brennan Center, https://www.brennancenter.org/election-2024

 

Together, we make the world safer.

The Bulletin elevates expert voices above the noise. But as an independent nonprofit organization, our operations depend on the support of readers like you. Help us continue to deliver quality journalism that holds leaders accountable. Your support of our work at any level is important. In return, we promise our coverage will be understandable, influential, vigilant, solution-oriented, and fair-minded. Together we can make a difference.


Get alerts about this thread
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

ALSO IN THIS ISSUE

RELATED POSTS