U.S. intelligence officials and security experts have spent years urging states to shore up their elections’ digital defenses, and the latest indictments from special counsel Robert Mueller drew fresh attention to Russia’s cyberattacks on the 2016 presidential election.

But less than four months before the midterm elections that will shape the rest of Donald Trump’s presidency, most states’ election offices have failed to fix their most glaring security weaknesses, according to a POLITICO survey of all 50 states.


And few states are planning steps that would improve their safeguards before November, even after they receive their shares of the $380 million in election security funding that Congress approved in March.

Only 13 states said they intend to use the federal dollars to buy new voting machines. At least 22 said they have no plans to replace their machines before the election — including all five states that rely solely on paperless electronic voting devices, which cybersecurity experts consider a top vulnerability.

In addition, almost no states conduct robust, statistic-based post-election audits to look for evidence of tampering after the fact. And fewer than one-third of states and territories have requested a key type of security review from the Department of Homeland Security.

Morning Cybersecurity A daily briefing on politics and cybersecurity — weekday mornings, in your inbox. Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Almost none of the 40 states that responded to POLITICO provided full details of how they plan to spend their shares of the money.

The holes in states’ preparedness contrast with the alarming details that Mueller offered Friday about the extent of Russian hackers’ operations in 2016 — as well as Director of National Intelligence Dan Coats’ warning the same day that election systems and the other “digital infrastructure that serves this country is literally under attack.”

States have to take the threat seriously and not just wait for federal help, said Sen. James Lankford (R-Okla.), a member of the Intelligence Committee and one of the chief sponsors of the Secure Elections Act, a bipartisan bill meant to bolster security at the polls.

“It is not the federal government’s responsibility to pay for new machines for you,” he told POLITICO. He added, “Do what is your state’s responsibility to be able to take care of your own elections and make sure they’re secure.”

Lankford said he does not think states are being “apathetic” about implementing security safeguards at the polls. He said they are proceeding with caution given the sensitive nature of elections and closely contested races.

Still, he said the threat is real. “Russia tried to meddle in our 2016 elections — they'll be back in 2018 and 2020,” Lankford tweeted Tuesday.

Election officials in several states say they’re improving security as fast as they can, given realities like available funding.

In South Carolina — one state facing a lawsuit over its electronic voting machines — the State Election Commission is “continuing to work with the General Assembly to obtain funding to replace” these machines, spokeswoman Marci Andino told POLITICO. “South Carolina will be replacing its voting system in coming years.”

On Capitol Hill, both the Senate and House intelligence committees have weighed in on the election hacking issue in their separate Russia investigations, with both panels recommending that voting machines use paper ballots.

Sen. Roy Blunt (R-Mo.), who chairs the Rules Committee that has jurisdiction over federal elections, told POLITICO that “any system that doesn’t provide a paper trail where you could have a recount is troublesome.”

The five states that rely entirely on paperless voting machines are Delaware, Georgia, Louisiana, New Jersey, and South Carolina. In Georgia, lawmakers failed in March to pass a bill to replace the state’s electronic machines by 2024. As in South Carolina, election integrity groups are suing the state over voting security issues.

In a sign of the growing urgency in Congress for states to improve election systems, Sens. Mike Rounds (R-S.D) and Bill Nelson (D-Fla.), leaders of the Senate Armed Services cybersecurity subcommittee, on Tuesday became the latest co-sponsors of the Secure Elections Act.

At least one lawmaker is urging her state’s governor to speed up election security upgrades. In response to a recent House Democratic report that called out Illinois and several states for not doing enough to bolster election security, Rep. Robin Kelly (D-Ill.) said in a letter to Republican Gov. Bruce Rauner that her state’s efforts were “deeply disturbing and cause for great concern.”

Some states said they simply didn’t receive enough money from the federal government to make much of a change in their systems. Indiana, Kansas, Nebraska and Texas told POLITICO the amount of federal funding was not enough to overhaul their vast, statewide election systems.

So far, there’s been no indication hackers have tampered with voting machines or other systems in ways that have changed the outcome of an election. However, the Department of Homeland Security believes that Russians “scanned” all 50 states potentially looking for vulnerabilities in voter registration databases, senior DHS official Christopher Krebs said recently. In last week’s indictment, Mueller’s prosecutors charged Russian agents with hacking an election website in an unidentified state — believed to be Illinois — to steal sensitive information on about 500,000 American voters.

Voter databases are among the most vulnerable elements of the U.S. election system because they are connected to the internet and are often maintained by inadequately staffed or poorly trained IT departments.

Many states told POLITICO that they planned to improve systems besides voting machines, as well as increase cybersecurity training for poll workers and work with private cybersecurity firms.

States have been slow to take advantage of additional federal assistance for elections. DHS offers states help in securing election technology, which the department in early 2017 designated “critical infrastructure” on par with hospitals and power plants. But the department has received requests from only 18 states and territories for risk and vulnerability assessments, Matthew Masterson, a senior cybersecurity adviser at DHS, told the Senate Rules Committee last week.

Separately, the Election Assistance Commission — an agency established after the 2000 presidential election — is overseeing the distribution of the $380 million in federal election security funding. So far, 88 percent of that money has been transferred to the states, the commission announced Monday.

States have “wasted no time in requesting these funds and developing their plans to bolster election security and administration," EAC Chairman Thomas Hicks said in a statement. "Congress intended for these security funds to be extended to the states as quickly as possible to have a significant impact on the 2018 election and beyond.”

The commission plans to release detailed plans from all states next month.

Brianna Milord, Maria Curi and Martin Matishak contributed reporting to this report.

CORRECTION: An earlier version of this report misstated the states that rely entirely on paperless voting machines. They are Delaware, Georgia, Louisiana, New Jersey and South Carolina.