State election officials around the country are woefully unprepared for a cyber disruption around Election Day.

While states have spent years thinking about and planning for other types of crises that can mess with voting — from hurricanes to power blackouts and terrorist attacks — they’ve been slow and ill-staffed to develop contingency plans responsive to a hack attack that would adequately protect their systems in time for the 2016 presidential election.


“They’re waking up to it, but they largely don’t know what questions to ask,” said Jeremy Epstein, a senior computer scientist at the nonprofit research center SRI International and an expert on voting mechanics.

A dozen battleground state officials surveyed by POLITICO insist the voting systems themselves are safe, as nearly all parts of the balloting process take place in a secure, offline environment. But they also repeatedly acknowledged there are limits to what they can control, and they recognize they face legitimate challenges from cyber intrusions to the myriad adjacent parts that go into an election, including online registration records and publicizing vote tallies.

While any manipulation of a state’s official election results is seen as unlikely, there’s little denying that an Internet disruption or hack could cause significant confusion and chaos on Election Day, a dark conclusion to an ugly election plagued by accusations of Russian cyber espionage and evidence-less allegations of vote tampering and rigging.

Just last week, hackers temporarily froze a sizable chunk of the internet, a worst-case scenario that would cause serious problems around the country if duplicated on Nov. 8 — the day more than 100 million Americans are going to the polls.

A major cyberattack would leave the states on their heels as they sign in registered voters, and it would impede their work later in the day as they try to report results. Then there are the effects of an internet shutdown on voters themselves, who in many instances would be left without an integral way to look up their polling places, do last-minute research on candidates or simply track which candidate is winning.

“Certainly if Internet access in the state is down totally that’s a pretty substantial issue,” said Edgardo Cortes, the commissioner of the Virginia Department of Elections, which earlier this month had to deal with its online voter registration system crashing just ahead of a key deadline.

“If something like that happens, how we react to it is going to have a lot to do with the public and press having confidence” in the election, added Georgia Secretary of State Brian Kemp.

Kemp, a Republican, said he has been printing out news reports to study last Friday’s DDoS attack. That strike led to disrupted service across large parts of the country on about 80 major websites, including Twitter, Spotify and The New York Times. While declining to discuss many of the details behind Georgia’s contingency planning, Kemp explained that he’ll have his state police on standby and he could get additional resources if the governor was forced to declare an emergency. He also said he’ll be reaching out to state and local officials to make sure they’ve thought through the full breadth of what could happen in a cyberattack.

“I’m going to double check this morning for the third time in the last three weeks to ensure there’s nothing else we need to do,” he said.

Federal, state and local officials have had practice dealing with the unexpected, though to this point there’s been little of substance to test them on the cyber front right around a general election. New York had to postpone a primary that was scheduled to take place the same day as the Sept. 11, 2001 terrorist attacks, and Hurricane Sandy in 2012 required the relocation of more than 250 polling places in New York and New Jersey and an extension on the deadlines for requesting and receiving absentee ballots.

But a post-Sandy assessment of contingency planning — convened by the National Association of Secretaries of State — didn’t broach the threats from a cyberattack, and many state officials involved in the 2016 election said they’ll be tested in the moment if they face a significant attempt to mess with their systems.

“At that point, we’d go to the law books,” said Arizona Secretary of State Michele Reagan, whose state was forced to shutter its voter registration system for a week earlier this year after being targeted by suspected Russian hackers.

In Utah, Lt. Gov. Spencer Cox said in an interview he would have “wiggle room” to bring in the state legislature for a special session if an emergency comes up on the cyber front that he’s not equipped to handle under current law.

“We’d need 24 hours, but we could do it very quickly,” he said.

Federal agencies have also been scrambling since the summer to help state and local officials prepare emergency plans for the 2016 election, including via an added emphasis on cyber risks. Breaches earlier this summer to the voter registration databases in Illinois and Arizona prompted the FBI to issue a nationwide alert to the other states. The Homeland Security Department has also gotten requests from 42 states seeking help shoring up their cyber hygiene practices and assessing their online vulnerabilities.

The Election Assistance Commission, an independent agency created in the wake of the 2000 presidential election debacle, has also been providing state and local officials with reminders relevant to a computer hack, including collecting emergency contact information ahead of time for major media outlets, election staff, utility companies, maintenance workers, polling place site owners and the attorneys and judges who would be needed in a pinch for court orders to extend voting hours or for other emergency moves.

Thomas Hicks, the EAC commissioner, said in an interview he’s urging the states to reexamine their own policies to take into account how prepped they are for newer risks like cyberattacks. “Things we looked at 20 years ago in terms of threats are not the same as the threats are for today,” he said.

Many of the states contacted by POLITICO explained that their primary focus when planning for election chaos had involved natural disasters, blackouts and, since 2001, the threat of domestic terrorist attacks. But they have also begun adapting their contingency plans to take into account disruptions to the internet, including losing power and telephone services. That’s meant stocking up on back-up paper ballots if their computerized machines break down. They have provisional ballots in case registration lists have been tampered with. And they’re making paper printouts of the key information they’ll need about polling place locations and post-election audit procedures.

“The worst case scenario is making everyone register again,” said Matthew Dunlap, the Democratic secretary of State in Maine. “We could do it. It’d be an enormous undertaking. That’s how fail safe our system is that you can’t shut down our election.”

If some kind of outside event did force a change in the voting process, Dunlap said state and local officials would have to act fast in launching a public awareness campaign. “Like what happens if there’s a tsunami,” he said.

Several state officials said they’ve made recent adjustments to their policies to take into account some of the lessons learned from Sandy in 2012. In many states, that’s led to changes to the law so emergency workers can now cast absentee or online ballots if they’re put into service on Election Day and miss out on a chance to vote in person. They’re also requesting IT staff be on call from other state agencies. And in the event that registration rolls have been tampered with, voters will be required to sign affidavits when filling out provisional ballots. It’ll be time-consuming, and could lead to longer waits, but the aim is to let voters participate so long as they’re in the line by a pre-established deadline.

“If a line builds up we don’t turn anyone away,” said Iowa Secretary of State Paul Pate.

Pate, a Republican, said Iowa officials had a chance to test their backup systems recently after a phone outage at the capitol complex in Des Moines. He also said the state won’t post election results online until around 9 p.m. local time on Election Day, and it would make adjustments if the state faced any significant problems accessing the internet.

“If we sense something is going on like that, we’ll turn our system off,” Pate said.

Like many other state officials, Pate maintained that his election system was safe from being hacked because most parts of the balloting process were not connected to the internet.

But many computer scientists say that fails to account for the many parts of the election process that do remain susceptible to cyberattack.

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said the states face an inevitable challenge because they don’t have anywhere close to the budget or personnel expertise to deal with the many threats they face. “It’s interesting to hear state officials say that it is” safe from a cyberattack, he said. “It kind of shows how unqualified they are for their positions in the digital age.”