The 2018 Midterms Weren’t Hacked. What Does That Mean For 2020?

Leading up to Nov. 6, 2018, anyone with a stake in American democracy was holding their breath.

After a Russian effort leading up to 2016 to sow chaos and polarization, and to degrade confidence in American institutions, what sort of widespread cyberattack awaited the voting system in the first national election since?

None, it seems.

High turnout overwhelmed election administrators, causing some voters to wait hours to cast ballots. Florida maintained its reputation as a state that's been working out the kinks in its voting system for nearly two decades. And a congressional race in North Carolina is still up in the air as the state's Board of Elections investigates alleged election fraud by a political operative.

But an operation like the one Russia waged two years ago?

"We didn't see any coordinated effort or targeting that interrupted the elections process," said Matt Masterson, a senior cybersecurity adviser at the Department of Homeland Security. "[Nothing] that prevented folks from voting or compromised election systems in any way ... certainly nowhere close to what we saw in 2016."

Experts say that is not because U.S. election systems are hardened in a way that prevents such attacks.

Despite security improvements over the past two years and a newfound awareness of the threat, voting in America remains vulnerable. And it remains unclear whether lawmakers will allocate adequate resources soon enough to shore it up before a presidential election that is just 23 months away.

The issues that remain

J. Alex Halderman, a professor of computer science and engineering at the University of Michigan, has been among the most vocal critics of the cybersecurity of U.S. elections.

Halderman went to Capitol Hill earlier this year to demonstrate for lawmakers how an electronic voting machine could be manipulated, and he told NPR in February that without immense improvements, U.S. elections would be attacked again "and it's going to make 2016 look quaint by comparison."

"There are still so many gaps in our systems that sophisticated adversaries, including Russia, have the technical ability to do massive damage," Halderman said in an interview this week. "They just didn't [this year]."

A number of worrying election-related issues did arise in 2018, notably around political rhetoric that seized on fears about widespread election fraud and suppression, which may yet degrade the confidence of American voters.

But that's a domestic problem, and not the one election officials and lawmakers have been focused on for the past two years.

Initial data from a pair of polls seem to indicate that the public's fears specifically about election hacking decreased after November's election went by without a major cybersecurity incident.

Don't see the graphic above? Click here

In October, before the election, 55 percent of Americans thought the U.S. election system was not secure enough from hacking, according to a Pew Research Center survey of more than 10,000 adults. After the election, just 35 percent of Americans thought the same thing.

"There's some risk that people will look at 2018 and say, 'Well, nothing happened; that means we're OK,' " Halderman said. "Unfortunately, that's not the case."

Where this really matters is in state legislatures and in the halls of Congress.

Election infrastructure is undoubtedly more secure than it was two years ago, and the Department of Homeland Security is better positioned to detect threats than it was then as well.

A constant drumbeat of stories about the vulnerabilities in the election system after the 2016 election led Congress to allocate $380 million earlier this year toward improving election security across the country.

But while that money meant better protections for voter registration databases in some places, and more cybersecurity personnel in others, it wasn't nearly enough to address the most glaring vulnerability when it comes to voting: the lack of paper ballots for millions of voters.

This year, voters in more than a dozen states used electronic machines that do not produce a paper trail, including five states that exclusively use such equipment. Experts say there is no truly foolproof way to detect a cyberattack that changes votes on electronic voting machines that don't produce paper records.

For Halderman, it all comes back to the need for voting equipment to be updated.

"In 2018, we also saw issues with equipment failing and breaking down — this is largely attributable to how out of date much of the voting machinery is," Halderman said. "Forty-one states use equipment that is more than a decade old."

If funding is coming to update those election systems, however, it needs to come soon.

Election officials say election off years, like 2019, are the time when they can make meaningful changes, with enough time to install and prepare before a high-profile test like a presidential election.

The problem is, it's easier to lobby for the funding of those changes when the spotlight is on the voting system right before an election, or right after a major malfunction.

Outgoing Colorado Secretary of State Wayne Williams referenced the Pearl Harbor attack that brought the U.S. into World War II, and the action it spurred from the American military, when asked how timing changes an election official's ability to make the case for more resources.

"It's easier to sell defense spending on Dec. 8, 1941, than it was on Dec. 6," said Williams. "But we as election officials have to make the case for why it's important to act before a breach occurs."

Williams said Congress already allocated money this year to help the cause, so the responsibility now falls on state governments to improve their individual systems.

Voting experts say a successful funding model for elections should involve continual annual investments and not one-time infusions of money as was seen with the Help America Vote Act after the 2000 election.

"Cybersecurity is not something where you can just check the box and say you're done," Williams said.

Copyright 2018 NPR. To see more, visit