According to a recent survey of state voting officials in 41 states, two-thirds of states need to replace outdated voting machines but have no money to make that happen by 2020.
There's a Catch-22 when it comes to whether Congress will address the issue of voting security in time for this year's elections.
On the one hand, the threat posed by Russian hackers has brought significant attention to the issue, leading to the introduction of several pieces of bipartisan legislation to boost the nation's cybersecurity.
But some congressional Republicans worry that raising the Russian threat could call into question the legitimacy of President Trump's election, so they don't want to touch it.
That means that, despite repeated warnings from federal intelligence officials that Russian hackers will try early and often to tamper with elections again, state and local election officials will likely be on their own when it comes to finding the money to upgrade their equipment and software.
"I'm really worried we're too late for 2018," says Jamil Jaffer, founder of the National Security Institute at George Mason University Law School.
New reports warn of the problems facing states.
The Center for American Progress (CAP) released a study this week that found most states are deficient when it comes to election security. By CAP's reckoning, no state deserves an A grade. Eleven states received a B, while 17 states got either a D or an F.
"States aren't all secure," says Michael Sozan, a senior fellow at CAP and co-author of the study. "Some states are very far from secure."
Last week, the Brennan Center for Justice at New York University Law School released a survey of 500 election officials in 41 states. It found that two-thirds of them will need to replace voting machines by 2020 but lack the funding to do so.
The red states mark those with decade-old voting machines. The gray states were not included in the survey. (Source: Brennan Center for Justice)
"I don't think Russian hacking is as big a problem as that voting machines are old in most of the country and therefore more likely to break down," says David Kimball, a voting expert at the University of Missouri-St. Louis.
Kimball emphasizes, though, that while there are certainly challenges, the sky is not falling.
State and federal officials are trying to counter the growing narrative that the American voting system is not secure. They fear that the public will not believe in the integrity of the election process -- and perhaps many will not even vote as a result, as at least one poll conducted last year suggested.
After a federal official in charge of cybersecurity told NBC News last week that Russian hackers had "successfully penetrated" voter registration systems in several states, the Department of Homeland Security (DHS) and the National Association of Secretaries of State (NASS) pushed back.
"They were not successful. Our systems held," says Indiana Secretary of State Connie Lawson, the president of NASS.
DHS has said in the past that hackers -- likely Russian -- attacked the systems of 21 states, but they said they only penetrated one state, Illinois, and even there failed to make discernible changes to files.
Lawson also criticizes the Center for American Progress report for failing to acknowledge the steps states have taken to address security concerns.
"I don't know of one state that hasn't taken steps to heighten security on their systems," she says.
Secretaries of state are seeking security clearances to work more closely with DHS, which already has an intergovernmental council on voting in place. Seven states are participating in a pilot program to share information collectively on internet traffic and hacking.
The National Association of Secretaries of State is meeting in Washington, D.C., this weekend. It's clear that cybersecurity will be their top concern. Since voter registration systems are connected to the internet (and actual vote-tallying machines are not), that's generally the greatest point of vulnerability.
There are other problems as well.
Eighteen states do not legally require a post-election audit, according to the CAP study. Audits in 33 states "are unsatisfactory from an election security standpoint," according to the report.
"Without those audits, states really can't know whether their elections were tampered with or vote totals were changed," says Sozan, co-author of that study.
Academic researchers and hackers at last year's DefCon hacking conference showed that voting machines can be penetrated easily, often within minutes. The exercise drew considerable attention, but Lawson emphasizes that the experiment's results wouldn't be replicated in real-world conditions. Most of the machines at the conference weren't certified for use in the U.S., she says, while poll workers would have to be napping for hackers to open them up.
"Voting machines are not connected to the internet," Judd Choate, director of elections for Colorado, said at a Center for American Progress event on Monday. "You would have to be present, hacking in with a screwdriver."
In response to the DefCon exercise, however, Virginia required local officials to switch to paper ballots and electronic scanners, just weeks ahead of elections there last fall.
"We had quite a number of recounts in November, which really would not have been possible if we had not been using those machines," Edgardo Cortés, the former commissioner of elections for Virginia, said at the CAP event.
The seemingly anachronistic technology of paper has become perhaps the top priority for election officials worried about cyberattacks. Last Friday, Pennsylvania Gov. Tom Wolf ordered counties replacing their voting machines to buy ones that can create a paper trail. Last year, Iowa and Rhode Island passed laws requiring election officials to check machine counts against paper ballots.
But states are not always providing funds to counties or other localities to pay for the new machines that are required. Around the country, voting machines date from the flip-phone era and have weaker security software than new smartphones.
"Elections officials increasingly find themselves in a job they never signed up for: information technology managers tasked with protecting some of the most sensitive computer systems in the world," the Los Angeles Times reported Tuesday. "Yet they don't have the defenses of a major retailer such as Target or a financial institution such as Citigroup -- and even those operations are getting breached."
Nearly every state has depleted funding from the $4 billion federal Help America Vote Act of 2002. Pushing down responsibility for election security to the local level, aside from placing a burden on counties, means there are huge disparities between large counties with sizable budgets and smaller jurisdictions that are lucky to get IT help on a part-time basis.
State and local officials are asking Congress for renewed help. Congress has never allocated $396 million to the states that was authorized by the 2002 law. That money would certainly be welcome now.
"Election officials really need to have the federal government's help to fund their systems and machines, and also to make sure that DHS and other entities are as robustly engaged as possible," says Sozan.
Waiting on Congress, however, is often fruitless for states and localities. If there are more serious problems from election hacking this year, state and local officials can't say they weren't warned.
"The good news is that everyone knows they tried it once and they're going to try it again," says Kimball, the voting expert. "Hopefully, that means state and local election officials are being more careful and checking the vulnerability of their voter registration databases. That's the main vulnerability."
This story was originally published by Governing.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.