By Christopher Krebs / Special to The Washington Post
On Nov. 17, I was dismissed as director of the Cybersecurity and Infrastructure Security Agency, a Senate-confirmed post, in a tweet from President Trump after my team and other election security experts rebutted claims of hacking in the 2020 election. On Monday, a lawyer for the president’s campaign plainly stated that I should be executed. I am not going to be intimidated by these threats from telling the truth to the American people.
Three years ago, I left a comfortable private-sector job to join, in the spirit of public service, the Department of Homeland Security. At the time, the national security community was reeling from the fallout of the brazen Russian interference in the 2016 presidential election. I wanted to help.
Across the nation’s security agencies, there was universal acknowledgment that such foreign election interference could not be allowed to happen again. The mission was clear: Defend democracy and protect U.S. elections from threats foreign and domestic.
With the advantage of time to prepare for the 2020 election, we got to work. My team at the Cybersecurity and Infrastructure Security Agency, or CISA, had primary responsibility for working with state and local election officials and the private sector to secure their election infrastructure — including the machines, equipment and systems supporting elections — from hacking. (Other agencies handle fraud or other criminal election-related activity.) The Russian assault in 2016 had not included hacking of voting machines, but we couldn’t be sure that Moscow or some other bad actor wouldn’t try it in 2020.
States are constitutionally responsible for conducting the nation’s elections. At CISA, we were there to help them do it securely. Our first job was to improve CISA’s relationships with state and local officials, building trust where there was none. We also worked closely with representatives from across the election-security community, public and private, in groups called coordinating councils. A key development was the establishment of the Elections Infrastructure Information Sharing and Analysis Center to share security-related information with people who can act on it for defensive purposes. By the 2018 midterm elections, all 50 states and thousands of jurisdictions had joined the center.
We offered a range of cybersecurity services, such as scanning systems for vulnerable software or equipment, and conducting penetration tests on networks. Election officials across the country responded by markedly improving cybersecurity, including upgrading to more modern systems, hardening user accounts through additional log-on measures and being quicker to share suspicious-event information.
But there was a critical weak spot. Voting machines known as Direct Recording Electronic machines, or DREs, do not generate paper records for individual votes. And paper ballots are essential pieces of evidence for checking a count’s accuracy. With DREs, the vote is recorded on the machine and combined with voting data from other machines during the tabulation process. If those machines were compromised, state officials would not have the benefit of back-up paper ballots to conduct an audit.
In 2016, five states used DREs statewide, including Georgia and Pennsylvania, with a handful of others using DREs in multiple jurisdictions. Fortunately, by 2020, Louisiana was the last one with statewide DRE usage. Congress provided grant funding in 2018, 2019 and 2020 to states to help them retire the paperless machines and roll out auditable systems. As the 2020 election season began, Delaware, Georgia, Pennsylvania and South Carolina all swapped over to paper-based systems. Then the emergence of the pandemic prompted a nationwide surge toward the use of voting by mail.
The combined efforts over the past three years moved the total number of expected votes cast with a paper ballot above 90 percent, including the traditional battleground states. While I no longer regularly speak to election officials, my understanding is that in the 2020 results no significant discrepancies attributed to manipulation have been discovered in the post-election canvassing, audit and recount processes.
This point cannot be emphasized enough: The secretaries of state in Georgia, Michigan, Arizona, Nevada and Pennsylvania, as well officials in Wisconsin, all worked overtime to ensure there was a paper trail that could be audited or recounted by hand, independent of any allegedly hacked software or hardware.
That’s why Americans’ confidence in the security of the 2020 election is entirely justified. Paper ballots and post-election checks ensured the accuracy of the count. Consider Georgia: The state conducted a full hand recount of the presidential election, a first of its kind, and the outcome of the manual count was consistent with the computer-based count. Clearly, the Georgia count was not manipulated, resoundingly debunking claims by the president and his allies about the involvement of CIA supercomputers, malicious software programs or corporate rigging aided by long-gone foreign dictators.
The 2020 election was the most secure in U.S. history. This success should be celebrated by all Americans, not undermined in the service of a profoundly un-American goal.
Christopher Krebs is the former director of the Cybersecurity and Infrastructure Security Agency.