Local governments are a weak link in America’s defense against hackers targeting U.S. election systems, but Ohio’s top election official is trying to change that—and the Republican’s aggressive approach could set a new standard for securing the voting process.
In a series of directives to county election administrators over the past four years, Ohio Secretary of State Frank LaRose has ordered sweeping improvements to the cyber and physical security of election offices, personnel and equipment. LaRose has gone further than any of his colleagues around the country in imposing mandates on local-election officials.
States have traditionally let counties set their own election-security rules. But with U.S. intelligence officials warning that hackers working for Russia, Iran and other governments remain intent on interfering in American elections, LaRose’s assertive approach in Ohio—which has earned plaudits from national experts—could eventually become the norm in other states.
“Ohio is definitely at the forefront of states that have recognized the need for statewide leadership on uniform security practices,” said Lawrence Norden, senior director of the Elections and Government Program at New York University’s Brennan Center for Justice.
Despite some financial and logistical challenges, LaRose’s directives have significantly improved Ohio counties’ ability to protect elections—by hardening their websites against disruption and better preparing their offices for emergencies, among other things—increasing the chances that other states will require their counties to adopt similar defenses.
“Ohio sets a good example in being proactive about uniformity, in making counties aware of available resources, and in raising standards in a constantly-changing threat environment,” said Eddie Perez, a board member at the OSET Institute, a nonpartisan group that advocates for safer election technology.
The overlooked security gap
Counties, which run elections in most U.S. states, are top targets for hackers because they often lack dedicated cyber funding and expertise. County clerks have many responsibilities besides elections, and they can usually only count on a handful of dedicated election staffers to help them deal with everything from setting up voting machines to election results reporting. The problem is even more acute in states where individual cities and towns run their own elections.
Cybersecurity experts routinely urge more attention to election security at the county level, but questions of local autonomy and resistance to top-down mandates often discourage state governments from issuing strict requirements. Instead, for years, states have mostly left counties to fend for themselves.
That’s changing now, though, with Ohio taking the lead thanks to LaRose. “Across the country, there has been growing awareness that security needs far outstrip the resources that many localities have,” Norden said, “and that it’s critical states get involved by setting minimum standards and providing more support.”
Election officials recognize that “any state is only going to be as secure as it’s weakest link, so it’s important to have these standards,” Norden added.
Comprehensive protections
The rules for Ohio counties have helped elevate LaRose’s national profile among his fellow secretaries of state, most of whom are their states’ chief election officials. LaRose, now in his second term as secretary of state, previously served in the Ohio State Senate for eight years, embracing conservative positions on issues like union rights and abortion but also spearheading election modernization efforts related to polling-place equipment and campaign finance reports. He is a U.S. Army veteran who served with the Special Forces and earned a Bronze Star. (His spokeswoman said he was unable for an interview recently because he was on Army Reserve duty.)
The new directive from LaRose to Ohio counties and its three predecessors—issued in June 2019, July 2020, June 2022—require local election officials to take a wide range of vital steps, including signing up for free assessments from the federal Cybersecurity and Infrastructure Security Agency (CISA), enrolling in free monitoring services provided by the state government, training staff on physical security procedures and enabling key security features on election websites and email systems.
“Ohio’s comprehensive list of requirements is solid,” Perez said.
When the basic cyber hygiene mandates debuted in the 2019 directive, “it was challenging” to implement them, said Sherry Poland, the director of the board of elections in Hamilton County, Ohio. But doing so prepared officials for the chaotic 2020 election that followed, she said, by testing their ability to respond to emergencies and arming them with the information necessary to debunk conspiracy theories about election security.
“Once we entered 2020,” Poland said, “we were very grateful that we had sort of tightened our belt on security.”
Norden said LaRose’s initial mandate “put Ohio in a very strong position to adopt to new challenges going forward”—such as evolutions in the sophistication of misinformation fueled by artificial intelligence—“without having to worry whether the basics were covered.”
Ohio’s requirement that counties use CISA’s free services, which include phishing tests and vulnerability scans, introduced many local officials to those offerings for the first time, according to Poland. “A lot of counties were unaware that these services were available to them.”
Norden found something similar when the Brennan Center surveyed local officials nationwide. But after they used the services, counties implemented some of CISA’s recommended fixes. “Requiring participation will bring results,” Norden said.
One of the most notable provisions requires counties to include cybersecurity language in their contracts with voting equipment providers. Counties have historically had trouble overseeing the security of equipment provided by the small handful of companies that making voting technology, because they lack personnel who can scrutinize the companies’ practices. Yet these vendors’ products present significant risks to the counties using them if they’re left exposed to hackers.
“It’s absolutely incredible that there are still really not national security standards” for these vendors, Norden said, but Ohio’s approach “could get us part way there.”
Perez, a former director of product management for the election vendor Hart InterCivic, said “more states and counties should recognize that contractual obligations are a strong way to lead vendors” toward improved security.
The devil’s in the details
With their sweeping scope of cyber and physical security protections, LaRose’s directives offer a template that other states can use to oversee their own counties’ election security — as long as they’re prepared to deal with a myriad of potential challenges.
The biggest? “Money, money, and money,” Norden said. “Election offices are strained.” The vast majority of surveyed offices told the Brennan Center that “they need more money to meet basic election administration and security needs over the next several years,” he said.
LaRose’s team is offering counties $10,000 each to continue implementing the requirements, on top of the $50,000, $40,000 and $10,000 grants provided with the first three directives.
Other requirements could also present problems. Getting detailed information from vendors about how they maintain their products over time won’t be easy, Perez said. Regular backups and security reviews of new software could strain smaller counties to the breaking point—as could Ohio’s rule that counties must patch critical software vulnerabilities within 15 days.
But there are several ways for Ohio and other states considering similar mandates to smooth out any hiccups.
Perez recommend that LaRose deploy election security “navigators” who can walk counties through the steps and serve as easy points of contact with the state.
Kim Wyman, who served as Washington State’s secretary of state from 2013 to 2021, said she found it easy to get counties to follow her instructions “because we focused on having a strong partnership with them,” including through regular training sessions that explained the importance of what she was requiring.
A national model, with caveats
With election security entering its eighth year of national prominence, other states are doubtless eyeing Ohio’s county mandates and considering copying them. But while Ohio’s directives should inspire other states to focus on the same defensive measures, experts said, mandating them might not be the right approach everywhere.
“I do not believe states mandating security requirements is a workable solution for every state,” said Wyman, now a senior elections fellow at the Bipartisan Policy Center. “Local autonomy varies widely by state.”
Ohio has a long tradition of mandates from the secretary of state, Norden said. (The office handles many tasks besides elections, including corporate registration.) Other states might find it more difficult to issue mandates like that, he said.
States might struggle to copy Ohio’s approach for many reasons, including a shortage of state funds to support counties, a lack of consistent leadership focus on election security and differences in how local governments interact with the state. For example, the cities and towns that run elections in New England may be less prepared to take on these tasks than the larger counties that run elections in many other states.
Even so, Norden said, “I would recommend that states that aren’t doing something similar take a look at these directives and adopt as much as they can.”
Perez was more blunt: “The stakes for democracy are simply too high to leave cybersecurity and process considerations up to the counties’ discretion.”
