The first primary in the 2020 presidential race is a little more than 250 days away, but lawmakers and experts worry that elections will be held on voting machines that are woefully outdated and that any tampering by adversaries could lead to disputed results.

Although states want to upgrade their voting systems, they don’t have the money to do so, election officials told lawmakers last week.

Overhauling the nation’s election systems would mean injecting as much as $1 billion in federal grants that would then be supplemented by states, but top Senate Republicans have said they are unlikely to take up any election security bills or give more money to the states.

The deadlock could mean that even as federal government and private companies spend tens of billions of cybersecurity dollars annually to protect their computers and networks from attacks, the cornerstone of American democracy could remain vulnerable in the upcoming elections.

Legislation going nowhere

Sen. Amy Klobuchar, a Minnesota Democrat and 2020 presidential candidate who last week proposed new legislation to address election security, laid out the state of affairs at a recent hearing. “Forty states rely on electronic voting systems that are at least 10 years old,” Klobuchar, who is the top Democrat on the Senate Rules and Administration Committee, said at a hearing last week. “Twelve states have no or partial paper backup.”

The consequence is “if something happens in one county in a close state or in one state, the entire presidential election could be up in the air,” Klobuchar said. “We then wouldn’t be able to prove what happened if we have no paper ballot backup.”

Klobuchar’s bill is modeled on legislation introduced earlier this month by Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security committee, which would mandate paper ballots, require U.S. intelligence agencies to assess threats to elections, and ask that states test their systems nine months before an election.

It’s not just the age of the machines. A recent report by the Brennan Center for Justice found that 45 states use voting machines that are no longer manufactured and therefore lack maintenance support, which could leave local officials scrambling for spare parts.

The report also cited a South Carolina election official who said the state continues to use Windows XP software, which Microsoft first released in 2001 and discontinued support for in 2014.

Still, Microsoft released a security patch on May 14 noting that the old software, which is used by about 3.5 percent of computer users globally, had a severe unrectified gap that could allow an invasion by malware similar to WannaCry.

That malware spread across the globe in 2017, shutting down all kinds of computer systems, including many hospitals in the United Kingdom. “It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” Simon Pope, Microsoft’s director of incident response, said in a statement accompanying the fix.

Of the five states that held 2018 elections with no paper ballot backups, Georgia and Delaware are moving toward systems with paper backup by 2020, leaving Louisiana, New Jersey and South Carolina in the paperless camp.

Nine other states — Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee and Texas — held 2018 elections with many jurisdictions operating voting machines without a paper backup.

Pennsylvania has said all its counties will have paper systems by 2020. To get all states to use some type of a backup — either ballots that are marked in paper and scanned, or digital vote recorders that produce a paper trail — would require the federal government to provide $300 million in additional grants, said Edgardo Cortés, election security advisor at the Brennan Center for Justice.

Replacing decade-old systems across the country would require another $700 million, said Cortés, who previously served as Virginia’s commissioner of elections.

States also need to examine cybersecurity practices in their voter registration systems, electronic poll books and vote tallying systems, Cortés said.

Pattern of hacking

In the 2016 elections, Russian intelligence agencies and their operatives targeted as many as 21 state election systems and managed to break into seven, although the Department of Homeland Security and the FBI have said that no votes were altered.

Just last week Florida Gov. Ron DeSantis said the FBI had informed him that two state counties were breached by Russians in the 2016 election.

Congress approved a $380 million federal grant to states last March to boost election security, but state officials have said it was long overdue and essentially was money left over from a 2002 law and not new money in light of the vulnerabilities identified in 2016.

When Democrats regained the House in January, they passed HR 1, a sweeping political overhaul bill that included changes to lobbying, fundraising and other rules but also several election security measures, including requirements that all states have paper ballots and grants to do so.

Senate Majority Leader Mitch McConnell has said he would not allow a vote on the measure. At the Senate Rules committee hearing last week, when Democrat Richard J. Durbin asked if any election security measures would be taken up, Chairman Roy Blunt said, “At this point I don’t see any likelihood that those bills would get to the floor if we mark them up.”

“I think the majority leader is of the view that this debate reaches no conclusion,” Blunt said. “And frankly, I think the extreme nature of HR 1 from the House makes it even less likely we are going to have that debate.”

McConnell’s office pointed to his May 7 floor speech in which he noted that in the 2018 midterm elections the Trump administration had “focused on election security like never before.”

Klobuchar and 37 Senate Democrats on Friday proposed a standalone election security measure, hoping to pick up Republican support. The bill would require all states to have paper backup systems, conduct post-election audits, and provide federal grants. It’s unclear if the bill will get any Republican sponsors.

Underfunded, understaffed

The federal grants are dispensed to states through the U.S. Election Assistance Commission, a federal body created after the disputed 2000 presidential election.

The agency has told Congress that states have spent about 30 percent of the last year’s grants and the rest will be spent on upgrades before the 2020 election. The agency itself has been hobbled, with its annual budgets slashed, and faces severe staff shortages. The result has been a slowdown in one of its core functions: setting standards and certifying voting machines so states can then choose from qualified vendors.

The agency’s first set of standards for voting machines was published in 2005, known as Voluntary Voting System Guidelines, and updated once in 2015. But none of the vendors or the machines were certified against the updated 2015 standards, which means election officials are still using the 2005 standards, Commission Chairwoman Christy McCormick told lawmakers last week.

The commission is now preparing updated guidelines, but it could be as late as 2024 before voting machines are tested and certified to those standards, commission spokeswoman Brenda Bowser Soder said.

Experts say it’s not clear if the new standards would prohibit the inclusion of any type of wireless or internet capability in voting machines. In some sense, anything that has an internet connection can be hacked.

The commission has outlined broad principles for the new standards, but there’s no mention of whether it would ban wireless connections as Brennan Center and others have called for, Cortés said.

Wireless capability, even if the functionality can be turned off through hardware or software, poses risks of remote access by adversaries, he said.

Voting machines that can connect to the internet should be banned, but machines may still need to have some type of wireless communication system so that administrators can upload new ballot information ahead of each election, said Marian Schneider, president of Verified Voting, a nonpartisan organization that advocates for good voting practices.

Some counties and precincts insert manual cartridges into machines to upload ballot information, but others push out that information wirelessly because it’s easier, Schneider said.

The software on new models of voting machines would also need routine updates, and that would require some type of connectivity, she said. “The question is, how you do it safely?” she said.

All the security measures cannot eliminate the risk of an attack or interference, Schneider said. “Because we can’t reduce the risk to zero, we need to do audits to check the results after,” she said. Post-election audits, in which samples of cast paper ballots are recounted, is considered the gold standard for verifying election results, but few states conduct them.

Niels Lesniewski contributed to this report.