localized date
Current Time
.png)
When Russian operatives attacked the 2016 presidential election, Pennsylvania’s aging, paperless voting systems made it one of the nation’s most vulnerable states, experts found.
All 50 states were targeted by Russian affiliated cyber actors. But in 2018, Pennsylvania earned a spot on a list of the 18 most vulnerable states in a report from the Democrats on the House Committee on Administration — a group responsible for the oversight of federal elections. There is no evidence that hackers changed any votes, according to Volume 1 of the Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election.
But the attacks moved lawmakers to improve election security across the country.
A decade later, where do things stand? Here’s a look at four of Pennsylvania’s biggest changes to election cybersecurity:
Paper is the “single biggest advancement” in election cybersecurity since 2016, said David Becker, founder and executive director of the Center for Election Innovation & Research, a nonprofit that works to build trust in elections.
In 2018, Pennsylvania was one of only 14 states still using paperless electronic voting machines, according to Pitt Cyber, at the University of Pittsburgh’s School of Law.
Paperless machines grew in popularity after 2002 when Congress banned punch cards, the outdated voting mechanism that fueled contention in the Florida presidential race between Al Gore and George W. Bush.
But researchers soon proved the machines to be hackable; in 2006, Princeton University researchers released a study that detailed paperless machines’ “very serious vulnerabilities.”
What’s more, “there was no way to go back and have a paper trail,” said Tim Germani, Lawerence County election director.
But in 2018, the Pennsylvania Department of State issued a directive for counties to choose a voting system that produced voter-verifiable paper records. By June 2, 2020, the day of the Pennsylvania primary elections, all 67 counties used paper ballots, according to the Department of State.
The work isn't finished, said Ron Bandes, Pittsburgh-based election integrity specialist for the League of Women Voters. Rather than hand-mark all paper ballots, several counties use ballot marking devices. These devices are “not the gold standard,” Bandes said.
“A ballot that is marked by a machine and not directly by the voter cannot be said to be voter-verified,” Bandes said. “Most of the counties use them primarily for voters with handicaps, but a few counties use them for all voters.”
In Southwestern Pennsylvania, Washington, Greene, and Westmoreland counties use the devices for all voters, according to Verified Voting, an organization that tracks and promotes secure election technologies.
“With ballot-marking devices, hacks are difficult to detect and impossible to correct,” Princeston University computer science professor emeritus Andrew Appel told the Pennsylvania Senate Committee on Government in 2024.
After voters submit paper ballots, machines tally the votes. The machines’ tallies are then checked by audits and partial recounts.
Since 1980, Pennsylvania has required 2 percent of votes to be recounted (or 2,000 votes, whichever’s less) to check for accuracy.
A workgroup through the Department of State determined the best method for the audit to be a risk limiting audit, which is mathematically flexible to each election, unlike the 2 percent partial recounts.
Beginning with the Nov. 8, 2022, general election Pennsylvania counties were required to participate in a risk limiting audit if selected in a random draw.
Reports on the audits are available here. State law still requires 2 percent recounts in addition to the audits.
For several years following the Russian cyberattacks, election cybersecurity was a bipartisan issue in Washington D.C., said Andrew Grotto, a Stanford University researcher and former senior director for cybersecurity policy at the White House under Obama and the first Trump term.
At the end of the Obama administration, in 2017, election systems became designated as critical infrastructure, opening the door to more federal support against cyberattacks.
In 2018, Trump signed a bill to create the Cybersecurity and Infrastructure Security Agency, or CISA, to protect critical infrastructure from threats.
Until 2025, CISA funded programs at the Center for Internet Security, a nonprofit that safeguards organizations against cyber threats. The Center for Internet Security, through their Multi-State Information Sharing and Analysis Center (MS-ISAC) and Election Infrastructure Information Sharing Analysis Center (EI-ISAC), provided free cybersecurity services to state and local election offices, including cybersecurity hardware, software, and incident threat analysis.
“If it’s Christmas Eve, and there’s a tiny little water authority office in some rural county in Iowa,” Boockvar said, “and he’s the guy that drew the short straw to be staffing the office on Christmas Eve, and he gets an email, and he accidentally clicks on a link, and he suddenly thinks, oh no, what did I do? And nobody is around. He could call the ISAC at any hour of any day and get a human who could do the assessment.”
Republican support for CISA disintegrated in 2020, said Grotto, when its then-head, Chris Krebs, announced that year’s election was the most secure election of all time.
“It’s hard to claim that the election was stolen if the election was, in fact, the most secure election of all time,” Grotto said. That’s when bipartisan consensus began to crumble, he said.
CISA cut funding to the Center for Internet Security for MS-ISAC and EI-ISAC in 2025. The Center for Internet Security still operates the programs, but membership is no longer free.
For a local voting jurisdiction, membership costs about $1,500 per year, said Paul Lux, supervisor of election in Okaloosa County, Fla., and chair of the Elections Infrastructure Information Sharing and Analysis Center.
In 2025, there were several other cuts made to programs that could have deterred foreign influence on elections, according to a report from the Institute for Responsive Government, written by Boockvar and election expert Matt Crane, executive director of the Colorado Clerks Association.
CISA cut the Election Security and Resilience team, eliminated Regional Election Security Advisors, fired Regional Election Security Advisors, and curtailed field-based CISA services according to the report.
The DOJ also cut the Election Threats Task Force, the report said.
“As you might imagine, the federal government has historically been the best source for foreign intelligence on these issues,” Boockvar said. “That's a big loss, because there's much less sharing of intelligence.”
The voter registration system — the Statewide Uniform Registry of Electors, or SURE — is aging, according to a 2019 report from the Blue-Ribbon Commission on Pennsylvania’s Election Security, a group of election experts hosted by Pitt Cyber.
In March 2025, Pennsylvania Secretary of State Al Schmidt announced the replacement of SURE with a new system from Civix by 2028.
Civix will replace more than just voter registration. It will replace systems for election night reporting, campaign finance, and lobbying disclosure registration and reporting.
Hannah Frances Johansson is a reporter for the Pittsburgh Media Partnership newsroom. She holds a master's degree from the UC Berkeley Graduate School of Journalism. Reach her at hannah.johansson@pointpark.edu.
Pete Sirianni, editor of the New Castle News, contributed to this story.
The PMP Newsroom is a regional news service that focuses on government and enterprise reporting in southwestern Pennsylvania. Find out more information on foundation and corporate funders here.
Header image: Ballot dropbox, used until 1968, on display in the lobby of County Office Building in Downtown Pittsburgh, home to the Allegheny County Election Division office. Photo taken by Hannah Frances Johansson on March 10, 2026.
.png)
