Less than nine months before midterm elections, a new election security study shows that most state election systems remain vulnerable to hacking and other interference by foreign governments bent on disrupting the election process.

The Center for American Progress conducted research and interviewed election officials to determine their election security preparedness after U.S. intelligence agencies concluded that Russia tried to influence the 2016 election by targeting state voting systems.

As events have shown, election security is now a matter of national security, especially because U.S. intelligence officials have predicted that hostile nation-states such as Russia again will attempt to penetrate U.S. election infrastructure in 2018 and 2020.

The study assigns grades to all 50 states and the District of Columbia based on adherence to best practices under seven categories, including adopting minimum cybersecurity measures for voter registration databases, using paper ballots, and conducting post-election audits.

“This report should spur demand across the country for urgent steps needed to defend America’s election security against another attempt by a foreign nation to disrupt our elections,” said Danielle Root, lead author of the report. “While vulnerabilities in the election infrastructure still exist, it’s encouraging to see some states taking steps to better protect their elections.”

While all states have taken steps to protect their elections from outside influence or system failure, the report found that election infrastructure in most states remain susceptible to attacks by sophisticated enemies.

Among the findings:

  • Arizona received a D.
  • No state received an A and only 11 states received a B. Another 23 states received a C, 12 states received a D, and five states received failing grades. Even states receiving a B are vulnerable to attack.
  • The biggest threat to election security is the continued use of paperless electronic voting machines, which are vulnerable to hacking and do not leave a reliable paper trail that can be audited to confirm election outcomes. Fourteen states use paperless DRE machines in at least some jurisdictions; five states rely exclusively on paperless DRE machines for voting.
  • Only two states (Colorado and Rhode Island) have good post-election auditing requirements in place. The report found that 33 states have post-election audit procedures that are unsatisfactory from an election security standpoint.
  • At least 10 states do not provide cybersecurity training to election officials.

CAP’s research and report card are designed to identify vulnerabilities in election infrastructure in order to build urgency for appropriate solutions and arm stakeholders with information to demand increased security measures. Overall, states still lack the necessary funding and resources to adequately protect future elections from interference by hostile nations such as Russia. Despite bipartisan efforts in Congress to bolster election security and provide needed funding, legislation remains blocked.

Liz Kennedy, CAP’s senior director of Democracy and Government Reform, added: “In this threat environment, Congress needs to step up and provide more resources to invest in America’s election infrastructure so that states can do the job right.”

There have been some recent signs of progress. Last fall, for example, Virginia switched out its paperless voting machines for paper ballots, while Rhode Island joined Colorado in requiring risk-limiting post-election audits. And on Friday, Gov. Tom Wolf’s administration in Pennsylvania—which still uses paperless voting machines in some jurisdictions—ordered counties looking to replace their voting systems to purchase machines with paper records.

Read the report: “Election Security in the States: Defending America’s Elections,” by Danielle Root, Liz Kennedy, Michael Sozan, and Jerry Parshall.