To protect election systems from hacking, states are getting cozier with Homeland Security

It might be a snow day in Washington, but the Senate Intelligence Committee hearing on election system security continued as planned. During Wednesday’s hearing, Homeland Security Secretary Kirstjen Nielsen and her predecessor Jeh Johnson appeared with a panel of state election officials to hash out the recommendations issued by the committee on Tuesday.

“This issue is urgent,” said Senate Intel Chairman Richard Burr in his opening statements. “If we start to fix these problems tomorrow, we still might not be in time to save the system for [2018] and 2020.”

The hearing often turned to what broke down during the 2016 election, describing the kind of measures and policies that need to be put in place to allow federal and state officials to communicate smoothly around future threats, including the established threat from Russia. We learned last year that Russia targeted election systems in at least 21 states. Many members of the committee expect other U.S. adversaries to adopt that same model around known vulnerabilities.

“Despite evidence of interference, the federal government and the states had barely communicated about strengthening our defenses,” said Senate Intel Vice Chair Mark Warner. “It was not until the fall of 2017 that DHS even fully notified the states they had been potential targets.”

So what’s changing?

For one, Homeland Security won’t let coordinating the security clearances for as many as 150 relevant state election officials get in the way of handing down important election system intelligence. Only 20 officials out of that 150 number have that clearance now.

“We’ve worked out the processes whereby if we have actionable information we will provide it to the state and local officials on a day read-in so we are not letting the lack of clearance hold us back,” Nielsen said. “If we have information to share with them in respect to a real threat, we will do so.”

According to Amy Cohen, executive director of the National Association of State Election Directors, an organization that brings together election officials in all 50 states, states have made “great strides” since the former DHS secretary designated all election systems as critical infrastructure in January of 2017.

States that may have been nervous about federal overreach after the critical infrastructure designation (which applied to all aspects of federal state and local elections including polling places, storage facilities, voter registration databases and the voting machines themselves) seem to be warming up to and opting into the “technical resources” that Homeland Security has on offer. As of today, more than half of the states have signed up for Homeland Security’s optional cybersecurity audits. That program helps states identify potential system vulnerabilities and makes recommendations based on its findings.

“To be clear, there has been a learning curve on the sharing of information,” Nielsen said. One challenge is understanding how states vary in operating and organizing their elections. For example, an election that would be run by a county in one state might be the domain of the governor or the secretary of state’s office in another.

“Today I can say with confidence that we know whom to contact in every state to share threat information,” Nielsen said. “That did not exist in 2016.”

While Homeland Security and the states have made progress since the 2016 election, those improvements are incremental and uneven. State budgets vary and some rely more heavily on federal funds for required steps for securing their elections, like purging insecure election machines and purchasing new machines that leave an auditable paper trail. Many states are currently undertaking the steps necessary to get their election systems up to Homeland Security’s recommended standards, even as U.S. adversaries likely continue to probe existing systems for cyber weaknesses.

“The threat of interference remains,” Nielsen admitted. “We recognize that the 2018 midterm and future elections are clearly potential targets for Russian hacking attempts.”