States and counties are not ‘sitting back’ on election cybersecurity, officials tell Congress
Four state, local and federal officials briefed members of Congress Tuesday on the need to increase cybersecurity around voting infrastructure, a task that grows more urgent for state and local governments as the November midterm elections approach.
While the nearly three-hour hearing before the House Oversight Committee was frequently sidetracked by representatives’ diversions into topics including the investigation being conducted by Special Counsel Robert Mueller, federal agencies’ search rankings and President Donald Trump’s latest tweets, the witnesses also got a few words in about how ready election officials are to repel cyberattacks and how well states are partnering with the federal government to make voting more secure.
Many states have undertaken measures to overhaul the security of multiple aspects of how they conduct elections, including replacing ballot machines, implementing new security procedures on computer systems and signing up for regular assessments from federal agencies. With most primaries wrapped up and the general election less than four months away, those upgrades are about to be put to the test.
The officials testifying Tuesday tried their best to explain their preparedness and their needs. In her opening testimony, New Mexico Secretary of State Maggie Toulouse Oliver set the stage by quoting Homeland Security Secretary Kirstjen Nielsen’s speech earlier this month to the National Association of Secretaries of State in Philadelphia, in which Nielsen noted that “election security is national security.”
Christopher Krebs, the Homeland Security undersecretary in charge of cybersecurity programs, echoed that assessment.
“Let me state plainly and clearly: The 2018 midterm elections remain a target for Russian cyber and influence operations,” Krebs told lawmakers. “We are planning and preparing as if they’ll try again this fall and beyond.”
But Krebs, who spent much of the first half of the year visiting states as they conducted primaries, added that local election officials “are not taking cybersecurity sitting back.” Specifically, he pointed to increased communications between state and federal officials, and greater information sharing between local governments with the formation of the Election Infrastructure Information Sharing Analysis Center, or EI-ISAC. The center, which was established in February, has already enrolled all 50 state governments and more than 1,000 counties and municipalities.
Through the EI-ISAC, which is operated out of the Center for Internet Security, many more local governments have obtained cybersecurity tools — including intrusion-detecting devices known as Albert monitors — that they didn’t have in 2016, Krebs said. Members are also able to get regular vulnerability assessments from DHS’ cybersecurity division.
Del. Eleanor Holmes Norton, a Democrat representing Washington, D.C., told Krebs she was puzzled by a statement he gave to another House committee on July 11 that foreign hackers likely attempted to penetrate election systems in all 50 states, despite a 2017 DHS report stating that just 21 states were targeted. Krebs said the states listed in the DHS finding were where sensors had already been deployed and hacking attempts could be detected.
“Since February of this year, we’ll have quadrupled our coverage,” he said.
More glue needed
But securing voting systems has proved to be a prolonged operation. Both Toulouse Oliver and Ricky Hatch, the clerk and auditor of Weber County, Utah, said that while federal funds authorized earlier this year for election security were welcome, much more will be needed in the future.
“During the 2016 election, counties managed more than 100,000 polling locations,” Hatch said. “But elections are not one-day events. The integrity of the election process is our main goal, and security is a key component.”
Beyond just the machines voters use to cast their ballots, Hatch and Toulouse Oliver told Congress that election security also involves voter registration systems, the computers used by election officials and websites that present the public with election-night tallies. The Election Assistance Commission, which is currently distributing $380 million to states, “has been the glue” in making recent improvements, Hatch said, but more is needed.
“We urge Congress to support a dedicated, predictable funding stream to help local governments adequately secure elections,” said Hatch, who was in Washington on behalf of the National Association of Counties.
Some lawmakers, however, sounded unconvinced by Hatch’s request. Republican Rep. Paul Mitchell asked EAC Chairman Thomas Hicks if his home state of Michigan had requested anything on top of the $10.7 million it was awarded earlier this year. Hicks said Michigan had not asked for more.
And Rep. Mark Meadows, a Republican from North Carolina, told Hicks that Tuesday’s hearing was the first time he’d heard of the EAC. “When I Google you, you’re not in the top 10 of the search results,” Meadows said.
Hicks replied that “that means we’re doing our job,” and that he was recently in North Carolina helping election officials there certify new voting equipment.
Toulouse Oliver, who serves as NASS’s treasurer, backed up the call for more federal support.
“Election security is not a one-time issue,” she said. “Interference happened before 2016, it will happen after 2016. I think 2016 just brought an awareness of how serious this issue is. I believe elections are underfunded considering how serious they are.”
The $380 million that the EAC is currently doling out, she said, is not even enough to cover replacing equipment in the five states that exclusively use ballot machines that do not produce paper trails, much less the full suite of cyber-hygiene protocols and assessments that federal and state officials recommend.
Tangents and distractions
During the course of the hearing, members’ and witnesses’ views of additional steps toward election security varied, sometimes wildly. Several Democratic members were spurred on by the recent indictment of 12 Russian intelligence officers for hacking Democratic Party organizations and state voter files during the 2016 election. Rep. Carolyn Maloney of New York asked Krebs if he shared Trump’s oft-tweeted assessment that Mueller’s investigation is a “witch hunt.”
“Ma’am, this is a duly authorized investigation under the supervision of the deputy attorney general,” he responded.
And Democratic Rep. Raja Krishnamoorthi passed over asking the witnesses about the Russians’ alleged theft of the personal information of 500,000 voters from a state believed to be his home state of Illinois. Instead, he asked Krebs to respond to a 25-minute-old presidential tweet suggesting Putin — who said last week he wanted Trump to win the 2016 election — would tell his intelligence agencies to favor Democrats the next time around.
Said Krebs: “I’ve made it my job to work with state and local election officials and not interpret headlines and Twitter.”
Rep. Jamie Raskin, a Democrat from Maryland, brought up a Russian matter much closer to the witnesses’ skill sets: the recent revelation that the vendor that manages Maryland’s statewide voter registration database had been acquired by an investment firm controlled by a billionaire with ties to the Kremlin.
Hicks said the EAC isn’t able to comment on an ongoing investigation, though Krebs said his agency is looking into the Maryland case. “This is actually one of those stories of progress,” he said. “When the state board of elections was notified, they immediately reached out to us for help.”
Between the lawmakers’ diversions, Krebs, Toulouse Oliver and the other witnesses squeezed in more updates about what they’re trying to do to give elections better cybersecurity. Toulouse Oliver said New Mexico is making frequent use of DHS’s assessment tools, which have revealed that nearly 30 counties in her mostly rural state still need a lot of help, especially those that don’t have full-time information technology staffs.
Krebs also said that DHS will be overseeing a three-day tabletop exercise in August, simulating a variety of election-related cybersecurity disasters.
The hearing continued to drift away from cybersecurity as it dragged on, with Rep. Gary Palmer, a Republican from Alabama, bringing up the defunct community-organizing group ACORN, which ceased operations in 2010, and Rep. Glenn Grothman, a Republican from Wisconsin, asking Toulouse Oliver if New Mexico would consider requiring its voters to present photo identification at the polls as the nation of Mexico does.
“You must be familiar with Mexican law, right across the border,” Grothman told Toulouse Oliver.
“I am not an expert on Mexican law,” said the secretary of state of New Mexico, which became United States territory in 1848.