If states want to evaluate and fortify their election systems’ security against cyber threats, they’ll have to wait up to nine months to receive the Department of Homeland Security’s (DHS) most thorough and exhaustive security screening, said officials who spoke to Politico.
The wait could leave some states only weeks to prepare for the 2018 midterm elections, and election officials still “may remain unaware of flaws that could allow homegrown cyber vandals or foreign intelligence agencies to target voter registration databases and election offices’ computer networks,” wrote Politico’s Tim Starks.
The top-of-the-line DHS scan — called a “risk and vulnerability assessment” — involves DHS personnel on the ground in an election district for weeks, probing an election system’s weaknesses at every level. Officials admit that the test is of little use, however, if the district has no time to implement changes and shore up its defenses.
“Security experts, voting integrity groups and many lawmakers have expressed dismay at the lack of action on Capitol Hill and across the Trump administration to help states protect their election infrastructure,” said Starks.
Hackers believed to be associated with the Russian government attacked at least 21 state electoral systems in 2016. The attacks have called attention to the U.S.’s outdated, creaking vote infrastructure, which is held together via a patchwork of individual states’ systems, all presenting different levels of vulnerability.
While it’s believed that Russian agents were unable to alter total vote counts in individual states, Sen. Ron Wyden (D-OR) said in October that, in fact, no one knows for sure because no forensic examination of the election results has been conducted.
Congress has not passed any legislation aimed at protecting the nation’s voting system, and during testimony earlier this year Attorney Gen. Jeff Sessions all but threw up his hands and said it was too complicated for his Justice Department to handle.
“The matter is so complex that — for most of us — we’re not able to fully grasp the technical dangers that are out there,” said Sessions.
The DHS has stepped up in an attempt to address the danger and declared that state voting systems are critical infrastructure as much as hospitals and power plants. As such, they receive priority treatment from the agency with regard to cyber threats.
Former Pennsylvania Secretary of State Marian Schneider was the only state election supervisor to get a DHS risk and vulnerability assessment prior to the 2016 election.
Schneider — who now works for voting integrity group Verified Voting — said the full DHS check is “pretty extensive.” Pennsylvania administrators filled out a questionnaire and signed on to a complicated legal agreement. DHS sent four officials to carry out the probe.
“It’s resource-intensive,” Schneider told Politico. “The reason there’s a waitlist is because a lot of states want it done because they do it at no cost. To have that backlog is a problem, but it’s a good thing states are wanting the service.”
However, she said, “The fact they might have to wait until third quarter of 2018 — it’s not great, but they should get on the waitlist.”
Vermont, Connecticut, Colorado and New York have all contacted DHS requesting risk and vulnerability assessments and were told to expect waits from 2 to 9 months. This would mean even the earliest states to complete the assessments will be barely ready for the beginning of primary season in March.
The agency needs more funds and personnel, but during his brief tenure as Secretary of Homeland Security, now-White House chief of staff John Kelly told Congress the agency didn’t need additional resources to protect and secure “critical infrastructure.”
In the meantime, there are dozens of election security services offered by DHS that are less intensive than the full risk and vulnerability assessment.
Schneider said that the most intensive DHS program is the best way for states to protect their midterm voting, “but it’s just one tool in the box.”