States: Seize this Moment to Compel Congress’ Help in Shoring Up Voting Systems

One year ago this week, Americans headed to the polls to pick the nation’s 45th president. Since then, we’ve learned disturbing details about the lengths of Russia’s efforts to interfere with the election that day.

There is no indication or evidence that Russia changed vote totals in any way. But the scope and sophistication of the attack demands urgent action from Congress. And states and local election officials have a key role in spurring change, using their voices to break through the partisan divide plaguing Washington. 

First, some background. The Department of Homeland Security notified 21 states in September that Russian actors had targeted their election systems. That news was immediately followed by an announcement from Senate Intelligence Committee leaders, who said their panel’s investigation would likely point toward a similar conclusion. The Committee’s chair, Republican Sen. Richard Burr, issued a prescient warning.

“The Russian Intelligence Service is determined, clever, and I recommend that every . . . election official take this very seriously,” he said.

Some states are shoring up their defenses in anticipation of future attacks, both by Russia and other actors. West Virginia’s elections team, augmenting past practice of using a cybersecurity expert, has added one to permanent staff. Colorado and Rhode Island could soon require automatic audits that would compare paper records with electronic vote tallies to verify election results. Delaware is moving its voter registration list off the state’s aging mainframe computer and preparing to replace a 21-year-old electronic voting system that does not leave a paper record at all. And, Virginia decertified direct-recording electronic voting machines prior to this week’s election for governor. That move comes after the technology was successfully infiltrated by individuals at DefCon, an annual hacker convention.

The federal government is showing signs that it, too, is taking this threat seriously. DHS convened a council of federal and state officials to leverage resources and share expertise on America’s critical infrastructure, which now includes election systems. And most significantly, there is reason to believe Congress may finally move forward with bipartisan legislation that provides states with needed resources to strengthen cybersecurity before the 2018 elections. But too many state election officials have remained tight-lipped in response to the recent congressional activity.

The Russians’ actions are rightly considered a violation of states’ sovereignty and an affront to the most fundamental of democratic processes — voting. Instead of using the notifications from DHS as an opportunity to highlight the urgent need for action, too many states instead boasted of their successful defense against the attacks and then downplayed them as “run-of-the-mill” incidents.

Iowa’s Secretary of State Paul Pate, for example, said that his state “continues to deflect” attempts from bad actors to hack the system. North Dakota Secretary of State Al Jaeger said security measures in his state have “proven to be effective” and his office continues to update cyber defenses as new “means of targeting are identified.” Oregon’s Chief Information Security Officer said her team blocks “upwards of 14 million attempts . . . every day.” And Ohio Secretary of State Jon Husted’s press secretary said, “DHS reported to us an incident. . . . However, it lasted less than a second, and no security breach occurred. Nothing.”

The basic message being: “Nothing unusual to see here. Please move on.”

Some states saved their harshest words for DHS rather than the Russians, irritated by its delay in notifying state election officials. Wisconsin even demanded — and received — an apology for what it believed was an erroneous notification. Hackers had targeted the Wisconsin Department of Workforce Development, rather than the state elections commission. DHS believes it was an intentional move designed to gain information about targeting election systems, and notified the state as a result. Wisconsin said the “scanning attempts were unremarkable,” and that the notifications were “an unnecessary distraction from the fact that Wisconsin’s systems are secure and have not been breached in any way.” Rather than investigating the precise methods used by the hackers, the Wisconsin Elections Commission Chair directed WEC staff to look at why elections officials were not notified by DHS earlier.

To be fair, election officials have a delicate balancing act to perform. They need to acknowledge that their systems were targeted without damaging public confidence in elections. But addressing the hacks would not indict election officials’ work or past successes; It is an opportunity to focus on the urgent need to enhance election security so we can handle future breaches. State election officials are now on the frontlines of a global cyberwar that seeks to undermine the health of our democracy, and they should act accordingly.

In an age where neither government (the Office of Personnel Management, the Department of Defense, the White House) nor the private sector (Equifax, Target, Yahoo, Sony) are immune from cyber intrusions, and with state funds increasingly difficult to come by, states should call for Congressional resources to help bolster their defenses. Most currently rely on voting machines that are more than 10-years-old and run on outdated software, which exacerbate their disadvantage against increasingly sophisticated adversaries. And when the hackers return next time, as intelligence experts have warned they will, they’ll have the added benefit of knowledge and insight from their previous tries. Those include successful attempts in Illinois to hack a voter registration database — where they gained access to the records of tens of thousands of voters, and in Arizona — where hackers gained access to the password and credentials of a county elections worker. It’s clear hoping for the best under current security measures is no longer a viable strategy.

A bipartisan group of national security leaders recently wrote to Senate leadership, saying “we do not expect the states to defend themselves against kinetic attacks by hostile foreign powers, nor should we leave them to defend against foreign cyberattacks on their own.”

Connecticut Secretary of State Denise Merrill agrees, saying: “It is clear that Congress needs to act swiftly, both to investigate and publicize Russian interference in the 2016 presidential election, and to appropriate the necessary funds so that our state and local governments have the resources they need to adequately protect our election infrastructure.” If her colleagues hope to instill continued confidence in their election infrastructure, they would be wise to follow Secretary Merrill’s lead in demanding action from Congress.