With the midterm congressional primaries about to go into full swing, the Department of Homeland Security is playing catch-up in helping to ensure that state election systems are secure against cybertampering by the Russians or others bent on mischief.
The department said it has completed on-site risk assessments of election systems in just nine of 17 states that have formally requested them so far. It has pledged to do so by November for every state that asks.
The security reviews are designed to identify any weaknesses that could be exploited by hackers; such examinations are routinely conducted in the private sector. They are just one tool, although an important one, in ensuring a computer network has a robust defense.
Homeland Security officials attribute the backlog to increased demand for such reviews since the 2016 presidential election and say they are devoting more money and shifting resources to reduce wait times. The reviews typically take two weeks each.
“Elections remain a top priority,” said Matt Masterson, the department’s senior adviser for cybersecurity.
Among those still waiting for Homeland Security to conduct a risk assessment is Indiana, one of four states with primaries on Tuesday. Its ballot includes several hotly contested races, including a Republican primary for U.S. Senate.
But Indiana, like other states, is not without any defense against hackers. It has used a private vendor to conduct a risk assessment, and is also one of 33 states and 32 local election offices that are receiving remote cyber-scanning services from Homeland Security to identify vulnerabilities in their networks.
Indiana Secretary of State Connie Lawson said she is confident state officials have done what they can to safeguard Tuesday’s voting, but acknowledged: “I’ll probably be chewing my fingernails during the entire day on Election Day.”
The concerns aren’t just theoretical.
The nation’s intelligence chiefs warned earlier this year that Russia remains interested in disrupting U.S. elections after a multipronged effort to interfere in 2016. That included attempts to hack into the election systems of 21 states.
There is no indication Russian hackers succeeded in manipulating any votes, but U.S. security agencies say they did manage to breach the voter rolls in Illinois. That state and Texas are the only two to hold statewide primaries so far this year, and neither reported any intrusions into their election systems.
But a local election in Tennessee last week highlights the concern: Knox County has hired a cybersecurity firm to investigate why a website that reports election results crashed after the polls closed.
The county’s technology director said some of the unusually heavy traffic came from overseas servers. DHS spokesman Scott McConnell said there is no indication so far that the outage was caused by a “malicious actor.”
Homeland Security designated elections systems critical infrastructure just months after the 2016 White House election, adding them to a list that includes chemical plants, dams and nuclear reactors.
The vast majority of primaries around the U.S. are in May and June. At least 28 states said they want Homeland Security to conduct the risk assessments, according to a 50-state survey of state election officials by The Associated Press.
Some states prefer to do the security checks on their own, with some, such as New Hampshire, expressing concern about federal overreach in a country where elections are run by state and local governments.
Cybersecurity experts say that as long as the process is robust, it should not matter who conducts the risk assessments.
“You could do this right in a number of different ways,” said Mike Garcia, lead author of a handbook for state and local election officials released recently by the nonprofit Center for Internet Security. “What matters is that you are doing it right.”
The delays have caught the attention of Congress, including the Senate Intelligence Committee, which recommended in March that Homeland Security expand capacity to reduce wait times.
“DHS and the FBI have made great strides, but they must do more,” committee chairman Sen. Richard Burr, a North Carolina Republican, said at the time.
Of the other states holding primaries on Tuesday, the traditional battlegrounds of North Carolina and Ohio said they had received on-site reviews by Homeland Security. Election officials in the fourth state, West Virginia, told the AP they have yet to request a federal risk assessment but plan to do so before the November election. They asked the National Guard to help monitor the state’s election networks on Tuesday.
Other states that told the AP they had received the DHS reviews are Colorado, Maryland, Nebraska, New Mexico and Oregon.
Nine states whose election systems were targeted by Russian hackers during the 2016 campaign said they were still waiting for DHS risk assessments, according to the AP survey.
Two of the states targeted in 2016 — Alabama and Oklahoma — have yet to request a DHS security review.
Alabama Secretary of State John H. Merrill said the state could still decide to make the request before the election.
“We are trying to be as prepared as we can possibly be with our existing partners,” Merrill said. “We want to keep every option open that we have.”