States await election security reviews as primaries heat up
With the midterm congressional primaries about to go into full swing, the Department of Homeland Security has completed security reviews of election systems in only about half the states that have requested them so far.
The government’s slow pace in conducting the reviews has raised concerns that the nation’s voting systems could be vulnerable to hacking, especially after U.S. intelligence agencies warned that Russia plans to continue meddling in the country’s elections.
Among those still waiting for Homeland Security to conduct a risk assessment is Indiana, one of four states with primaries on Tuesday. Its ballot includes several hotly contested races, including a Republican primary for U.S. Senate.
Indiana Secretary of State Connie Lawson said she is confident state officials have done what they can to safeguard Tuesday’s voting, but acknowledged: “I’ll probably be chewing my fingernails during the entire day on Election Day.”
Like other states, Indiana used a private vendor to conduct a risk assessment and is one of 33 states and 32 local election offices that are receiving remote cyber scanning services from Homeland Security to identify vulnerabilities in their networks.
The concerns aren’t just theoretical.
The nation’s intelligence chiefs warned earlier this year that Russia remains interested in disrupting U.S. elections after a multipronged effort to interfere two years ago. That included attempts to hack into the election systems of 21 states.
Election officials in nine of those states said they were still waiting for a DHS risk assessment, according to a nationwide AP survey.
There is no indication Russian hackers succeeded in manipulating any votes, but U.S. security agencies say they did manage to breach the voter rolls in Illinois. That state and Texas are the only two to hold statewide primaries so far this year, and neither reported any intrusions into their election systems.
But a local election in Tennessee last week highlights the concern: Knox County has hired a cybersecurity firm to investigate why a website that reports election results crashed after the polls closed.
The county’s technology director said some of the unusually heavy traffic came from overseas servers. DHS spokesman Scott McConnell said there is no indication so far that the outage was caused by a “malicious actor.”
Homeland Security designated elections systems critical infrastructure just months after the 2016 presidential election, adding them to a list that includes chemical plants, dams and nuclear reactors.
The department said it has completed risk assessments of election systems in just nine of the 17 states that have formally requested them so far. It has pledged to finish them by November for every state that asks, but the reviews are not likely to be done in time for some state primaries, many of which are in May and June.
The number of states is likely to grow. At least 28 said they want Homeland Security to conduct the risk assessments, according to a 50-state survey of state election officials by The Associated Press.
The security reviews are designed to identify any weaknesses that could be exploited by hackers; such examinations are routinely conducted in the private sector. They are just one tool, although an important one, in ensuring a computer network has a robust defense.
Homeland Security officials attribute the backlog to increased demand for such reviews since the 2016 election and say they are devoting more money and shifting resources to reduce wait times. The reviews typically take two weeks each.
“Elections remain a top priority,” said Matt Masterson, the department’s senior adviser for cybersecurity.
Some states prefer to do the security checks on their own, with some, such as New Hampshire, expressing concern about federal overreach in a country where elections are run by state and local governments.
Cybersecurity experts say that as long as the process is robust, it should not matter who conducts the risk assessments.
“You could do this right in a number of different ways,” said Mike Garcia, lead author of a handbook for state and local election officials released recently by the nonprofit Center for Internet Security. “What matters is that you are doing it right.”
The delays have caught the attention of Congress, including the Senate Intelligence Committee, which recommended in March that Homeland Security expand capacity to reduce wait times.
“DHS and the FBI have made great strides, but they must do more,” committee chairman Sen. Richard Burr, a North Carolina Republican, said at the time.
Of the other states holding primaries on Tuesday, the traditional battlegrounds of North Carolina and Ohio said they had received on-site reviews by Homeland Security. Election officials in the fourth state, West Virginia, told the AP they have yet to request a federal risk assessment but plan to do so before the November election. They asked the National Guard to help monitor the state’s election networks on Tuesday.
Other states that told the AP they had received the DHS reviews are Colorado, Maryland, Nebraska, New Mexico and Oregon.
Two of the states targeted in 2016 — Alabama and Oklahoma — have yet to request a DHS security review.
Alabama Secretary of State John H. Merrill said the state could still decide to make the request before the election.
“We are trying to be as prepared as we can possibly be with our existing partners,” Merrill said. “We want to keep every option open that we have.”
Associated Press writers Tom Davies in Indianapolis contributed to this report.
Follow Christina Almeida Cassidy on Twitter at http://twitter.com/AP_Christina