With the first primaries of the 2018 elections less than a month away, you might expect federal officials to be wrapping up efforts to safeguard the vote against expected Russian interference.
You'd be wrong.
Federal efforts to help states button down elections systems have crawled, hamstrung in part by wariness of federal meddling. Just 14 states and three local election agencies have so far asked for detailed vulnerability assessments offered by the Department of Homeland Security — and only five of the two-week examinations are complete.
Illinois, for instance — where primary voters go to the polls on March 20 — requested an assessment in January. The state is still waiting, and its officials can't say whether it will happen before the primary election. DHS says the assessments should be finished by mid-April.
Meantime, fewer than half of the estimated 50 senior state elections officials who requested federal security clearances have received them, DHS says. That can hinder information sharing designed to help states deal with election disruptions.
And Congress is still sitting on three bipartisan bills that address election integrity issues, including funding to upgrade antiquated equipment.
Overall, experts say far too little has been done to shore up a vulnerable mishmash of 10,000 U.S. voting jurisdictions that mostly run on obsolete and imperfectly secured technology. Russian agents targeted election systems in 21 states ahead of the 2016 general election, DHS says, and separately launched a social media blitz aimed at inflaming social tensions and sowing confusion.
The heads of the CIA and State Department have recently said they already see indications that Russian agents are preparing a new round of election subterfuge. Texas will hold the first primary of 2018 on March 6; Illinois follows two weeks later.
That makes local election officials "the front lines of the information age," said Eric Rosenbach, co-director of Harvard's Belfer Center and a former Defense Department chief of staff in the Obama administration. "After what the Russians did, every other bad guy is going to come after our democracy now."
Since last July, a bipartisan team at Harvard — including former U.S. Marine and Army cyberwarriors, national security eggheads and Google engineers — has been trying to shore up that local line. The group, which calls itself the Defending Digital Democracy initiative, has just drafted its latest protect-the-vote election "playbooks" intended to prepare state and local officials for the worst.
"It's not a question of whether somebody is going to try to breach the system," said Robby Mook, manager of the 2016 Clinton campaign, which was stung by multiple email thefts later traced to Russian agents . "The question is: 'How resilient are we and what are we doing to protect ourselves?'"
Mook helps run the effort with Matt Rhoades, who managed Mitt Romney's 2012 presidential run. Over six months, the authors visited 34 state and county offices and ran simulations to help local officials improve their "threat awareness."
The team's findings highlight resource-strapped election systems that can't secure their own operations, vulnerable voting-equipment vendors and the threat posed by insiders and people looking for political advantage.
There's no evidence that any hack in the November 2016 election affected election results. But there are also cases — such as in Georgia, where a key election-staging server was exposed on the open internet for months then wiped clean without a forensic exam — that haven't been independently investigated.
And federal delays are legion. In the last election, DHS took nearly a year to inform the affected states of hacking attempts, blaming it in part on a lack of security clearances. But it hasn't made up enough lost ground to satisfy critics on Capitol Hill.
In Illinois, for instance, the executive director of the state elections board submitted his application in August and has yet to receive his clearance, according to agency spokesman Matt Dietrich.
As a stopgap, DHS is providing one-day "read-ins" on secret information this week in Washington to about 100 senior state officials — secretaries of state and elections directors — gathered there for a meeting. "That's a way to deal with the fact that the process hasn't worked as quickly as we'd hoped," Bob Kolasky, deputy assistant secretary at DHS for infrastructure protection, said in an interview.
The Harvard team recommends a variety of election safeguards, such as background checks for everyone with access to sensitive election systems, universal use of voting machines that produce a paper trail, and routine, rigorous audits of election results — currently standard only in Colorado and Rhode Island.
Elections officials "made us all a little nervous" in their handling of disinformation scenarios during tabletop exercises — such as bogus online reports of two-mile-long lines certain polling stations, said Rosenbach.
"They do not want to talk to the press, much less communicate at all," he said. A hack is just one element of a modern election attack — "the more potent part is often info ops."