WASHINGTON — Federal and state officials say that though there has been progress in fortifying the cyber-security of America’s election infrastructure, future elections are vulnerable to attacks by foreign entities.
Half a dozen panelists, including current and former secretaries of the Department of Homeland Security, Vermont’s chief election official, and security specialists from academia, addressed election security issues on Wednesday in testimony before the Senate Intelligence Committee.
Vermont Secretary of State Jim Condos told the panel that while it is important to understand the efforts to attack American elections in 2016, it is critical to create a system that will address evolving threats.
“The bad actors that tried to hack us yesterday are going to try a different way today and are going to be different tomorrow,” he said.
Intelligence officials have said that Russian hackers targeted election systems in 21 states, and successfully breached the voter rolls of at least one state.
The day before the hearing the committee released a set of recommendations for defending against potential future efforts by foreign entities to attack the American election infrastructure.
A number of states, including Vermont, already are implementing many of the committee’s recommendations, Condos said.
Condos, who appeared before the committee in his capacity as president-elect of the National Association of Secretaries of State, said the most important step Congress could take would be to provide states with more financial support to address cyber-security threats.
Funding for election security is expected to be included in the appropriations omnibus bill, which lawmakers have said they hope to pass by Friday. As of Wednesday afternoon, details of the bill had not been finalized, though negotiations were reported to be complete.
Condos told lawmakers that Vermont already has implemented many of the initiatives considered best practice, such as having paper ballots and doing weekly digital hygiene scans. The state anticipates having two-factor security authentication in place for all towns by May or June, he said. Other initiatives also are underway.
Condos acknowledged there was skepticism in August 2016 when the Department of Homeland Security’s then-Secretary Jeh Johnson held a conference call with state election officials to talk about election security.
The call “kind of caught us out of the blue,” Condos said. There was pushback across the political spectrum from state officials concerned about federal meddling in elections, which fall under the jurisdiction of states.
It wasn’t until September 2017 that federal officials alerted the 21 states that had been the target of Russian efforts, Condos said. Vermont was not among the states identified by DHS as having been affected.
Condos said he believes there have been improvements in communication, about election security, between the federal government and states.
Johnson, who was homeland security secretary in the Obama administration, and Kirstjen Nielsen who is the current secretary, appeared side by side before lawmakers at the start of the discussion.
Nielsen described ongoing efforts by the agency to improve communications between the federal government and states, including providing security clearance to approximately 150 state election officials. So far, 21 have received clearance, she said.
Under questioning from senators, Johnson defended homeland security’s handling of the security threats preceding the 2016 election.
Committee members said he had not made it clear that the Russian government was suspected of involvement in the attack on America’s election infrastructure, and that the conference call with state election officials in August 2016 had only added to the confusion.
Johnson said that federal officials were not ready to go public with the news that a foreign government was suspected of being behind the attack.
Panel members expressed the need for a clearly articulated national approach to cyber-security. One senator compared it to having a policy of nuclear retaliation.
Asked by Sen. Mark Heinrich, D-NM whether it would be helpful if President Donald Trump were to address Russia’s role in the attacks on the election infrastructure, Nielsen responded that he has.
“I think he has said that it’s happened,” Nielsen said. “The line that he’s drawing is that no votes were changed. That doesn’t mean there’s not a threat.”
Both Nielsen and Johnson said there are no indications that outside actors succeeded in changing any votes in 2016.
Sen. Angus King, I-Maine, said the information in the draft report detailed a “sophisticated, thorough, comprehensive, maligned and malicious” attack on U.S. elections.
“What worries me is that although the intelligence is uniform and no votes were changed, they were not doing it for fun in 2016,” King said. “What it looks like is a test.”
Burr said that there is a “clear distinction” between the focus of the hearing, which was on how an outside actor could tinker with electoral results, and the Russian-led effort to sow chaos in the electoral process using social media and other channels.
Others in attendance pointed out that hacking into an election infrastructure is not the only way to create discord and undermine the public’s faith in the democratic process.
“They don’t have to actually get in and change votes in order to achieve the result that they are seeking,” King said.
Eric Rosenbach, a researcher from Harvard University, responded to King that such a scenario has played out in Ukraine, where hackers gained access to the webpage where election results were being posted. The country, he said “was left in chaos for days afterwards.”
“We need to look at that playbook,” Rosenbach said. “They will do it to us.”
Among those aspects of the electoral process that are particularly vulnerable to attack, Rosenbach said, are the campaigns themselves, which he characterized as the “soft underbelly” of the system. They tend to be hastily assembled and often do not have good cyber security protocols, he said.
After the hearing, Condos said it was good to see the committee putting forward recommendations, many of which Vermont already has put in place.
Vermont has been thorough about ensuring the integrity of its elections, but it has come at a price, Condos said, stressing the importance of states having the resources to ensure electoral integrity.
“It seems to me we’re on the same page now, where this is not just a state or a local issue, that it’s also a federal issue,” Condos said. “It’s the very basis of our democracy.”
He said there is a need for states and local jurisdictions to cooperate, to ensure that people are notified when there is a security issue.
“If one state gets hacked or one town gets hacked, we should be considering all 50 states being hacked,” he said.
