Demings alluded to some of the report's most eyebrow-raising content, which discussed, in great detail, how difficult it was for DHS to work with state and county officials to try to detect and prevent attacks on the different computer systems overseeing voting. (Voter registration databases are one system; another system tabulates the votes.) That cooperation was also hampered by Republicans in Congress and states that didn't trust the Obama administration -- even though DHS is not a regulatory agency.
"DHS was slow to gain the trust and buy-in of its state partners," the report said. "On September 28, 2016, with the election nearing and fewer than half the states requesting assistance from DHS, bipartisan congressional leadership wrote to state election officials to urge them to take advantage of resources to secure their network infrastructure, including those offered by DHS. At the same time Congressional leadership promised to 'oppose any effort by the federal government to exercise any degree of control over the states' administration of elections by designating these systems as critical infrastructure.'"
The report notes that DHS was unable to expeditiously help states as 2016's election came to a close, even where its assistance -- such as running tests to see if voting networks could be hacked -- was wanted.
The report's authors have drafted legislation in which DHS can play a significant role. As a result, the report alternates between critical passages like the above paragraph, and supportive passages about what DHS achieved, such as: "With consistent prodding, DHS provided cyber hygiene scans to election officials in 33 states and 36 local jurisdictions and shared over 800 cyber threat indicators officials could use to identify attempted intrusions, as well as other tactics, techniques and best practices, with officials in thousands of jurisdictions across the country."
But the problems of DHS coordinating with states that want its help has persisted since the 2016 election, the report noted. In one example, states had to wait nine months to have the federal agency assess their cyber vulnerabilities. That track record, apart from promises of help by top DHS officials, was troubling, election officials told the report's authors.
"Election officials also had difficulty squaring DHS' offer of 'priority access' to services with the nine month waiting list for certain services like Risk and Vulnerability Assessments," the report said. "These delays render the benefit useless in light of the compressed time frame of an election cycle."
While these revelations don't mean DHS officials aren't trying to help states, they underscore how difficult it is to make systemic changes that are needed to safeguard elections. Another example given was that DHS kept telling governor's offices what was needed, but the messages were never given to senior state election officials -- because election offices use different computer systems for their data and communications.
"Although DHS officials testified in June 2017 that Russia targeted voting systems in 21 states, for example, it did not notify state election officials whether their election systems were targeted until late September, almost a year after the election," the report said. "In part, DHS attributed these information sharing challenges to the nature of its existing information sharing channels and reporting structures within each state. As a general rule, DHS shares threat information at the state level through state Homeland Security Advisers, Fusion Centers, CIOs and other agents of the state governor. Each state government is organized differently, but for the most part, Secretaries of State and other chief election officials are independently elected officials who do not report to the governor and exist outside the executive branch chain-of-command. As a result, information shared by DHS did not automatically flow to them under existing information-sharing relationships."
Little Political Will to Fix Voting Systems
These kinds of delays and communication snafus show a system that operates at a snail's pace relative to the speed of cyber probes and attacks. To make matters worse, in many states -- and in Congress, as seen in the just-passed federal budget -- there's no willingness to spend the funds needed to modernize voting in the United States.
"State and local election officials are acutely aware of the threats they are facing, but they lack the necessary funds to safeguard their voting infrastructure," the report said. "In most states, legislatures are not increasing their election security budgets. In some cases, Governors [Florida, Ohio, Wisconsin] are actively undermining election security efforts. Moreover, state and local officials have expressed a desire for Congress to step in."
The report recites the known vulnerabilities of electronic voting systems -- problems that so-called election integrity activists have repeatedly raised for more than a dozen years. They note paperless systems, which are still used in 13 states for about one-fifth of the country's voters, can mistakenly record votes and cannot be audited. The report recommends replacing all of the remaining paperless systems with paper ballot-based machines. It said ink-marked paper ballots are the best way to have a verifiable vote, one that could be audited for accuracy even if those ballots were electronically scanned. It cited one academic estimate that it would cost between $130 million to $400 million to make that transition in all remaining states with paperless systems, and noted that "over $300 million" remains in federal funds from a past law to buy voting machines.
It also said states should institute much more rigorous post-election audits to see if their machinery is properly counting votes. And Congress should empower and fully fund a little-known federal agency, the Election Assistance Commission, to help with developing and implementing the technical standards needed to meet cyber threats.
But mostly, the report said states have to spend more money "to replace outdated technology and hire IT support. It is important to note that cyber threats evolve at a rapid pace, and a one-time lump sum investment is not enough. States also need resources for maintenance and periodic upgrades, and cybersecurity training for poll workers and other election officials."
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).