Hack-proof

The time to hack-proof the 2018 election is expiring — and Congress is way behind

'Not a lot of time, no question,' one senator says.

By MARTIN MATISHAK

Lawmakers are scrambling to push something — anything — through Congress that would help secure the nation’s voting systems ahead of the 2018 elections.

But it might already be too late for some critical targets. By this point during the 2016 election cycle, Russian hackers had already been in the Democratic National Committee’s networks for at least three months.

Members of both parties insist they can get something done before Election Day 2018, but concede that the window is rapidly closing. Voters in Texas and Illinois will take to the polls in the country’s first primaries in just over three months — a narrow timeline for implementing software patches, let alone finding the funds to overhaul creaky IT systems, swap out aging voting machines or implement state-of-the-art digital audits.

“Not a lot of time, no question,” Senate Intelligence Chairman Richard Burr (R-N.C.), who is leading an investigation of Russia’s election-year meddling, told POLITICO.

It’s not for a lack of ideas. Lawmakers on both sides of the aisle have proposed a raft of legislative solutions aimed at inoculating future U.S. elections from foreign meddling. But the efforts have been stalled amid partisan fighting, ideological disagreements over who should fund election security and — perhaps most prominently — a packed congressional calendar that has prioritized repealing Obamacare and pushing through a tax overhaul.

“I don’t think anything can come that fast, unless you are a tax bill or something like that,” said Mississippi's Bennie Thompson, who co-chairs a House Democratic election task force formed to explore bolstering the country’s decentralized election infrastructure ahead of the 2018 midterms.

Thompson’s group is planning to issue its own legislation next month and Thompson, the ranking member on the House Homeland Security Committee, insisted it would go through “regular order,” with extensive hearings, debate and amendments — a process that could take weeks or months.

“There’s no question from the standpoint of what we need to do, we’re behind,” he said. “And by being behind, we’re at risk for any future federal election.”

Cybersecurity experts have long warned that America’s election system is a sitting duck for hackers looking to cause chaos. Voter rolls have regularly been been stored on inadequately protected systems, and the country has for years relied on outdated electronic voting machines. At the state and local level, governments can lack the funds to hire elite cyber professionals or properly train staff.

And campaigns themselves are often harried and slapdash, with little thought given to digital security.

The 2016 election vaulted these realities into the public spotlight. The U.S. government accused Russian President Vladimir Putin of deploying his hackers in an orchestrated scheme to infiltrate political parties, campaigns and state election networks. The effort was wildly successful, pilfering and selectively leaking internal files from the Democratic Party and Hillary Clinton’s campaign, spurring intra-party bickering and generating weeks of splashy headlines based on the exposed personal emails.

And U.S. intelligence leaders have warned that Moscow will be back, leveraging the lessons of 2016 to try and destabilize future elections. Already, officials and researchers have accused the Kremlin of using similar tactics in subsequent elections around Europe.

Yet Capitol Hill has not passed any legislation that specifically addresses the issue.

Sens. Amy Klobuchar (D-Minn.) and Lindsey Graham (R-S.C.) pushed a bipartisan proposal that would allow states to apply for federal grants to update election technology after proving they had adopted certain federal cybersecurity standards. But the legislation hasn’t received a floor vote. And a companion House bill is stuck in limbo.

Sens. Martin Heinrich (D-N.M.) and Susan Collins (R-Maine) are another across-the-aisle duo offering their own bill that would speed through security clearances for top election officials, giving them access to classified information on hacking threats. The measure hasn’t gotten off the ground. And independent Maine Sen. Angus King pressed Senate appropriators — to no avail — for $160 million to help state and local governments purchase auditable voting machines. A slate of other mostly-Democratic proposals have similarly gone nowhere.

“I’m concerned that there’s not enough urgency broadly to move legislation forward,” Heinrich told POLITICO. “But we’re going to keep pushing, because I think these problems are not going away.”

Perhaps the most high-profile policy recommendations will arrive sometime early next year when Burr’s Senate Intelligence Committee releases the findings of its monthslong examination of Russia’s digital meddling efforts. Burr and panel ranking member Sen. Mark Warner (D-Va.) have vowed their final report will include suggestions for how to ensure the Kremlin can’t repeat its 2016 success in future elections.

But it’s unclear if lawmakers will swiftly act on the committee’s advice — or if it would even help at that point.

“It’s high-time we got started, and it will be too late soon if there isn’t action,” said J. Alex Halderman, a University of Michigan computer scientist and a leading expert on digitally securing elections.

Halderman said it’s probably already too late for the midterms to make many hardware upgrades to voting equipment — such as replacing paperless, touch-screen machines with ones that produce a paper trail — and that there’s only a window of about six to nine months to make the switch in time for 2020, due to the winding procurement process involved.

Earlier this year, Virginia was able to swiftly ditch any remaining paperless touchscreen voting machines just a few months before Election Day in the state’s closely watched gubernatorial race.

But Halderman noted that, “in terms of a coordinating, national effort to really address the cybersecurity threats to elections head-on, we don’t yet have that strategy in place and we need to get it going urgently — within the next very small number of months — if it’s going to help 2018 in a significant way.”

Congress is a “critical missing piece” in terms of leadership and allocating resources, said Lawrence Norden, the deputy director of the Democracy Program at the Brennan Center for Justice at the New York University School of Law, who has worked on multiple reports detailing ideas to keep digital meddlers out of elections.

Currently, Norden noted, state and local officials are left to make piecemeal ties with the Department of Homeland Security — which has worked to boost the election security tools it offers states — and the Election Assistance Commission, a federal agency that helps administer elections but operates on a limited budget.

Even if a consensus bill emerged on Capitol Hill, however, Thompson expressed reservations that GOP leadership would let it get a floor vote.

“There’s no guarantee that it would ever see the light of day,” he said.

But several prominent Republicans, including Burr and Senate Majority Whip John Cornyn told POLITICO they might support some type of congressional or federal action, even if it isn’t as extensive as Thompson would prefer.

“We’re already late,” Cornyn said. “But it might not hurt to provide some best practices or some guidelines so that those states that aren’t as well prepared can deal with it, because it’s going to be ongoing.”

Such sentiment has given even the typically pessimistic cybersecurity crowd some restrained hope that something may be accomplished.

“I don’t want to sound too pollyannaish or optimistic but I haven’t given up on the fact something significant could happen from this Congress in time to have an impact on 2018 and certainly 2020,” Norden said.

But, he added, “the longer they wait, if something does happen … then I think that they will be blamed. No question.”