2018 election-hacking

The latest 2018 election-hacking threat: 9-month wait for government help

Some states might not get an intensive DHS review until weeks before the midterm elections.

By TIM STARKS

States rushing to guard their 2018 elections against hackers may be on a waiting list for up to nine months for the Department of Homeland Security’s most exhaustive security screening, according to government officials familiar with the situation.

That means some states might not get the service until weeks before the November midterms and may remain unaware of flaws that could allow homegrown cyber vandals or foreign intelligence agencies to target voter registration databases and election offices’ computer networks, the officials said. Russian hackers targeted election systems in at least 21 states in 2016, according to DHS.

The scanning, known as a “risk and vulnerability assessment,” is the crème de la crème of security exams: DHS personnel come in person to do an intensive, multiweek probing of the entire system required to run an election. But department officials acknowledge that it’s of limited use if it doesn’t come soon enough for states to correct their flaws before voters go to the polls.

The nine-month wait is “not a good metric” for states hoping to boost their security, admitted Christopher Krebs, one of the DHS officials leading election security efforts. ”We are working to prioritize.”

Few fault the DHS itself for the holdup, but the delay is yet another dramatic example of how the government is struggling to safeguard the upcoming election season as the clock ticks toward Election Day.

Security experts, voting integrity groups and many lawmakers have expressed dismay at the lack of action on Capitol Hill and across the Trump administration to help states protect their election infrastructure. It’s especially critical after Russian hackers raised awareness during the 2016 elections of the creaky computer networks that house voter rolls, the country’s aging voting machines and the often overburdened election officials tasked with protecting the vote.

Congress has yet to pass any bill that specifically addresses election security, and Attorney General Jeff Sessions caused consternation when he admitted in a hearing that “we’re not” doing enough to block hackers from meddling in the 2018 elections. “The matter is so complex that, for most of us, we’re not able to fully grasp the technical dangers that are out there,” he said.

DHS has stepped into this void. In the final weeks of the Obama administration, the agency classified the country’s election systems as “critical infrastructure,” putting them on par with hospitals and power plants, which receive priority status for the department’s cybersecurity assistance.

Since then, DHS officials have been navigating choppy waters — persuading states to work with them despite their suspicions about federal overreach, waiting for President Donald Trump to appoint new cybersecurity leaders and shifting money and personnel.

The agency offers states a menu of election security services, ranging from sharing basic information on the latest hacker activity to weekly remote scans of election networks to the soup-to-nuts “risk and vulnerability assessment.”

Marian Schneider got one of the full-scale, in-person assessments last year as deputy secretary for elections and administration at Pennsylvania’s Department of State. It was the only state to do so before the 2016 elections.

“It is actually pretty extensive,” said Schneider, now head of Verified Voting, an election-integrity advocacy group. The state had to fill out a questionnaire. It had to sign a legal agreement that required lawyers some time to process. DHS sent four experts to do the probing.

DHS says the probes take two to three weeks.

“It’s resource-intensive,” Schneider said. “The reason there’s a waitlist is because a lot of states want it done because they do it at no cost. To have that backlog is a problem, but it’s a good thing states are wanting the service."

“The fact they might have to wait until third quarter of 2018 — it’s not great, but they should get on the waitlist,” she added.

Among the states POLITICO contacted, officials in Vermont, Connecticut, Colorado and New York said DHS told them to expect that any multi-week, in-person assessment would take time to get started — some officials said the estimates ranged from six to eight weeks to nine months. That means that even with the low-end estimate, states would not be finished with the assessment until shortly before primary season begins in March.

A DHS official told POLITICO that state by state, “the time frame varies, but we can shift around to address priorities.” The official didn’t have figures on how many states have requested or received the assessments.

Some of the wait depends on the states themselves, said Krebs, who is functioning as head of DHS’ main cyber wing, the National Protection and Programs Directorate.

“What we’ve seen more than anything is that when we have availabilities, the nimbleness of a state to say, ‘Yes, we can take that, we’re ready,’” he said. “We had a state a couple weeks ago that was able to do a snap [risk and vulnerability assessment] because we had a cancellation. We turn around to the top of our list, say to this state, ‘Are you ready to go?’ And they said, ‘Yup, we can do it.’”

Krebs said DHS is also moving personnel to accommodate demand.

“What we’re looking at doing is consolidating some of our teams and bringing people into the orbit” of the teams that conduct the assessments, he said. “With more people, I can do more. We are bringing resources in and reprioritizing across internally from a personnel perspective to ensure we've got more capabilities.”

Gregory Touhill, a former top DHS official and the federal government’s chief information security officer until January 2017, applauded Krebs’ efforts, but added that “I wouldn’t be satisfied because we’ve got an election that's in less than a year.”

Touhill, now president of digital security firm Cyxtera’s federal group, suggested DHS could also explore amplifying its election security teams with military cyber personnel or contractors.

Similarly, Congress could approve funding for extra personnel, said Schneider, the former Pennsylvania election official. But the agency might have already hurt its chances of making such an appeal to Capitol Hill. At a March hearing, then-DHS Secretary John Kelly said he didn’t need any additional money to carry out the agency’s duties under the “critical infrastructure” decision, which include the risk and vulnerability assessments.

The stance puzzled some lawmakers.

“Given the secretary’s position, I am concerned about reports of nine-month wait times for states and localities to receive some of the more in-depth cyber services DHS provides,” Missouri Sen. Claire McCaskill, the Senate Homeland Security Committee’s top Democrat, wrote in an October letter.

In the meantime, DHS has delivered on an array of election security services that are more easily implemented. For instance, 31 states receive regular DHS “cyber hygiene” scans that probe election systems remotely and report vulnerabilities to those states.

A DHS official told POLITICO those scans take just a week or two to schedule.

Touhill stumped for the service: “The ongoing cyber hygiene scans with affected parties are really producing really good results and heightening awareness.”

States can also tap other valuable DHS digital defense tools.

The agency offers a cyber resilience review that focuses on helping election officials conduct their own self-assessments. It takes approximately two weeks to schedule and one day to finish, the DHS official said.

And upon request, the agency will also conduct a cyber infrastructure survey — an expert-led assessment accomplished through an informal interview. The survey takes approximately two weeks to schedule, according to the official.

So while the risk and vulnerability assessment is impressive and helpful, Schneider said, “It’s just one tool in the toolbox.”