With just over 100 days left until the 2018 midterm elections, the federal government is scrambling to shore up the country’s election infrastructure to defend against foreign cyberattacks.

But it may be too late.

The American intelligence community concluded in January of 2017 that the Russian government orchestrated a sophisticated, multipronged cyber campaign to disrupt the 2016 presidential election. Eighteen months later, the United States’ election systems are still remarkably vulnerable.

State governments have failed to fully take advantage of federal resources, including the $380 million Congress gave to the states this year, and President Donald Trump has repeatedly equivocated on the significance of the threat, which has left the Republican Party apprehensive about being aggressive on election cybersecurity.

Robert Mueller's recent indictment of 12 Russians for interfering in the last presidential election and Trump’s deferential remarks toward Russian President Vladimir Putin at last week's Helsinki summit have the federal government scrambling into action and sounding the alarm.

"Today, the digital infrastructure that serves this country is literally under attack," Dan Coats, Trump’s director of National Intelligence, said last Friday, citing Russia, China, North Korea, and Iran. "It was in the months prior to September 2001 when, according to then-CIA Director George Tenet, the system was blinking red. And here we are nearly two decades later, and I'm here to say, the warning lights are blinking red again."

The Justice Department announced Thursday that it would be taking a more public-facing approach to foreign meddling in order to notify people when foreign governments were targeting them with political propaganda. It coupled that announcement with a 156-page report detailing all the ways foreign actors can try to disrupt American elections, including spreading propaganda online and hacking into election systems like state voter files, voting machines, and candidates' campaigns (see: John Podesta).

“Operations aimed at removing otherwise eligible voters from the rolls or attempting to manipulate the results of an election (or even simply spreading disinformation suggesting that such manipulation has occurred) could undermine the integrity and legitimacy of our free and fair elections,” the report warned.

Even Congress seems to be at least thinking about doing something. The House of Representatives’ Oversight Committee announced a hearing next week, dubbed “Cyber-securing the Vote: Ensuring the Integrity of the U.S. Election System.”

Secure Elections Act

Republican Sens. Mike Rounds of South Dakota and Jerry Moran of Kansas also threw their support behind the bipartisan Secure Elections Act, which had been languishing since Democratic Sen. Amy Klobuchar of Minnesota and Republican Sen. James Lankford of Oklahoma introduced it last fall. Republican Sen. Lindsey Graham of South Carolina, who's also a co-sponsor of that bill, tweeted that “[a]ll relevant agencies should provide us their suggestions and recommendations about how to harden our 2018 election systems against foreign interference, and Congress should act quickly as time is running out regarding the 2018 elections.”

While these efforts may raise public awareness about potential meddling, time's running short to build up the necessary defenses against intricate cyberattacks before this fall's election. Even if the federal government were to appropriate hundreds of millions more, as many Democrats in Congress called for this week, states would likely not be able to spend significant amounts before Election Day.

Congress already appropriated $380 million in state grants for election security this year and almost all of it has already been given out. But state election bureaucracies, and the labyrinth of county and municipal bureaucracies below them, have been slow in using that money to fix the biggest vulnerabilities: voter databases and voting machines.

A Politico review of all 50 states found that “at least 22 do not have plans to replace their machines before the election — including all five states that rely solely on paperless electronic voting devices.” Such machines do not leave a paper trail on Election Day, meaning it's difficult to track any alteration of vote totals.

The Department of Homeland Security has also offered to conduct a risk assessment of individual states' election systems, but so far only 18 states have asked for one.

Election Systems and Software, one of the biggest players in voting machines and election management systems in the country, admitted earlier this year that it installed remote-access software — which is susceptible to hacking — onto its election management systems for years, as reported by Motherboard last week.

More money, fast

Still, some Democrats are arguing that more money is needed now to prepare for elections beyond 2018 as well. “We can be sure that [Russians] intend to interfere in the 2018 midterms and the presidential election in 2020,” Rep. Mike Quigley of Illinois said this week on the House floor as he argued for millions more toward election security in the next fiscal year (House Republicans have been trying to kill that funding but it could be restored in the Senate). “The Russians attacked our Democratic process. They will be back, and we are not ready. The president is unwilling to meet this challenge. But we must be willing to meet this challenge,” Quigley said.

The problem goes well beyond state infrastructure. Many campaigns have also been slow to adopt robust cybersecurity despite the frenzy that ensued in 2016 from the release of emails from the DNC and Clinton campaign chairman John Podesta.

“Many campaigns have stepped up their game. Many haven’t done nearly enough,” Clinton campaign manager Robby Mook, who launched a bipartisan project at Harvard’s Belfer Center in 2017 to assist campaigns in cybersecurity, told VICE News. “But last week’s indictment was proof that the federal government needs to assist campaigns more directly.”

The government may finally be willing, but the clock is ticking.