With primaries underway and less than four months to go until this year's midterm elections, early signs of attack have already arrived—just as the US intelligence community warned. And yet Congress has still not done everything in its power to defend against them.

At the Aspen Security Forum on Thursday, Microsoft executive Tom Burt said that phishing attacks—reminiscent of those carried out in 2016 against Hillary Clinton's campaign—have targeted three midterm campaigns this year. Burt stopped short of attributing those efforts to Russia, but the disclosure is the first concrete evidence this year that candidates are being actively targeted online. They seem unlikely to be the last.

“The 2018 midterms remain a potential target for Russian actors," said Matt Masterson, a senior cybersecurity adviser to DHS, at a Senate hearing last week. "The risks to elections are real."

Meanwhile, a trend of destabilizing denial-of-service attacks against election-related systems has also emerged, including one that caused a results-reporting website to crash during a municipal primary in Knox County, Tennessee, in May, along with two reported DDoS assaults on unnamed Democratic campaigns. DDoS attacks have become common enough that both Alphabet's Project Shield and Cloudflare's Athenian Project have been offering free DDoS protection to election-related groups, like political campaigns, state and local governments, and boards of elections.

"This is now a national security issue, and Congress actually does have a responsibility in that arena." Lawrence Norden, NYU Brennan Center

Homeland Security assistant secretary Jeanette Manfra noted this week that DHS has so far not seen the volume of phishing activity and election infrastructure probing it recorded at this time in 2016. But that could simply mean that attackers have already done their reconnaissance, or have moved on to more refined techniques. And in addition to evolving threats, reports continue to surface new, critical vulnerabilities in areas like voting machines—several of which have inadvisable remote-access software installed—and voter data handling.

Top officials have made it clear that they are bracing for attacks. "The warning lights are blinking red again," said director of national intelligence Dan Coats last week during a talk at the Hudson Institute think tank. "Today, the digital infrastructure that serves this country is literally under attack." On Thursday, deputy attorney general Rod Rosenstein echoed this conclusion. "These actions are persistent, they are pervasive, and they are meant to undermine America’s democracy," Rosenstein said.

Slow Progress

Despite these active, ongoing concerns, the Trump administration's mixed messages about the extent of the Russian threat have hampered momentum on defense. President Trump indicated on Monday that he still doubts that Russia attempted to disrupt US democracy in 2016, and on Wednesday he appeared to dismiss the current threat from Russia as well. He later walked back some of those statements, and the White House released a compendium of its work on election defense, stating, "President Donald J. Trump and his Administration are defending the integrity of our election system."

The National Association of Secretaries of State said in a pointed response on Tuesday, "Secretaries of State ... across the nation are working hard each day to safeguard the elections process ... We ask, however, the White House and others help us rebuild voter confidence in our election systems by promoting these efforts and providing clear, accurate assessments moving forward."

And state election officials have worked for months to improve election infrastructure defenses at both the state and local levels, prioritizing cybersecurity more than in past years. But that step has been hard won, given that researchers have warned about the dangers of insecure voting machines and other infrastructure components for more than a decade. And much of the recent progress—including basic improvements to cybersecurity hygiene on voter databases and election infrastructure networks—is just a first step. Larger projects, like replacing old, insecure voting machines and those that don't produce a paper backup, or implementing robust audits to confirm electoral results, are still either nascent or nonexistent in most states.