Election security: Most state election officials lack clearance to learn of cyber threats

Erin Kelly | USA TODAY

WASHINGTON — Only 21 of the nation's 150 top state election officials have the federal security clearance they need to be informed of threats to their voting systems as they scramble to stop Russian hackers from interfering in this year's elections, homeland security officials told a Senate panel Wednesday.

And only 19 states and local governments have completed — or are undergoing — risk assessments offered by the Department of Homeland Security to identify election system vulnerabilities that could be exploited by hostile foreign governments, Homeland Security Secretary Kirstjen Nielsen told the Senate Intelligence Committee.

Primary elections for congressional and gubernatorial elections began this month.

"I hear no sense of urgency to really get on top of this issue," said Sen. Susan Collins, R-Maine.

Nielsen said the Department of Homeland Security is sponsoring a maximum of three election officials per state to obtain security clearances so that they can be told about cyber threats. She said those clearances are caught up in the backlog of more than 700,000 people who are awaiting approval by the Office of Personnel Management.

However, Nielsen said homeland security officials are going ahead and telling state election officials about any imminent threats.

"If we have something to share, we will share it that day, with or without a clearance," she said. "If we have information to share on a real threat, we will do so."

The department is offering "cyber hygiene" scans of state voting systems, but so far only 14 states and five local governments are participating in the voluntary program, Nielsen said.

Sen. Angus King, I-Maine, suggested that the Department of Homeland Security hire "a red team" of hackers to try to break into state election systems to show them how vulnerable they really are.

"We encourage states to take us up on our risk assessments but, yes, we need to help them understand where they're vulnerable," Nielsen said.

Homeland security officials revealed last year that Russian hackers tried to breach election systems in 21 states in 2016. Although no actual votes were changed, hackers broke into Illinois' voter registration database.

Sen. Dianne Feinstein, D-Calif., said the Department of Homeland Security should tell the public which states were affected. So far, the federal government has not released the list, although some individual states have revealed that they were targets.

Feinstein said the public has a right to know if their states are not doing enough to protect their votes.

"America's the victim," the senator said. "And if there are states that have been attacked, America has to know what's wrong."

Nielsen said it's a delicate balancing act, because states may decide not to report cyber attacks to the federal government if they believe those attacks will be publicly exposed.

"We've got to find a way to encourage reporting," she said.

In response to a question from Sen. Ron Wyden, D-Ore., Nielsen said she thinks that states that don't provide paper ballots or a paper trail of votes that can be audited are "a national security concern." Fourteen states still use paperless voting machines.

Nielsen, echoing previous testimony from top U.S. intelligence officials, said the 2018 elections are "clearly potential targets for Russian hacking attempts."

Vice Chairman Mark Warner, D-Va., said the Trump administration needs to "accelerate its efforts" on election security.

"Perhaps most of all, we need a president who will acknowledge the gravity of this threat, and lead a 'whole of society' effort to harden our defenses and inoculate our society against Russia’s malicious interference," Warner said in his opening statement.

He criticized President Trump for calling Russian President Vladimir Putin on Tuesday to congratulate him on his election victory without raising the issue of Russian meddling in the 2016 American presidential election.

"The fact that the President did not even bring up the topic of our election security when he called Vladimir Putin to congratulate him on his 'victory' in a pre-cooked election, is extremely troubling," Warner said.

"The fact is, this is not a Democratic or a Republican issue, but one that threatens all of us. We’re going to need both parties to stand side by side to push back against Russia."

Wednesday's hearing came a day after the committee issued election security recommendations and urged Congress to pass urgent funding to help states improve their voting systems' cybersecurity.

Chairman Richard Burr, R-N.C., said Wednesday that he expects Congress to approve new funding for the states in a sweeping government spending bill that Congress is scrambling to pass by midnight Friday. The bill will reportedly provide $380 million in grants to states for new technology to guard against cyberattacks, as well as millions of dollars in additional funding for the FBI to combat possible Russian meddling in the 2018 elections.

"This issue is urgent," Burr said. "If we solve this problem tomorrow, it still might be too late for 2018 and 2020."