Skip to main content

Politico: Cash-strapped states brace for Russian hacking fight

September 3, 2017
In the News

This article was published on September 3, 2017. A link to the article can be found here.

By Cory Bennett, Eric Geller, Martin Matishak, and Tim Starks

The U.S. needs hundreds of millions of dollars to protect future elections from hackers — but neither the states nor Congress is rushing to fill the gap.

Instead, a nation still squabbling over the role Russian cyberattacks played in the 2016 presidential campaign is fractured about how to pay for the steps needed to prevent repeats in 2018 and 2020, according to interviews with dozens of state election officials, federal lawmakers, current and former Department of Homeland Security staffers and leading election security experts.

These people agree that digital meddlers threaten the public's confidence in America's democratic process. And nearly everyone believes that the danger calls for collective action — from replacing the voting equipment at tens of thousands of polling places to strengthening state voter databases, training election workers and systematically conducting post-election audits.

But those steps would require major spending, and only a handful of states' legislatures are boosting their election security budgets, according to a POLITICO survey of state election agencies. And leaders in Congress are showing no eagerness to help them out.

"States ought to get their own money up," said Sen. Richard Shelby (R-Ala.), who chairs the Senate Committee on Rules and Administration, which oversees federal elections. "We're borrowing money. We got a big debt limit coming up."

In fact, some in the Capitol are trying to defund the 15-year-old federal agency that helps states and counties administer elections. The National Institute of Standards and Technology, which has three full-time staffers examining elections, would also see budget cuts in the pending congressional spending bills.

"We just don't fund elections," said Lawrence Norden, deputy director of the Democracy Program at New York University Law School's Brennan Center for Justice, who co-wrote a recent report on digitally securing America's elections. "Nobody's really sure who's responsible for this."

States are largely united, though, in wishing for more dollars from Washington. Of the 33 states that responded to POLITICO's survey, 21 — red, blue and purple — called for the federal government to authorize new funds to strengthen election security or replace voting machines. Five said they were open to it if the money came with no strings attached. But some were realistic about the likelihood of Congress opening its wallet anytime soon.

"If we want to enhance people's confidence in our elections, Congress absolutely should secure funding for the modernization and securing of voting systems," said Nicole Lagace, communications director for the Rhode Island Department of State.

"Don't see that in our future, however!" Delaware Election Commissioner Elaine Manlove said by email.

Georgia, North Dakota and Utah opposed the idea. "The last thing we need to do is create more government bureaucracy and throw federal money at a problem when the states can devise a solution," said a statement from Georgia Secretary of State Brian Kemp, who had earlier criticized the Obama administration's offer of help to secure the 2016 election.

States mostly aren't filling the breach, however. Just five state election agencies told POLITICO that they or a related office had received extra money for security — often a few hundred thousand dollars — in their most recent budget, while Washington state expects to receive $5.8 million for election modernization. Most told POLITICO they had either not asked lawmakers or had been rebuffed, with several citing statewide budget shortfalls.

Separately, about one-fifth of states have a funding plan in place to replace aging voting equipment, a primary need for nearly every state.

But elections are about much more than the ballot box. States need money to upgrade the digital voter registration systems that alleged Russian hackers probed and infiltrated in 2016. They need money to provide cybersecurity training to local county officials, who administer elections in many states and are often seen as the weakest link in the digital chain. And they need money to adopt new post-election audit procedures that can detect vote tampering.

Some experts and lawmakers fear that the U.S. will be unprepared for what intelligence officials consider an inevitable return of Russia's digital army.

"I'm concerned that we are almost as vulnerable, perhaps, now as we were six, nine months ago," former Homeland Security Secretary Jeh Johnson said in August on CBS' "Face the Nation."

"There's every likelihood that there will be further attempts to tamper with state election systems," said Sen. Angus King (I-Maine), who is pressing Senate appropriators to provide $160 million to state and local governments to buy auditable election systems. "For us to ignore that risk … would be a huge mistake."

Still, election officials almost uniformly expressed confidence in the integrity of their systems and their preparations for 2018, pointing to myriad steps they have taken.

In Virginia, the Department of Elections created a digital security position and is buying servers and upgrading the software that supports the state's voter registration database. In Nevada, the legislature voted to set up a cyber defense office. In Arizona — one state where hackers infiltrated voter registration databases during the 2016 campaign — officials are updating training for election officers to include cybersecurity education for the first time. In Illinois — another state infiltrated last year — officials took the entire voter registration system offline to review public-facing websites for flaws, taking the opportunity to make security upgrades.

At the federal level, DHS is offering its cybersecurity services to the states — if they want them. So far this year, only two states have formally requested the agency's digital flaw scanning services.

Still, security experts believe that broader fixes are needed, along with the money to pay for them.

But election funding touches on deeply ingrained American norms. The Constitution grants states the power to run elections, creating a clean division that existed until the indecipherable punch-card ballots that plagued the 2000 presidential contest in Florida exposed the nation's widely varying voting procedures and often-outdated equipment.

In 2002, Congress responded by passing the Help America Vote Act, which provided nearly $4 billion to enable states to update their voting equipment. The law also created the federal Election Assistance Commission to work with them.

The commission has now awarded all but $301 million of the appropriated funds, and states have expended most of what they received. Thirteen states have spent their entire allotment, and 28 states have spent over 90 percent. Also, Congress has yet to appropriate $395 million of the total.

Election officials in numerous states say it's unrealistic to expect their legislatures to fill the gap.

The Illinois State Board of Elections has spent the past two-plus years simply "trying to keep the lights on and the doors open," said General Counsel Ken Menzel, amid a recently ended budget standoff between the Democratic legislature and Republican Gov. Bruce Rauner.

In Oklahoma, "most agencies took pretty large cuts" this year, said Bryan Dean, the public information officer for the state election board. Many public schools were forced to shorten the school week to four days.

The main election agencies in four other states — Arizona, Nebraska, New York and Pennsylvania — said they had pressed for additional money, ranging from tens of thousands of dollars to a few million, but were rebuffed.

"There were very few new appropriation requests that were approved," said Nebraska Secretary of State John Gale in a statement.

Pennsylvania officials said another state agency that helps secure election systems may have received a bump in cyber funding, although it wasn't broken out as a line item. And in Michigan, the agency that manages the state's IT networks did get a general cyber funding boost.

In California, after years of being turned away by their legislature, election officials are instead backing a billthat would create a bond to raise funds.

The biggest financial need is replacing voting machines. Flush with Help America Vote Act money in the early 2000s, states purchased new machines, with many opting for electronic touchscreen devices for the first time. But by now, 43 states rely on at least some electronic machines that are more than 10 years old, according to the Brennan Center.

"That kind of gear you usually figure should have a lifespan of eight years, maybe 10," said Menzel, of the Illinois election board. "Most of it's been running 10 years, maybe 12."

Moreover, election security experts say these aging machines are riddled with flaws, and warn that electronic devices that leave no paper trail make it impossible to check the results against a physical vote count. At least four competitive states in the 2016 election still used paperless electronic voting machines.

Eight states have approved a funding plan to purchase new machines, with estimated costs running anywhere from $7 million to $82 million, according to data from the National Conference of State Legislatures. Some states are tapping leftover HAVA funds, while others are sharing the burden with counties.

"States have very different capacities for paying for all this," said Connecticut Secretary of State Denise Merrill, who is also a former president of the National Association of Secretaries of State. "But in the federal budget, it's a blip."

Voting machines aren't necessarily the most pressing cybersecurity concern for state election officials, however. Election and homeland security officials have repeatedly stressed they have no evidence that hackers altered any votes in 2016.

But bountiful evidence exists that hackers probed and infiltrated voter registration systems around the country, for motives that may have included a desire to manipulate or steal voter data. Arizona and Illinois have acknowledged their systems were cracked, and DHS has said the suspected Russian hackers probed these networks in at least 21 states.

Voter rolls present ample opportunity for hackers to undermine elections. For example, attackers could delete specific categories of people from the rolls, causing confusion and delays on Election Day and possibly suppressing the vote of one targeted demographic.

One area where cyber experts believe states could save money and reassure the public is by adopting a type of post-election check known as a "risk-limiting" audit. The method uses software to double check a sample of paper ballots against digital tallies to determine whether results were tabulated correctly.

Colorado recently became the first state to mandate that each county conduct a risk-limiting audit for at least one statewide and one countywide race per cycle. A few others, like Virginia, say they are following close behind.

Overall, 31 states and Washington, D.C., require some kind of post-election audits, the National Conference of State Legislatures says. But many existing audits "may not be rigorous enough to have a high confidence of detecting a cyberattack because they were designed largely prior to computerization," said J. Alex Halderman, a University of Michigan computer scientist.

States need the technical means to implement risk-limiting audits, though, and several election officials told POLITICO they will need to upgrade their systems first.

Even without new federal money to upgrade systems, states can get free help from Washington.

In January, DHS declared the country's election systems to be part of the "critical infrastructure" that undergirds America's economy and national security, a tag that also applies to hospitals and banks. The designation allows states to tap DHS for weekly scans of their systems for vulnerabilities, and even to request in-person inspections.

While only two states have requested a DHS scan of their systems since then, many told POLITICO they welcome DHS help, and 33 accepted some form of assistance during the 2016 election. Still, some states are wary of the agency's overtures.

"There's always going to be a rub between trusting the government and not trusting the government," said Phyllis Schneck, who was a top DHS cyber official until January. She emphasized that the designation "does not add any new regulation and is a way of prioritizing resources."

The Election Assistance Commission should also offer states more help, said Minnesota Sen. Amy Klobuchar, the top Democrat on the Senate committee that oversees elections. She's pushing a bill that would put the commission in charge of creating digital defense standards for elections, then authorize $325 million for grants to help states implement the guidelines. The measure has the broad support of Democrats but little chance of moving.

And the EAC may not even exist by the 2018 election. House Republicans are trying to defund the agency, insisting that it is ineffective and outdated and could easily be consolidated into the Federal Elections Commission, which oversees compliance with campaign finance laws.

"The EAC has nothing to do with hacking," said Rep. Gregg Harper (R-Miss.), chairman of the House committee that oversees elections. "Cybersecurity, that is not, was never, in their message or mission."

Election security experts and many Democrats fear that all this deliberation will be for naught unless security advocates can persuade President Donald Trump to act.

"Any other Republican president might be easier to communicate with," said Rep. Mike Quigley (D-Ill.), a House Intelligence Committee member backing an amendment to restore EAC funding. "This one now believes any discussion about how the election was operated is through the prism of questioning the validity of the election. I desperately want to get past that."

When the president has floated ideas, it has mostly sparked confusion. In July, for example, he cryptically tweeted that he and Russian President Vladimir Putin had "discussed forming an impenetrable Cyber Security unit" to prevent election hacking.

Hours later, Trump seemingly disavowed the idea.

Issues: