For all the uncertainty surrounding the Trump campaign's associations with Russia, one thing remains clear: A foreign power interfered in the US presidential race, with hackers targeting the election systems of 21 states to do so. And yet the government has done precious little to keep it from happening again. The inaction stems not from laziness or ignorance but a deep, possibly unbridgeable divide between state and federal powers.
So far this year, a handful of special elections in the US have gone smoothly, but the threat from Russia still looms, especially as the 2018 midterm races approach. France recently saw Kremlin-led meddling in its own presidential contest, and Germany has expressed fears over its upcoming election as well. Alarmism may not be productive, but states do have reason to worry.
Local officials, though, have bristled at the Department of Homeland Security's move to designate election systems as "critical infrastructure," a move designed to unlock resources for system defense upgrades and improve state–federal communication. Everyone agrees that security matters; how to get there is another matter entirely.
The secretaries of state for each state (who, in most cases, act as the top election officials) argue that the move effectively federalizes elections, and imposes uniformity in a way that threatens the diversity and independence that makes the current US election system robust. It hasn't helped matters that DHS continues to keep them in the dark about information relevant to potential threats—including which 21 states Russia breached.
"How many elections have they run? That would be zero," says Maine Secretary of State Matt Dunlap about DHS. "The critical infrastructure designation gives me pause because it gives them significant control over how the states run their elections. While they say, 'We have no intention of taking this over,' the history of the relationship between the federal agencies and state governments is that they know better and they’re going to tell us what to do."
DHS claims that the designation simply makes security expertise and funding available, while also improving communication and threat information-sharing between federal and state groups. "The establishment of a subsector does not create federal regulatory authority," DHS cyberdivision special advisor Samuel Liles said in testimony before the Senate Select Committee on Intelligence, in June. "Elections continue to be governed by state and local officials, but with additional prioritized effort by the federal government to provide voluntary security assistance."
The National Association of Secretaries of State, which has vocally opposed the critical infrastructure designation from the start, remains skeptical. Many NASS members contend that DHS has already left states out of the loop about last year's election-meddling, despite the agency's promises of information-sharing. NASS spokesperson Kay Stimson also notes that despite repeated requests in the past seven months, secretaries still have no way to obtain security clearances so that they can directly discuss classified election system threats with federal officials. The Department of Homeland Security did not return a request from WIRED for comment.
Experts say that spats between NASS and DHS groups have created problematic delays in efforts to secure electoral systems. "Nobody is feeling this urgency enough," says Lawrence Norden, who coauthored the a recent report, "Securing Elections From Foreign Interference," from New York University School of Law's Brennan Center. "There’s a collective action problem. In 2000 everyone looked at Florida and said, 'What a massive disaster these systems are. We need to replace them.' So even though you had the breaches this time, nobody can point to one terrible thing that happened to voters on Election Day, and I think that’s a big difference."
Election officials, like it or not, have made at least some progress in working with DHS to develop the bones of the critical infrastructure setup. And they agree that aid from the federal government has the potential to reinforce strong defenses in states that already have them in place, while crucially helping to raise the bar in states that lag behind. And many secretaries of state acknowledged, at a recent NASS conference, that their aging voting systems need to be replaced.
The designation has found more robust support from the bureaucrats who comprise the National Association of State Election Directors, who generally have prior election experience, and report to the elected secretary of state. Election directors coordinate the technical and logistical on-the-ground operations of elections in each county. "One of the reasons that NASED is more accepting of the DHS designation and thinks it will ultimately be good for us is that not every state has on-site quality personnel that really understand the IT needs," says NASED president and Colorado election director Judd Choate. "Colorado has 75-plus people who are available to work on elections and elections-related IT any day, any night, whenever we need. Some states have more like two to three employees that do elections and they have to get IT help out of office. So I love the idea that we can get people who can help to advise and assist states that need that assistance."
Given that participation in DHS programs remains voluntary, opposition to the critical infrastructure designation could keep states that need funding for system overhauls—like Georgia—from reaping the full benefit. "We’ll see how open those states are to accepting it as we go forward," Choate says. Across the board, officials and analysts agree that lack of DHS communication and focus on state input at the beginning of the critical infrastructure process put officials on the defensive and led them to fear a counterproductive federal takeover of something that has always been a state process.
As work on the designation progresses, some officials have become more hopeful about the state/federal collaboration. But state's rights issues are complicated. Take the recent example of the White House election integrity commission's controversial voter data collection plan, initiated last month. A number of secretaries of state are on that commission—including Maine's Dunlap, Kansas Secretary Kris Kobach, and NASS president Connie Lawson, of Indiana—and though they supported the initiative as committee members, they resisted it as representatives of their respective states, only offering information that they could legally provide under their states' laws.
Dunlap says he didn’t oppose the commission’s plan to request voter data, but he advocated for clear language about the requirements. “What we said is that they should ask for it not demand it, and they should only ask for information that’s publicly available. The problem came in from the interpretation of the request letter, which was drafted by the White House and sent out.” That's indicative of the general approach the states have to electoral issues; federal help has value in some contexts, so long as it's optional.
DHS claims that state participation in election security programs is voluntary, but NASS opposes it just the same on the basis of overreach. "I am part of the bipartisan majority of secretaries of state who support a push to rescind the measure, which clashes with some of the most basic principles of our democracy and already seems likely to cause more problems than it actually solves," NASS's Lawson said in Congressional testimony three weeks ago.
The Brennan Center's Norden notes, however, that in his research security experts and election officials overwhelmingly agree about the most effective approaches to strengthening elections systems—measures like replacing aging and insecure voting machines, ensuring that every county has a system for creating paper vote backups, and hiring network security personnel in each state. And given that election security has now become a pressing national security issue, he argues that the costs of these upgrades (one-time costs in the tens of millions of dollars, and yearly maintenance in the millions or less) are minuscule compared to other types of national security spending.
"There has been a gradual move to greater security around election systems, which we shouldn’t discount," Norden says. "But the threats are moving so much more quickly and I think that hasn’t really sunk in for a lot of people."
The longer officials debate the merits of the critical infrastructure designation, of course, the less time there will be to actually roll out protections. With crucial elections coming next year, there isn't much more of it to waste.
