The intelligence community fears that Russia’s meddling in US elections did not end in November 2016, and that when the Kremlin tries to intervene again, state and local voting systems will be a prime target. “They will be back,” former FBI Director James Comey warned in June. Many election systems would prove an easy target. Last month, hackers at the annual DEF Con conference demonstrated this vulnerability when they easily breached multiple voting machines. A 16-year-old hacked a machine in 45 minutes.
In response to this threat, the Department of Homeland Security has taken a major step to protect elections by prioritizing the cybersecurity of state and local voting systems. Yet several members of President Donald Trump’s controversial election commission oppose DHS’s move, and two of them have dismissed the threat entirely as a ploy for the federal government to intrude on states’ rights. Their opposition is a signal that the commission, tasked with finding vulnerabilities in the country’s election system, is not likely to take cybersecurity seriously.
On January 6, the same day that the intelligence community released a declassified report alleging Russian meddling in the election, DHS announced that it would make additional cybersecurity assistance available to states that request it. This was done by classifying election infrastructure as “critical infrastructure,” a designation that already brings heightened security measures to critical infrastructure such as dams and the electrical grid. The move means that DHS will provide risk assessments, system scanning, and other cybersecurity services to states that request them. But several election officials and experts who sit on the Presidential Advisory Commission on Election Integrity quickly condemned the designation.
Christy McCormick, a Republican commission member, said in a statement the next day that Russian interference was a hoax used by the federal government to gain access to state-run election systems. “This declassified report was not about the November elections; it was about politics,” said McCormick, who is also a member of the bipartisan Election Assistance Commission, which helps states administer elections. “Connecting the allegations in the report to the election administration process and asserting that it rose to the level of interference in our elections is a gross and incorrect characterization.”
Rather than accept the findings of the intelligence agencies, McCormick turned to John McAfee, the eccentric founder of the McAfee antivirus software company, as an expert on the question of Russian interference. McAfee, who ran unsuccessfully for the Libertarian Party’s presidential nomination in 2016, has spent the last year on a crusade to exonerate Russia from the intelligence community’s assessment that it hacked the Democratic National Committee. McAfee has found an audience in Russian state-run media outlets, conspiratorial radio host Alex Jones, and pro-Trump right-wing blogs such as Gateway Pundit. “McAfee believes that the report is deceptive propaganda perpetrated on the American public, and I agree,” McCormick said.
The following week, Hans von Spakovsky, a commission member who has long warned about illegal voting and led efforts to make it harder to vote, published an approving blog post on McCormick’s objections to the critical infrastructure designation. Von Spakovsky has his own theories about why DHS decided to designate voting systems as critical infrastructure. When DHS first began to consider the designation last summer, following the first reports of breaches of state election systems by the Russians, von Spakovsky posited that the Obama administration was using the threat of hacks in order to gain entry into state and local election systems and help its preferred candidates win.
After the Supreme Court invalidated part of the Voting Rights Act in 2013, the Justice Department lost the ability to send poll watchers to jurisdictions previously subject to federal oversight. “That must be very frustrating to the partisans who inhabit parts of the Justice Department these days and want their staff out there making sure their political friends get elected,” von Spakovsky wrote last August. A critical infrastructure designation, he concluded, would allow federal officials to call the shots in local elections and alter the outcome. He called it the Obama administration’s “election Trojan horse.”
Von Spakovsky also dismissed the possibility that a cyberattack could affect US elections. “There is no credible threat of a successful cyberattack on our voting and ballot-counting process because of the way our current election system is organized,” he wrote.
Though less conspiratorial in their objections, other commission members have opposed the critical infrastructure designation as an unwelcome intrusion into states’ business. In February, the National Association of Secretaries of States, representing the officials who oversee elections in all 50 sates, the District of Columbia, and US territories, passed a resolution condemning the designation. Among those who voted in favor were at least two members of the election commission: Republican Connie Lawson of Indiana and Democrat Matthew Dunlap of Maine. (All the commission’s members were appointed by Trump.)
DHS’s poor handling of the rollout contributed to these initial objections. The agency failed to alert top state election officials before announcing the designation, generating ill will from secretaries of state who wondered if the federal government was trying to meddle in their jobs. DHS fueled this problem by not providing details about what the designation would mean—details that are still being worked out in conjunction with state officials and the Election Assistance Commission. Moreover, DHS kept state officials in the dark about Russia’s attacks on election systems in 2016 because the officials didn’t have proper security clearances. This poor communication contributed to feelings of distrust among some state officials.
Eight months later, however, the relationship between DHS and state officials is on the mend. Federal and state officials have created a Sector Coordinating Council to make decisions about the aid and resources the designation will make available, and how to implement those policies. DHS is working to get security clearances to state election officials so they can be informed about threats.
The extent of Russia’s interference and states’ vulnerabilities is becoming clearer to state officials and the public. In June, DHS officials testified before Congress that the Russians had attacked systems in 21 states, with varying levels of success. NPR reported last week that on Election Day in Durham County, a liberal part of the swing state of North Carolina, electronic systems erroneously marked some voters as having already cast a ballot. The county quickly switched to paper lists of registered voters, creating chaos and long lines. It’s possible that human error caused the problem, but the third-party vendor that supplied the electronic lists, VR Systems, was targeted by the Russians last year.
Still, many state officials remain hostile to the idea of federal help in state election administration—including those on the president’s election committee. Dunlap, the Democratic secretary of state of Maine, continues to object to the designation, saying it could lead the federal government to tell states how to run their elections. He also has cast doubt on the threat of a cyberattack on the nation’s voting systems. “While the issue of hacking has become a real concern for many aspects of our daily lives, voting is not one of them,” Dunlap said in a statement. “There is no nationwide voting system that is accessible via the Internet or a network; thus, any attempt to alter the vote would require a massive conspiracy of thousands of poll workers from both parties that is simply not feasible.” It’s true that the country’s decentralized election system protects if from a single nationwide attack, but attacks targeting swing states or districts could change the outcome of an election.
A spokesperson for Lawson, the Republican secretary of state of Indiana, confirmed that she continues to oppose the designation. McCormick and von Spakovsky did not respond to questions about whether the new evidence of Russian meddling had changed their views. The office of Kansas Secretary of State Kris Kobach, the vice chairman of Trump’s election commission, did not respond to questions about his views on the designation.
Rather than focus on security, many members of the commission believe voting fraud is the greatest threat to election integrity. Multiple members, including Kobach and von Spakovsky, have pushed for laws that make it harder to register to vote and cast a ballot. At the commission’s first meeting in July, most members were more focused on preventing individual acts of fraud than on upgrading and securing election systems and machines. However, the group did decide to take up the issue of cybersecurity as one of several topics to include in its final report.
The critical infrastructure designation has prominent supporters in state and federal government. John Kelly, who served as homeland security secretary until becoming White House chief of staff last month, encouraged states to ask DHS for help. “I think they’re nuts if they don’t, because in the world we live in cyber-wise, any second, third, fourth objective look at what you’re doing would make sense,” Kelly said at the Aspen Security Forum, an annual gathering of national security and intelligence experts, in July. He also stressed that the designation is not a takeover. “If they don’t want the help, they don’t have to ask,” he said.
Some state election officials are happy to receive the help. “When you’re talking about states or locals going up against nation-states in terms of cybersecurity, we really need whatever additional help the federal government can provide,” says Edgardo Cortés, the commissioner of the Virginia Department of Elections. “I think it will be a collaborative effort to keep our elections safe.”
Cortés thinks it’s impossible for the designation to prompt a federal takeover of state-run elections, because the Constitution gives the states wide latitude to run elections. “I think that concern is really overblown,” he says. “I don’t think anything that they have offered, things like assistance in scanning your systems, assistance in coming in and helping you do threat assessments and things—I mean, none of that strikes me as things where there’s an attempted takeover of the process.”
Despite the change in administration, Cortés says that DHS officials have made clear the designation is here to stay. But it’s also unknown who will ultimately replace Kelly at DHS. That person may make another call on whether election infrastructure gets prioritized in the face of the continuing threat of Russian hacking.