Homeland Security Jeh Johnson urges more states to take up the department's offer.
Less than 20 percent of states have asked the Homeland Security Department for help assessing the security of machines at the polls and for scans of online voter registration databases ahead of the presidential election, a DHS official says.
DHS, the federal agency tasked with protecting U.S. networks, on Friday issued a statement reflecting a respect for the independence and reliability of state election systems but also a word of caution about the magnitude of the cyber threats menacing the 2016 race.
In the message, Homeland Security Secretary Jeh Johnson urged more states to take advantage of security protections the department makes available to outside organizations.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
As of Wednesday, "we have received requests and are currently working with nine states on scans and assessment services," DHS spokesman Scott McConnell told Nextgov. He did not disclose the names of the states.
Election officials can take advantage of a variety of DHS services, including exchanges of information about cyber incidents and on-site assessments conducted by DHS experts of network configurations and digital voting machines, McConnell explained.
The on-site risk and vulnerability assessments can take up to three weeks, Johnson said. Security researchers, for more than half a decade, have shown it doesn't require the internet or a nation-state cyber gang to manipulate the nation's outdated ballot devices.
Another option Johnson said DHS provides is “cyber hygiene scans” that run remotely on voter registration databases—like the internet systems in Arizona and Illinois allegedly compromised by Russian hackers, online election night reporting tools, and other internet-connected election management systems.
"It is important to emphasize what DHS assistance does not entail," he said. "DHS assistance is strictly voluntary and does not entail regulation, binding directives, and is not offered to supersede state and local control over the process. The DHS role is limited to support only."
Acknowledging localities have checks and balances built into electoral systems, Johnson said DHS has confidence in the overall integrity of state voting operations for the Hillary Clinton and Donald Trump contest.
But "we must be vigilant" in a country targeted by "a range of increasingly capable actors," including nation states, hacker activists and crooks, he said. "A number of states have reached out to us with questions or for assistance. We strongly encourage more state and local election officials to do so," he said.
On Thursday, the DHS cyber incident response team issued a security tipsheet for online voter registration databases.
One technique bad guys use to meddle with voter registration websites, called a SQL injection, enters commands into those online forms on a webpage that can allow the hackers entry into back-end databases, according to the U.S. Computer Emergency Readiness Team. Other assaults, like a denial-of-service attack, try to freeze voter registration websites by generating a barrage of bogus user traffic. Misconfigured servers and fraudulent emails also can let intruders grab voter information or disrupt voting operations, US-CERT said.
The DHS security tips discourage paying hackers who use "ransomware" that locks voter files until the attackers receive a bounty. Wiring the ransom "does not guarantee access will be restored to a compromised [voter registration database],” according to Homeland Security.
Amid fears of a hacked election, what really scares some state officials is that such fears will undermine trust in the democratic process.
At a Sept. 8 meeting of the federal Election Assistance Commission, West Virginia Secretary of State Natalie Tennant said her biggest concern about the November event is "that questioning and that lack of confidence that people might start perceiving."
Louisiana Secretary of State Tom Schedler told the commission the election security rhetoric in the media and in Congress should be ratcheted down.
"The last we thing we need is the creation of a new post office department or a new TSA in the area of elections in this country," he said, referring to the formation of the Transportation Security Administration under DHS. "Leave it in the states. That's what the Constitution says. Leave it there. We know what we're doing. We need your assistance. We want it. But let's everybody stay in their lanes."