The bottom line is future elections are in danger of Russian meddling and we haven’t done enough to secure them.
The Senate Intelligence Committee held rare a two-panel hearing on election security Wednesday, a day after releasing its big-picture takeaways from the committee’s months-long investigation into Russian meddling in the 2016 election.
Here are five big takeaways:
1. Just because there’s no evidence votes were changed this time doesn’t mean they won’t be changed next time.
Public officials and pundits have made much of the fact that investigators turned up no evidence that Russian hackers changed actual vote totals in the 21 states where they probed election systems in 2016.
That doesn’t mean hackers won’t successfully change votes in 2018 or 2020, though, and our electoral process does them some big favors.
Here’s how former Homeland Security Secretary Jeh Johnson, who oversaw the department’s initial response to the Russian meddling operations put it: “The reality is that, given our electoral college and our current politics, national elections are decided in this country in a few precincts in a few key swing states and the outcome, therefore, may dance on the head of a pin.”
Though Homeland Security tries to steer clear of electoral politics, the department does take into account that adversaries might be more likely to target swing states and districts, Assistant Secretary Jeanette Manfra told Sen. Kamala Harris, D-Calif., during the hearing. Manfra called it part of the department’s “risk-based approach.”
Because states have overall authority over elections, however, the department can only vet and secure election systems in states that request that help. So far, only 19 states and localities have requested that vetting, Homeland Security Secretary Kirstjen Nielsen told lawmakers.
2. State election systems aren’t the only good targets.
If Russia or another adversary wants to sow chaos around an election, hacking voting systems isn’t the only way to do it.
For example, prior to the 2016 election, then-Secretary Johnson became concerned that malicious hackers might compromise systems the Associated Press uses to project election victories based on partial vote totals and exit polls, he said.
Johnson spoke with the AP CEO and was convinced that the organization had enough safeguards and redundancy in its systems that it was reasonably safe, he said. If AP had incorrectly called numerous swing states or the entire election, however, it could have created serious doubts about the election results.
Hackers might also target the companies that manufacture voting machines before they reach states, Sen. Ron Wyden, D-Ore., noted. Wyden has pressed voting machine companies about how well they adhere to cyber best practices and whether they undergo regular audits and been disappointed by their responses.
Even a breach that didn’t reach critical voting systems could raise questions about an election outcome if federal and state officials don’t convince the public about the limits of the breach or get their facts wrong, said Eric Rosenbach, a former top cyber official at the Pentagon and now co-director of Harvard’s Belfer Center for Science and International Affairs.
Rosenbach encouraged states and the federal government to beef up their ranks of public relations professionals who can ensure accurate information gets out in a crisis.
3. States are still worried about a federal takeover of elections.
Homeland Security’s decision to designate election systems as critical infrastructure makes it easier for the department to funnel money and resources to protect those systems, and sends a message to Russia and other adversaries that hacking those systems will invite consequences. It also makes it easier to share cyber threat information with state election officials and to give them security clearances.
State officials remain wary, however, that the designation represents a federal power grab of an inherently state function.
“In our hearings, we’ve found that states do not want a critical infrastructure designation,” Committee Chairman Richard Burr, R-N.C., said. “There’s a red line there and we’ve learned that…We’ve seen that it’s visceral.”
That visceral dislike can be overcome, Burr added, if states come to trust Homeland Security and see the benefits of its assistance.
Burr and other committee members also stressed multiple times—and listed as the first finding of their investigation—that states “should remain firmly in the lead on running elections” while the federal government “should ensure they receive the necessary resources and information.”
Johnson told lawmakers he took a road trip to speak with state election officials in August of 2016 and previewed a possible critical infrastructure designation. The response was so negative that Johnson shelved the idea, he said, believing that a contentious election year was a bad time to make the move.
After the election, however, Johnson went ahead and made the designation anyway.
4. But someone has to hold states accountable.
Even if states are in charge of elections, however, someone needs to hold those states accountable if they’re not doing what’s necessary to secure election systems against hacking or to provide an auditable paper trail of votes, the committee’s ranking member Sen. Mark Warner, D-Va., said.
“I believe the public does have a right to know if their state or their community basically is ignoring this problem,” he said.
When Homeland Security is having a problem with intransigent state officials, it often reaches out to those states’ U.S. senators as a way to gain leverage, Nielsen told Warner.
Nielsen noted that two states are “not working with us as much as we’d like right now,” but did not name the states.
A handful of states do not have an auditable paper trail for all their votes—a best practice highlighted by the Senate Committee report.
5. We haven’t gotten it right yet, but we’re still working.
Early in the hearing, Johnson stated the obvious. “With the benefit of hindsight,” he said, the sanctions the Obama administration imposed in December 2016, in response to Russian election meddling “have not worked as an effective deterrent.”
Additional sanctions recently imposed by the Trump administration and indictments by Special Counsel Robert Mueller, though recent, also have yet to make a substantial difference.
Homeland Security’s efforts to beef up state election security have also faced roadblocks. Only about 20 of 150 state officials slated to receive security clearances have received them so far, Nielsen said, and only 19 states and localities have asked Homeland Security to vet their election systems for cyber vulnerabilities.
There’s some positive news, though.
The not-yet-released omnibus spending bill contains something close to the $25 million Homeland Security requested for election security, several senators said.
Committee Chairman Burr and ranking member Warner also pledged, at the close of Wednesday’s hearing, to add their names to an election security bill sponsored by Sens. James Lankford, R-Okla., and Harris, giving it a significant boost.
“States should not be asked to stand alone against a nation,” Burr said, praising Homeland Security for becoming “a true partner to the states.”