Some states and localities are still struggling to practice basic cyber hygiene when it comes to securing election infrastructure, according to a top federal cybersecurity official.
The nation's top cybersecurity official told Congress that the ability to audit voting machines after elections is critical for ballot security.
"The area that I think we need to invest the most in the nation is ensuring auditability across infrastructure," Christopher Krebs, head of the Cybersecurity and Infrastructure Security Agency said at a Feb. 13 hearing of the House Homeland Security Committee. "If you don't know what's happening and you can't check back at what's happening in the system -- you don't have security."
While 34 states and the District of Columbia have some laws mandating post-election audits, according to the National Conference of State Legislatures, Congress has been unable to agree on how hard or soft to make such language in legislation.
Krebs and Election Assistance Commission (EAC) Chair Thomas Hicks endorsed the need for greater auditability, though both deferred to states on the question of whether it should be done digitally or by hand.
In particular, states and Republicans have pushed back on bills, including the H.R. 1 legislation currently before the House, that seek to tie eligibility for federal election security grant funding to mandates for paper ballots and risk-limiting or hand-counted post-election audits, which require some form of paper trail.
While most Democrats support mandates around paper ballots and hand-counted or risk-limiting audits, there are indications that if resistance from congressional Republicans and states continue, those demands could soften if it means sending more dollars to states and localities for election infrastructure upgrades.
Most election security experts endorse the two measures because they say that if a machine is hacked and vote totals are altered, the hacker would also be able to change the electronic image of the results that are used as a baseline for auditors to compare vote counts.
Krebs testified that over the past two years, CISA has conducted individual vulnerability assessments and penetration tests for the election infrastructure of at least 26 states and localities and found significant overlap for some of the most easily recognizable vulnerabilities.
"The interesting thing that we found was that of all those assessments, the findings were generally similar: unpatched systems, misconfigured systems, lack of multi-factor authentication," said Krebs.
Those findings were used to create guidance for states to use in spending $380 million in leftover Help America Vote Act funding allocated in 2018. Cooperation between the federal government and states is "light years" ahead of where it was in 2016, Krebs said, but "there's certainly more to do."
"The federal government -- especially Congress -- must understand the resource constraints of local election officials and partner with them to address vulnerabilities to election infrastructure though grants and services," committee Chairman Rep. Bennie Thompson (D-Miss.) said in his opening statement.
Hicks said early results from analyzing federal financial reports of the $380 million sent to states last year show that 58 percent was spent on "shoring up cybersecurity" while 33 percent went to replacing machines. Hicks emphasized those numbers are not final and could change as the commission analyzes more data.
New voluntary guidelines for purchasing voting machines are expected to be approved by EAC later this year, but they must go through public comment first. Several lawmakers expressed concern that such guidance will not be available to states in time to affect purchasing decisions for the 2020 elections.