Myriad election systems complicate efforts to stop hackers

WASHINGTON — A new Senate report on Russian interference in U.S. elections highlighted one of the biggest challenges to preventing foreign meddling: the limited powers and ability of the federal government to protect elections run by state and local officials. That has given fuel to those who argue that a larger federal role is needed.

The Senate Select Committee on Intelligence issued the first part of its report into Russian interference in the 2016 election on Thursday, noting that Russian agents "exploited the seams" between federal government expertise and ill-equipped state and local election officials. The report also emphasized repeatedly that elections are controlled by states, not the federal government.

It called for the reinforcement of state oversight of elections — a view blasted as inadequate by Sen. Ron Wyden, an Oregon Democrat on the committee. He called on Congress to establish mandatory cybersecurity requirements across the country.

"We would not ask a local sheriff to go to war against the missiles, planes and tanks of the Russian Army," Wyden wrote. "We shouldn't ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia's cyber army. That approach failed in 2016 and it will fail again."

As the 2020 elections loom, questions of who bears responsibility for securing the vote are becoming more dire — even as President Donald Trump has been largely silent on the subject, and the Republican-controlled Senate has refused to consider legislation by Wyden and others to fortify election security.

Tensions flared in August 2016, when then-Homeland Security Secretary Jeh Johnson raised the possibility of designating the nation's election system, comprising some 10,000 separate jurisdictions, as critical infrastructure to free up federal resources to support states. Some state officials decried it as a "federal takeover" of elections.

Concerns were compounded in September 2017 when Homeland Security officials notified election officials in 21 states that their systems had been targeted by Russians. Authorities have since said they believe all states were targeted to varying degrees.

Over the last two years, Homeland Security, the department tasked with securing elections, has been working to build up trust with wary state and local officials through increased communication, training and offers of cybersecurity support. Both sides say the relationship has improved greatly.

Homeland Security officials have been reluctant to weigh in on whether there should be more federal oversight and say they want to focus on their work assisting states.

But many cybersecurity experts say that more must be done. They support legislation stalled in Congress that would require states to have a voter-verified paper record of every ballot cast and require states to implement more rigorous audits of election results.

In 2018, 10 states had more than half of their jurisdictions still using machines without a paper trail, which experts warn are vulnerable to hacking. Just four states have laws requiring "risk-limiting" audits that use statistical methods to identify voting irregularities.

"There is no question that the authority resides with the states, but Congress not only has the right but an obligation to make sure federal elections are secure," said Lawrence Norden, a voting technology expert with the Brennan Center for Justice at NYU School of Law.

Norden said, "There is a place for Congress to say that we want all Americans to trust in our elections and there are minimum standards that everyone should abide by."

Defining those standards has proved difficult.

Senate Republicans have been uninterested in taking up election security legislation, saying the Trump administration has already made strides in protecting the vote and no additional federal funding is needed beyond the $380 million in grants sent to states last year. They have also been responsive to concerns like those of Alabama Secretary of State John Merrill, who is wary of a bigger federal role in elections.

"The most important feature to a good election security bill is to create one that provides necessary resources to the states without creating unfunded or underfunded mandates and strangling restrictions through federal overreach," Merrill, a Republican, told a congressional committee in February.

But Wyden and other lawmakers, including Massachusetts Sen. Elizabeth Warren, say federal requirements are needed. Warren, a Democrat, released an election security plan last month as part of her presidential campaign that would essentially wrest control of federal elections from states.

Experts say it would be challenging to implement standardized equipment and massive protocol changes across the country, requiring a complete overhaul of how elections occur. They note that the decentralized system does provide certain advantages.

"If we were to federalize elections, we're not just going to flip a switch on that," said David Becker, founder of the Center for Election Innovation & Research, which works to improve election administration through research. "It would be a long-term, really expensive solution and it would create a new bureaucracy."

Trump has shown little interest in election security, and his interactions with Homeland Security mostly deal with immigration.

Trump has called 2016 election interference by the Russians a hoax, a claim that former special counsel Robert Mueller rejectedin his congressional testimony Wednesday. Mueller also warned that Russia remains interested in interfering in U.S. elections, telling lawmakers: "They are doing it as we sit here."

California Secretary of State Alex Padilla said it was wrong to suggest that federal support for elections, especially when it comes to security, would be considered overstepping.

"We have no choice but to work together given the modern-day threats to our democracy," said Padilla, whose state has among the strictest cybersecurity enforcement for elections.

He thinks the federal government must play a role in developing best practices and guidelines to secure against cybersecurity attacks.

"Anyone who doesn't embrace partnership and best practices is guilty of malpractice," said Padilla, a Democrat.