Homeland Security Department inspectors aren’t turning up anything shocking when they assess state and local election systems for cybersecurity vulnerabilities in advance of the 2018 midterms, an official said Tuesday.
Most of what Homeland Security is turning up in the risk and vulnerability assessments are the same issues you’d see in any information technology environment, Matthew Masterson, a senior cybersecurity adviser, told members of the Senate Judiciary Committee. That includes unpatched software, outdated equipment and misconfigured systems.
Homeland Security has conducted risk and vulnerability assessments of 17 states and 10 localities so far, Masterson said.
The $380 million Congress appropriated to secure those systems is, similarly, going mostly to standard security measures, said Masterson, who previously served on the Election Assistance Commission, which is distributing the federal funds.
In the near term, that includes instituting more regular patching schedules for software and training election workers on how to spot phishing emails.
Some states, including Florida and Illinois, are also considering deploying “cyber navigators” at local election sites to help prepare for and manage issues that come up during election day, Masterson said.
Longer term, the highest priority for the new money will be ensuring election results have auditable paper trails, have better built-in cyber defenses and can continue to operate resiliently after a digital attack, Masterson said.
The Election Assistance Commission had distributed 55 percent of those funds to 26 states as of last week.
Russian government-linked hackers probed election systems in at least 21 states in advance of the 2016 election, according to U.S. intelligence officials, but there’s no evidence they were able to change any votes.
In advance of the 2018 and 2020 contests, states are trying to strike a balance between focusing on securing systems that are most vulnerable versus those that are most vital to a secure and trustworthy election, Masterson said.
For example, internet-connected systems, such as online voter registration tools and election night reporting systems, are more vulnerable to hacking, but are far less vital to ensuring an accurate vote count, Masterson said.
Voting machines, by contrast, are far more difficult to breach but are fundamental to ensuring the vote count is accurate.
He described the sometimes-rocky relationship between Homeland Security and state election officials as in good shape, especially when it comes to the federal government sharing cyber threat information with state counterparts. He acknowledged, however, that many top state election officials remain “appropriate skeptical of the federal role in this space.”