More than 100 state and local election jurisdictions that reached out to the federal government for help ensuring the digital security of their election-related systems have instead found themselves on a waitlist ahead of next week’s midterm elections, according to two people familiar with the backlog.
The tests in demand from the Cybersecurity and Infrastructure Security Agency — the Department of Homeland Security department responsible for providing tools to protect state-run election systems — include risk and vulnerability assessments, as well as penetration tests, both of which determine how vulnerable computer networks are to hackers, including foreign state actors.
States are not required to undergo such tests. The Cybersecurity and Infrastructure Security Agency, known as CISA, offers the services on a voluntary basis.
The vast majority of voting machines are not connected to the internet, meaning a credible threat to the election system by foreign hackers as a whole is practically impossible. But some election information does run through the internet, like voting registration, official information about how and where to vote, and election officials’ email systems. So it could be possible to delete voters from rolls or change the way a website projects an election winner, creating chaos and confusion.
In a statement, CISA did not deny the backlog but noted that it has provided free cyber hygiene tests for what it says are 425 “election-related entities” across all 50 states, the District of Columbia and U.S. territories. The tests are less labor-intensive than the ones on backlog.
“We have found most organizations derive the greatest benefit from cyber hygiene vulnerability scanning, shared services, and capabilities offered in our free services catalog,” said Kim Wyman, CISA’s senior election security lead.
Both sources attributed the backlog in part to staffing shortages at CISA. A major contractor, Idaho National Labs, recently stopped providing such services to states and election machine manufacturers, a spokesperson for the company said.
A U.S. official familiar with the backlog described the cause as a “bandwidth issue,” but CISA would not comment on the existence or reasons for the backlog.
“This has been the case for months and months,” the official added.
CISA’s cyber hygiene assessments can be almost as simple to use as adding a county to its list of websites to check. The risk vulnerability assessment program, which is backlogged, is far more resource-intensive, involving dispatching staffers to run tests on computer networks in person.
The sources declined to say which states and election jurisdictions have not received the help they asked for or how many.
State and local election officials sought to beef up their security software after special counsel Robert Mueller’s report in 2019 revealed Russian interference in the 2016 election. The report found that Russian intelligence sought access to state and local computer networks and was able to compromise the Illinois State Board of Elections, even extracting “data related to thousands of U.S. voters before the malicious activity was identified.”
The Mueller report did not find that Russia or any other actor was able to change the election results, but it did raise concerns about election software vulnerabilities.
Jen Easterly, CISA’s director, has repeatedly said she does not expect a major cyber event to disrupt the 2022 vote. In a talk hosted Tuesday by the Center for Strategic and International Studies, a think tank, Easterly said she was “very confident that we have done everything we can to make election infrastructure as secure and as resilient as possible.”
“There is no information credible or specific about efforts to disrupt or compromise that election infrastructure,” Easterly said.
The fact that states and local election jurisdictions have been unable to get all the help they need from CISA has been unknown until now, as the agency has repeatedly said it is ensuring states have what they need.
“We have protective security advisers, cybersecurity advisers, cybersecurity state coordinators that are working hand in hand on the front line with those election officials to ensure they have what they need,” Easterly said in an interview last week. “And we have made this the top priority at CISA over the past year to ensure that we are supporting those election officials.”