The Trump administration has improved how it informs states about voting system breaches since the 2016 elections, but not fast enough for lawmakers who complained Wednesday that officials must take more urgent, comprehensive steps to deter and publicize threats before November’s midterms.
“We know for certain that Russians were relentless in their efforts and also that those efforts are ongoing — and yet when I listen to your testimony, I hear no sense of urgency to really get on top of this issue,” Sen. Susan Collins (R-Me.) told Homeland Security Secretary Kirstjen Nielsen on Wednesday during a Senate Intelligence Committee hearing.
Nielsen appeared before the panel alongside her predecessor in the Obama administration, Jeh Johnson. Both addressed missed opportunities, challenges and developments in the government’s efforts to counter cyberthreats since it was determined that Russia interfered in the 2016 elections. Nielsen stressed that her department “recognize[s] that the 2018 midterm and future elections are clearly potential targets for Russian hacking attempts,” saying President Trump shared that view.
“He has said that it’s happened, but the line that [Trump’s] drawing is that no votes were changed,” Nielsen said. “That doesn’t mean it’s not a threat.”
Nielsen touted policy changes the administration has adopted, such as identifying three election officials in each state to receive security clearances, allowing them to view intelligence related to threats. Twenty of the 150 officials identified have already received their clearances, Nielsen said, noting that while others go through security review, it will be the department’s policy to read in state officials when threats are detected.
“Today I can say with confidence that we know whom to contact in every state to share threat information,” Nielsen added. “That ability did not exist in 2016.”
She also said that the department was prioritizing election security “over all other infrastructure sectors” and encouraging the declassification of relevant intelligence so officials can share information widely.
Nielsen and Johnson said some states remain unwilling to fully cooperate with federal officials.
Johnson told senators that his efforts to declare election infrastructure as critical infrastructure in 2016 — he ultimately did so in January 2017 — had spooked some state leaders, an assessment with which the panel’s chairman agreed.
“We’ve found that states do not want a critical infrastructure designation,” said Sen. Richard Burr (R-N.C.), noting that while the reaction was “visceral, it’s something that can be overcome with trust.”
Nielsen said that only 33 states have their voting systems certified by the U.S. Elections Assistance Commission and that two are resisting other efforts to improve cooperation with DHS.
Lawmakers and administration officials emphasized that the federal government is not trying to take over of the nation’s election systems. But they still face resistance, the secretaries said, when it comes to reporting security breaches or asking for the department’s help.
Nielsen and Johnson said DHS lacks recourse when states refuse to publicize breaches, even when DHS detects it.
“Very often the victims of a cyberattack are very sensitive to the disclosure of the fact they are the victim,” Johnson said.
“When it comes to this situation, the victims stop reporting; when they stop reporting, we’re just not aware of the attacks,” Nielsen added.
This did not satisfy senators, who noted that DHS has yet to publicly identify the 21 states targeted in 2016 — creating confusion and potentially complicating the public’s ability to demand a response.
Other senators were frustrated that DHS hasn’t put more pressure on state officials.
“Our constituents, our voters, need to know when a state or jurisdiction is not stepping up,” said Sen. Mark R. Warner (D-Va.), the committee’s vice chairman.
The senators and panelists agreed, however, that better reporting and information-sharing would not fix everything. Johnson said the sanctions imposed on Russia by Obama were insufficient and would need to be followed with further measures by the Trump administration. Several senators also urged the administration to articulate a policy for deterring cyberattacks, as it was unlikely that defensive measures alone would deter Russia or other actors .
“We can patch software systems to the end of time, and we’re not going to defeat these people,” Sen. Angus King (I-Maine) said. “. . . This problem is not being treated with the urgency it deserves.”