In January, the Department of Homeland Security designated voting machines, voter databases, and polling places as parts of critical infrastructure, in the same sort of vein as drinking water or the power grid. But despite election security supposedly being a priority for the US government, eight months after that DHS announcement, state election officials have still not received any security clearances to review classified information on Russian efforts to interfere with the 2016 US election, according to officials and documents.
The news highlights the snail's pace at which some important information on cybersecurity may be shared, and the frustration regional officials feel in trying to figure out if any of their own systems were compromised by state-sponsored hackers.
"In order for defenders to best tailor their defenses to known threats, it's crucial that they know more than just broad outlines of the threat environment," Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, told Motherboard in a Twitter direct message. "Even if attackers broke in and simply rummaged around, that would be very useful and significant to know."
In June, Vermont's Secretary of State and chief election officer Jim Condos wrote a letter to Senators Richard Burr and Mark Warner. Burr and Warner are the chairman and vice chairman of the Senate Select Intelligence Committee respectively, which is conducting a bipartisan inquiry into Russian interference in the 2016 US elections.
"We have struggled with a lack of information from DHS ever since these cyber threats emerged last summer," Condos wrote, adding that they have only heard about breaches through media reports, and only received a "trickle" of unclassified information. The letter was previously published by Morning Consult.
"It is imperative that chief station election officials across the US receive security clearances as quickly as possible in order to receive timely and specific threat information in order to protect our state systems," Condos added.
Then just last month, the National Association of Secretaries of State (NASS) wrote its own letter, asking for an expedited method for election officials to gain security clearances.
"Unfortunately, despite assurances from DHS representatives that this issue is being worked on internally, no Secretary of State has been granted such a clearance, nor has any process for requesting such clearance been communicated with NASS members," the letter obtained by Motherboard reads.
At the time of writing, the situation appears to remain the same: no security clearances have been granted.
A spokesperson for Senator Warner told Motherboard in an email that, "Senator Warner is extremely concerned about the possibility of cyberattacks directed against U.S. election systems, and has emphasized the need to ensure their security. He is concerned that some senior election officials in each state do not have security clearances that would ensure that they receive the proper notification of cyber threats to their state's election systems."
During a recent public hearing, the DHS' acting Director of Cyber Division of the department's Office of Intelligence and Analysis said that Russian hackers targeted 21 states. However, according to the Warner spokesperson, "in many cases, the state election officials, whether the state directors or the secretaries of state, may not even have been notified."
In a statement to Motherboard, the DHS said that department does not publicly disclose cybersecurity information shared with partners, and when it does become aware of a potential victim, DHS notifies the owner or operator of the system. In some cases that may not be the Secretary of State's office.
"However, we recognize that state and local officials should be kept informed about cybersecurity risks to election infrastructure and are working to refine our processes for sharing this information. Going forward, we plan to work with Secretaries of State and senior election officials to determine how best to share this information while protecting the integrity of investigations and the confidentiality of system owners," the spokesperson wrote, and added that DHS has "begun the process" of granting security clearances.
NASS had made clear this is an urgent matter.
"The public has entrusted state and local election officials with securing our election systems. Moving ahead in preparation for upcoming election cycles, we need improved communication and timely information from DHS to ensure the best defenses are in place to protect our systems," the letter from NASS concludes.
Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at email@example.com, or email firstname.lastname@example.org