October 30, 2018

Fewer than half of US states have undergone federal election security reviews ahead of midterms

WATCH: Attacking the vote: how American votes can be 'hacked'

With only a week left before the 2018 midterm elections, fewer than half of U.S. states have submitted to a Department of Homeland Security assessment of their vulnerabilities to vote hacking.

Under the department's National Protection and Programs Directorate, the agency branch that coordinates cyber protection of U.S. infrastructure, a team of DHS officials are prepared to examine statewide election systems. They can check for cybersecurity vulnerabilities and run in-person exercises like phishing tests to ensure election officials are prepared to guard against attempts to hack their email accounts.

The Department of Homeland Security has already provided or is scheduled to provide the service, which is free for states that request it, to only 21 states, a department spokesman told ABC News, concerning election experts who fear some states may not be aware of potential vulnerabilities.

“The first thing that every state should be doing, and frankly not just the state but the counties to the extent that they can, is to do a threat analysis to understand what the vulnerabilities in their systems are,” said Larry Norden, of the Brennan Center for Justice’s Democracy Program. “Our election infrastructure is very complex, and it’s not always obvious where they are.”

Concerns over vote hacking have never been higher following Russia’s broad campaign to influence the 2016 election, which included attempts to infiltrate more than a dozen voter registration systems, but elections are managed by state and local officials, and DHS can only offer help to states.

Gregory Bull/AP
Department of Homeland Security Secretary Kirstjen Nielsen, left, speaks with Border Patrol agents near a newly fortified border wall structure, Oct. 26, 2018, in Calexico, Calif.
(MORE: How hackable are American voting machines? It depends who you ask)

In public appearances and talks with election officials, Secretary Kirstjen Nielsen has made it clear that her department is ready to assist but acknowledged that efforts vary widely state by state.

“Some are hiring third parties, some are working with us,” she told a Washington Post cybersecurity summit earlier this month. “There are some states that are utilizing the National Guard. There’s a variety of ways in which you can bring your capability and capacity up to speed. Each state is doing it a little bit differently.”

State National Guards have cybersecurity capabilities and have run cyber training exercises in the past to develop them.

The department spokesperson declined to say which states have and have not undergone the assessments. ABC News asked election officials in all 50 states whether they have participated, and 19 states -- Arizona, Colorado, Connecticut, Delaware, Iowa, Illinois, Indiana, Maryland, Massachusetts, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Rhode Island, South Carolina, Utah, Washington and Wisconsin -- confirmed that they had.

A New York official said the state has completed paperwork and is awaiting an assessment. Several others declined to comment.

States have been reluctant to share information about their specific cybersecurity practices, citing fears of giving too much information to potential hackers, but states that have partnered with DHS have almost unanimously voiced satisfaction with the services.

The DHS team sent to Wisconsin was “very thorough” and stayed in the state for two weeks, said Reid Magney, a spokesman for the Wisconsin Elections Commission. “We’re very satisfied with their services.”

Joe Raedle/Getty Images
Voting booths are setup at the Yuengling center on the campus of University of South Florida as workers prepare to open the doors to early voters, Oct. 22, 2018, in Tampa, Fla.
(MORE: A tech investor brought cell phone voting to West Virginia, igniting debate about access and security)

But an official from Michigan, which did not undergo a DHS assessment, said the state has done “similar work with outside vendors and the Michigan Department of Technology, Management and Budget, which has its own cybersecurity resources that serve state agencies.”

An election official from Maine, which did not undergo a DHS assessment, said the state's voter-registration database is the only Internet-accessible part of its election system and is "heavily password protected, backed up, and monitored for suspicious activity" by state IT staff.

And Arkansas passed on DHS’s offer because election officials feel they’re already well prepared.

“We just did not do some of the same things some of the other people are doing,” said Chris Powell, press secretary for Arkansas’s secretary of state. “None of the machines or tabulators or any of that is ever connected to the Internet at any time, so we’re not worried about cyber-attacks on that or anything like that.”

Election-security watchdogs and cybersecurity experts have voiced concerns about multiple potential vulnerabilities to American elections—from electronic voting machines, to the programming of those machines, to voter-registration databases managed by state officials, county officials, or private vendors.

Assessments, DHS’s most robust form of assistance, “would include identifying how the network is configured, what are the various nodes, what are the various ways in which it could be attacked,” said John Cohen, an ABC News consultant and former deputy undersecretary for intelligence and analysis at DHS.

It’s not necessarily concerning that states have not taken up DHS on its full range of help, said the Brennan Center’s Larry Norden. But states’ reluctance to provide details makes it difficult to assess how prepared U.S. election officials are for potential hacking.

“DHS is not the only source for doing good risk assessments, but they are one, and they’re free,” Norden said. “Hopefully if they are using outside vendors or other IT experts, they’re getting good people to do that.”

This piece has been updated for clarity, removing a reference to Louisiana, which is state election officials said is scheduled to receive a lower-level DHS vulnerability scan, not the full DHS vulnerability assessment.