FBI Director James Comey has warned that Russia will try once again to influence U.S. elections, possibly as early as next year. To prepare, the federal government has declared elections to be a part of the nation's critical infrastructure that demands special attention.
But the federal government's focus has state and local election officials, who are very protective of how they do things now, extremely nervous.
They're mainly concerned that the federal government will tell them how to run their elections — even down to where polling sites should be located — in the name of security.
Denise Merrill, Connecticut's secretary of state and president of the National Association of Secretaries of State, said this could jeopardize the best protection the nation already has against outside manipulation of elections.
"Because our system is highly decentralized there's no way to disrupt the voting process in any large-scale meaningful way through cyber attacks because there's no national system to attack," she said Tuesday at a hearing before the U.S. Election Assistance Commission on the impact of the critical infrastructure designation.
Merrill noted that while two states — Arizona and Illinois — had their voter registration systems infiltrated last year by Russian hackers, no records were deleted or changed. And she said no actual votes were affected, despite signs that Russia had scanned election systems in at least 20 states.
"The voting process itself was not hacked, manipulated or rigged in any way," said Merrill.
Classified information, technical services
Neil Jenkins, director of the Department of Homeland Security (DHS) Enterprise Performance Management Office, agreed that having thousands of local election offices, each with their own systems, makes hacking votes nearly impossible. But he said states are increasingly putting election data online, things like voter registration lists and preliminary vote counts, increasing the risk that an election can, at the very least, be disrupted.
He said the Department of Homeland Security's job is to help local officials secure elections, not to dictate what they should do.
"The way we work with critical infrastructure is not through regulation. It's through voluntary partnerships. Sharing of information, listening to the community, determining what they want, and then working with them to provide that information," said Jenkins.
He said election officials will now have more access to classified information about potential threats. And that DHS can provide technical services, such as sending in penetration teams to try to break into a local voting system to see if it's secure.
Election officials say many of them have been doing this kind of testing for years, although they welcome the additional help. They say they could also use more money to help them secure elections, but Jenkins made clear that the critical infrastructure designation does not come with additional funds.
One reason state and local election officials are so wary about working with DHS is that they're not confident the agency understands how elections work. Jenkins admitted that he initially thought the problem with Russian hacking last year involved internet voting — which barely exists. He said he was quickly dispelled of that belief by election officials.
But since then, election officials have seen other disturbing signs. They say they received little advance notice that former DHS Secretary Jeh Johnson was about to make the formal critical infrastructure designation in January. And several states reported that their election systems have been scanned by someone using a DHS IP address, even though they had not authorized such activity.
Jenkins said these scans were "authorized normal activity coming from DHS users" and were unrelated to Russian hacking. He described it as normal traffic involving either professional or personal use of state sites by DHS employees, such as someone checking their own voter registration record.
"One of the things that we have worked hard with in our public-private partnership is to gain that level of trust," Jenkins said. "And the questions that we have received have shown us that we need to learn how to engage with state and local election officials and we have done that." He said DHS will set up groups of election officials and vendors in the coming weeks to work on the critical infrastructure designation.
EAC chairman Matthew Masterson says his agency has been helping state and local election offices already by providing cyber secruity training and checklists they can use to make sure their elections are secure. Masterson says while most election offices are already doing a good job, security can always be improved, especially as new systems are adopted, such as online voter registration systems. He said it's important for the public to trust that the system works.
When EAC Commissioner Christy McCormick asked election officials what they think is the greatest risk they face, the answer was not Russian hackers.
"I think the largest risk to be honest, is the risk of public perception and confidence," said Ricky Hatch, who runs elections in Weber County, Utah. Hatch said he was mostly concerned about the impact of candidates and others talking so much about elections being hacked, when the chances are so low.
"We need to not only make sure that our elections are secure, but we need to make sure the public understands that they're secure," said Hatch.
Of course, U.S. intelligence officials say Russia also tried to undermine confidence in U.S. elections last year by waging a disinformation campaign on social media questioning the validity of the vote.