Senators urge stout defense for 2018 vote

Response to Russian attack in ’16 fell short, report says

Senate Intelligence Committee Chairman Richard Burr said Tuesday that Russian hackers exposed “some of the key gaps” in the security of the nation’s election infrastructure.

WASHINGTON -- Government efforts to protect state and local elections from Russian cyberattacks in 2016 didn't go far enough, leaders of the Senate Intelligence Committee said Tuesday as the panel released recommendations to safeguard against foreign meddling in the 2018 primary season that's already underway.

Federal warnings last time did not provide enough information or in some cases go to the right people in state and local governments, the committee's leaders said, though they reiterated that there was no evidence votes were changed.

Russian agents targeted election systems in 21 states ahead of the 2016 general election, the Homeland Security Department has said, and top U.S. intelligence officials have said they've seen indications Russian agents are preparing a new round of election interference this year.

The committee's recommendations include urging states to make sure voting machines have paper audit trails and aren't capable of being connected to the Internet. Senators also are pushing for better communication among the various U.S. intelligence agencies and federal, state and local governments about cyber threats and vulnerabilities in computer systems.

The panel also urged President Donald Trump's administration to make clear it would not tolerate any attacks on systems used to run elections.

"The U.S. government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly," the committee's chairman, Sen. Richard Burr, R-N.C., and the committee's top Democrat, Sen. Mark Warner of Virginia, said in a statement.

That finding amounts to a tacit criticism of both Trump and President Barack Obama for failing to act aggressively enough -- in advance of the 2016 election as well as after Trump took office, when U.S. intelligence agencies determined Russia had interfered in the presidential election and, more recently, that Moscow is targeting the upcoming November elections.

Burr separately called for funding as soon as this week's omnibus spending package to harden election systems.

The committee's recommendations preview an election security report expected to be released in full in the coming weeks. It is the first of four reports the panel plans to write in its wide-ranging investigation into Russian meddling.

Burr and Warner released the recommendations ahead of a hearing today examining attempted hacks on state election systems in 2016 and the federal and state response. Former Homeland Security Secretary Jeh Johnson and current Homeland Security Secretary Kirstjen Nielsen will testify at the hearing.

The proposals, in large part, echo those made by cybersecurity experts and address concerns raised by state and local officials. Even with Republican and Democratic support, it's unclear if the recommendations will translate into legislation. Burr said his panel doesn't have jurisdiction over the issues, so another committee would have to write any bills in Congress.

"While our investigation is still ongoing, one conclusion is clear: The Russians were relentless in attempting to meddle in the 2016 elections, and they will continue their efforts to undermine public confidence in Western democracies and in the legitimacy of our elections," said Sen. Susan Collins, R-Maine, another member of the committee.

Burr said the committee's investigation revealed that the Russian cyber effort exposed "some of the key gaps" in the security of the nation's election infrastructure. He said the committee wants to maintain state control of elections, but the federal government should be doing more to help.

"Clearly we've got to get some standards in place that assure every state that at the end of the day they can certify their vote totals," he said.

RISK-LIMITING AUDITS

The senators are also urging state and local election officials to take advantage of resources provided by the Homeland Security Department, such as comprehensive risk assessments and remote cyberscanning of their networks, to spot vulnerabilities.

Overall, experts say far too little has been done to shore up those vulnerabilities in 10,000 U.S. voting jurisdictions that mostly run on obsolete and imperfectly secured technology.

As of last month, just 14 states had requested risk assessments and 30 had asked for remote cyberscans of their networks, according to Homeland Security officials. But even that was straining resources, since many of those risk assessments have not been completed.

Illinois, which held the second-in-the-nation primary on Tuesday, requested the assessment in late January, but it's not scheduled to be completed until after the primary.

The senators are also recommending that states consider implementing "more widespread, statistically sound audits of election results." Currently, 32 states and the District of Columbia require postelection audits, with three others conducting such audits under some circumstances.

But cybersecurity experts say the best approach would be for states to require risk-limiting audits, a type of audit that uses statistical methods and is considered a more rigorous process. So far, three states -- Colorado, Rhode Island and Virginia -- have passed legislation to require them.

Other states, including Georgia, are weighing legislation this year that would implement risk-limiting audits.

It's unclear when the committee's full report on election security will be released, but it is expected to include recommendations for elections officials around the country and also proposals for legislation to help ward off the hacking.

There's no evidence that any hack in the November 2016 election affected election results, but the attempts concerned state election officials who sought answers about how their systems had been potentially compromised. The Homeland Security Department took nearly a year to inform the affected states of hacking attempts or suspicious cyberactivity, blaming it in part on a lack of security clearances. Lawmakers in both parties have pressed the department on why it took so long.

Warner has said he thinks the process to prevent any compromise of election systems needs to be more robust, especially since Trump has not addressed the matter as an urgent problem.

"Every one of Mr. Trump's appointees in law enforcement and national security acknowledge what an ongoing threat Russia is," Warner said Tuesday. "It's pretty amazing to me we've had the director of the FBI, the director of national intelligence and the head of the [National Security Agency] say in public testimony within the last month that they've received no direction from the White House to make election security a priority."

The Senate intelligence panel has put off making any assessments about whether Trump's 2016 campaign in any way coordinated with Russia. Though that is one part of the panel's investigation, Burr and Warner have decided to focus first on less contentious issues.

The three remaining reports will focus on Russian interference in U.S. social media, verification of an intelligence community assessment that said Russians meddled in the election and the issue of whether Trump's campaign and Russia colluded.

Information for this article was contributed by Mary Clare Jalonick, Christina A. Cassidy and Chad Day of The Associated Press; by Nicholas Fandos and Matthew Rosenberg of The New York Times; and by Steven T. Dennis and Nafeesa Syeed of Bloomberg News.

A Section on 03/21/2018
