Less than a week from the 2018 Midterm election, only 21 U.S. states have submitted to a Department of Homeland Security (DHS) vote hacking vulnerability assessment.
The DHS has a team of officials prepared to examine statewide election systems and run in-person exercises such as phishing tests to ensure election officials are prepared to defend against cyberattack. The services are offered free of charge through the department's National Protection and Programs Directorate that coordinates cyber protection of U.S. infrastructure.
While the DHS declined to say which states have and haven’t completed assessments, ABC News contacted election officials in all 50 states to learn whether or not they had participated and only: Arizona, Colorado, Connecticut, Delaware, Iowa, Illinois, Indiana, Maryland, Massachusetts, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Rhode Island, South Carolina, Utah, Washington and Wisconsin, confirmed that they had, while several others declined to comment.
A Louisiana election official told the news agency the state is currently undergoing a DHS assessment and a New York official said the state has completed paperwork and is awaiting an assessment.
A Maine election official, whose state did not undergo a DHS assessment, told ABC the state's voter-registration database is the only Internet-accessible part of its election system and is "heavily password protected, backed up, and monitored for suspicious activity" by state IT staff.
Arkansas election officials passed on the DHS’s offer because they felt they were already well prepared and Michigan, which also has not undergone a DHS assessment said the state has already done “similar work with outside vendors and the Michigan Department of Technology, Management and Budget, which has its own cybersecurity resources that serve state agencies.”
Marten Mickos, CEO of HackerOne, told SC Media it is imperative that society set strict security standards on voting systems and that old machines are updated or entirely taken out of commission.
“Voting systems have not been subjected to basic security best practices such as third-party source code review, vulnerability disclosure, and any level of transparency that a critical system should undergo before they are depended on by our democracy,” Mickos said. “As a result of this, voting machines are actually at a higher risk than many other critical systems.”