Barbara Kalbfleisch /

How the Election Assistance Commission Came Not to Care So Much About Election Security

Safeguarding voting systems was the top priority of local officials across the country. Some of them say the federal agency specifically charged with helping them was missing in action.

In a rush of preparation for this year’s midterm elections, scores of state and local governments have been working to safeguard their election systems from being hacked or otherwise compromised.

At the same time, according to interviews with more than a dozen national, state and local election officials, the federal commission responsible for providing assistance to them has either been missing in action or working to thwart their efforts.

The Election Assistance Commission has ceded its leadership role in providing security training, state and local officials say, forcing them to rely on the help of the U.S. Department of Homeland Security, which lacks the same level of experience in the issues confronting the country’s voting systems.

One of the EAC’s commissioners has dismissed the threat of foreign governments undermining American elections in private meetings with state election officials, and often personally appealed to individual officials not to waste their time on the idea that election systems might be vulnerable to outside meddling.

The election officials assert that the EAC’s executive director, Brian Newby, has blocked the travel of key staffers at the EAC who specialize in cybersecurity, preventing them from attending what training sessions have taken place.

While local officials credit the EAC for the speed with which it has distributed federal money set aside for election updates, they say it has shown little enthusiasm for beefing up election security.

One of the state officials interviewed by ProPublica said that in the run-up to the 2018 vote, election security was “the only conversation there is,” but that the EAC had chosen not to be a major player. “They are completely absent in this space,” said an election official who — like others — spoke to ProPublica on condition of anonymity, citing the bitterly partisan nature of the upcoming election.

Those interviewed — a mix of Democrats and Republicans ranging from the county to national levels of their parties — said that while DHS had been trying its best to fill the vacuum, the agency’s controversial role in the Trump administration’s aggressive immigration initiatives had left some state and local officials wary of working with it — or even being seen as working with the agency.

“The EAC is appropriately positioned as a nonpartisan federal entity to demonstrate leadership on this issue,” Amber McReynolds, the former elections director in Denver and current executive director of Vote At Home, which advocates for vote by mail options. McReynolds said that cyber security is the top issue facing elections officials, and that the EAC “has missed a tremendous opportunity to advance their mission to support state and local election officials in the administration of our elections.”

An EAC spokesperson did not respond to ProPublica’s inquiries concerning the complaints of elections officials, including the claim by some officials that an EAC commissioner, Christy McCormick, was effectively thwarting election security efforts. The spokesperson also did not respond to the claim that its executive director prevented staffers from traveling to visit local election officials. Neither McCormick nor the executive director, Newby, responded to repeated requests for comment.

The EAC was established in 2002 after the calamitous 2000 election, which brought the quiet and ministerial world of election administration to the forefront of America’s concerns. It was designed to provide federal coordination and assistance — financial and otherwise — to an election system that is decentralized by design.

Unlike many countries, there is no federal authority that runs American elections. Rather, except for a narrow set of laws setting dates and preventing discrimination, states, counties and towns are free to run elections their own way. Local election officials and secretaries of state zealously guard their independence.

The EAC was designed as an independent agency in the hopes that local officials would its accept help and advice, in order to prevent or the kind of disaster brought by the 2000 presidential election — and to deal with such crises should they ever occur again. The EAC over the years has distributed millions of federal dollars to states to purchase new voting equipment. It has also acted as a clearinghouse for information on election administration best practices. By law, it has a clear mandate: To “promote the effective administration of Federal elections.”

The EAC is meant to be overseen by four commissioners — two Republicans and two Democrats. It has never had a full set, but in early 2018 there were three: Republicans Matt Masterson and Christy McCormick, and Democrat Thomas Hicks — all appointed by Barack Obama after being recommended by congressional leadership. The commission’s staff is overseen by an executive director, a position held by Newby since 2016. He formerly headed elections in Johnson County, Kansas — a position to which he was appointed by Kansas Secretary of State Kris Kobach.

Today, only Hicks and McCormick remain as commissioners. Masterson, chair of the EAC, had his term abruptly ended by House Speaker Paul Ryan earlier this year — Paul’s office said Masterson’s term had expired and the office wanted to go in a “different direction.” Masterson quickly joined DHS, where he now runs election cyber security initiatives.

Since concerns about Russian meddling in the 2016 election first surfaced, McCormick, a former Department of Justice attorney, has derided the notion. She said publicly in January 2017 she believes the claim of Russian cyber interference was “deceptive propaganda perpetrated on the American public” by the outgoing Obama administration. She has never disavowed this, and election administrators report they have heard her repeat her skepticism as recently as October 2017. She has done this despite the formal findings of Russian mischief detailed by the country’s top intelligence agencies.

McCormick also appears to have ignored opportunities to learn more about the intelligence underlying charges of Russian intervention. While she’s been invited to multiple classified briefings with DHS, some of those present at the meetings can only remember her presence at a single one, which was held early this fall.

Some election administrators say McCormick’s open skepticism has had consequences for the credibility of the agency. “When she speaks, she speaks for the EAC,” said one local election administrator.

In July, McCormick participated on a panel about election security before the Senate Rules Committee. In his opening statement Sen. Ron Wyden, D-Oregon, took her to task, saying, “I can’t for the life of me figure out why the No. 2 official at the Election Assistance Commission is dismissing the analysis of the administration’s intelligence experts.” McCormick did not address his concerns during the hearing.

In the months since, ProPublica has asked repeatedly if McCormick’s views on the subject have changed and she has repeatedly refused to answer.

But half a dozen local officials say McCormick has targeted Republican officials in various states to press her point that Russian intervention should not be a subject of concern. Often, this occurs in Heritage Foundation meetings arranged for Republican secretaries of state during larger elections conferences, the officials said. They said she also makes her appeals personally to individual state officials.

Those officials say an episode in late 2016 was a telling precursor to her conduct since. Emails released to ProPublica as part of a public records request show McCormick expressing her views clearly.

“It is my opinion that the entire thing is complete BS,” McCormick wrote to her fellow EAC commissioners and the director of an election association on Dec. 30, 2016. “It sickens me that this administration appears to be creating false intelligence narratives to bolster whatever their agenda is.”

McCormick then forwarded the email and others to Brian Kemp, Georgia’s Republican Secretary of State, and the man in charge of the state’s election operation.

“I am appalled at what I see happening,” she wrote.

An hour later, Kemp replied, “Unreal, indeed.”

Kemp today is the Republican candidate for governor in Georgia, though he is still in charge of elections in the state. His campaign has not returned a request for comment.

Candace Broce, a spokesperson for the Georgia Secretary of State’s office, would not answer questions about whether Kemp has ever doubted U.S. intelligence on Russian intervention. Broce said Kemp’s response to McCormick was not about U.S. intelligence, but instead about “bad reporting” by the media.

Wyden, who has been a vocal proponent of bills meant to improve election cybersecurity, said the emails left him convinced McCormick should no longer be on the commission.

“Vice Chair McCormick’s ignorant views further call into question her fitness as the number two election security official in the country,” Wyden said. “These new emails make clear that Vice Chair McCormick was actively discouraging secretaries of state from taking seriously the threats to our elections, and it appears from his reply that Brian Kemp was fully on board. With security advice like this, it’s no surprise that Georgia has done virtually nothing to improve the horrendous security of its elections.”

For his part, Hicks, the chairman of the EAC, has acknowledged efforts by the Russian government to undermine U.S. elections. But he told ProPublica he is convinced state and local governments have been getting the appropriate help from the EAC.

The local elections officials interviewed by ProPublica says the claim strains credulity.

There is little sign, they say, the EAC has been aggressive on the issue of cybersecurity. The commission has not put out a list of trustworthy resources for local elections officials around cybersecurity. The Council of State Governments created and distributed such a list in the absence of EAC action. Meanwhile, much of the information related to election security on the EAC’s own website is made up of sparse checklists or glossaries of terms, most made in October 2017. Not much of it seems to be used. Election administrators were widely unaware of a video that the EAC put out to assure voters that the election was secure.

And while EAC spokesperson Brenda Soder said in a statement that the EAC had developed a training program for cybersecurity it had deployed a dozen times across the country, this program was developed under Masterson and left with him. It is now run in coordination with his office at DHS. Soder did not respond when asked when the EAC last ran this program.

The officials interviewed by ProPublica faulted Hicks in addition to McCormick. He has done little, they say, to establish himself as a resource to state officials on cybersecurity as Masterson did.

Newby has also attracted ire, mostly for what some regard as overtly partisan moves. Earlier this year, for example, Newby instructed the EAC communications department to stop using AP Style — a common standard used by many newsrooms, including ProPublica because it was too “liberal.” In 2016, over internal objections, Newby also attempted to unilaterally approve measures that would allow states to demand documentary proof of citizenship in order to register to vote. The move drew wide criticism from election officials, who said it was “blindly partisan” and unnecessary to secure elections.

After the foreign interference seen in the 2016 election, the outgoing Obama Administration named elections as critical infrastructure — a designation offered to systems like emergency services, banking and transportation.

The EAC — the only federal entity tasked with the administration of elections—soon won praise for quickly assembling the Government Coordinating Council, a group created to encourage collaboration between federal and state governments and relevant associations.

But three members of the GCC told ProPublica they could not recall any specific actions the EAC had taken in recent months. While Hicks is an active participant in calls and at meetings, he often defers decision-making to others, and no one could recall McCormick saying anything at all in her last several GCC interactions. GCC members report that the EAC has even stood in the way of GCC distributing quality information to the states.

In early 2018, as the EAC prepared to give out $380 million allocated by the Congress for election upgrades, states participating in the GCC requested a guide for how to responsibly deal with cybersecurity vendors — what questions they should ask, and how to appropriately vet vendors they might pay with the money they were slated to receive. The GCC set to work and, guided largely by DHS, the recommendations began to take shape.

After weeks of silence on the proposed recommendations, the EAC suddenly demanded extensive changes. In a phone call that erupted into shouting, EAC officials expressed anger that DHS and other GCC members had stepped on EAC territory by making recommendations to states about the funding. Ultimately, the EAC signed the recommendations with few meaningful changes, though the skirmish delayed the release of the letter.

This article was originally published in ProPublica. It has been republished under the Creative Commons license.