WASHINGTON _ They knew Russian operatives might try to tamper with the nation's electronic voting systems. Many people inside the U.S. government and the Obama White House also knew.
In the summer of 2016, a cluster of volunteers on a federally supervised cybersecurity team crafting 2018 election guidelines felt compelled to do something sooner. Chatting online, they scrambled to draw up ways for state and local officials to patch the most obvious cyber vulnerabilities before Election Day 2016.
Their five-page list of recommendations focused on two gaping holes in the U.S. election system. It warned that internet voting by at least some citizens in 32 states was not secure and should be avoided. And, critically, it advised how to guard voting and ballot-counting machines that the experts knew could be penetrated even when disconnected from the internet.
But the list was stopped in its tracks. A year later, even as U.S. intelligence agencies warn that Russian operatives have their eyes on 2018 and beyond, America's more than 7,000 election jurisdictions nationwide still do not have access to those guidelines for shielding the voting process.
The recommendations were derailed amid an awkward, often unspoken power struggle between, on one end, federal agencies, which have more resources to combat cyberthreats, and on the other, states and localities, which hold absolute constitutional authority over elections.
The states vigorously defend their territory, though they can be naive about cyber risks. Many have insisted their systems are secure.
For their part, federal officials have hesitated to encroach on that turf with the election just around the corner.
Both sides showed a "lack of seriousness" about voting security issues that spells trouble for protecting the nation's jumble of election machinery against increasingly sophisticated threats, warned Neal McBurnett, a Boulder, Colo., consultant who helped develop the guidelines.
State and federal authorities aren't moving fast enough "in coming up with ways to harden our targets and look at the problem with clear eyes," he said.
Cybersecurity experts often blame state and local officials for the lack of action.
That includes leaders of the National Association of Secretaries of State, or NASS, which has concerns about undermining public confidence in voting systems. The leaders have insisted computer-driven equipment is secure when it's not hooked to the internet _ which is wrong. And most NASS members represent states that permit internet voting, mainly by military and overseas voters _ another vulnerability.
As for the feds, among the most vital things they can do is share intelligence about cyber threats and provide national cybersecurity expertise that no state can be expected to produce. That's where the U.S. government appears to have failed in 2016.
As the working group met last summer, the FBI had already begun sending out "flash alerts" to election officials nationwide about attempted penetrations of statewide electronic voter registration databases. Homeland Security officials gave similar warnings. In Illinois, they and FBI agents examined the illegal download of records from 200,000 voters.
Attempted intrusions were discovered in Arizona and at least 19 other states.
Federal officials linked the attempted Arizona hack to Russia, and cyber experts publicly blamed the Kremlin for a major hack of the Democratic National Committee that exposed, with the help of transparency site WikiLeaks, embarrassing internal emails.
The hacks of voter registration databases had demonstrated that voting jurisdictions, many operating with equipment more than a decade old, had few defenses against these cyber perils. The tiny Election Assistance Commission (EAC), which plays a key role in delivering federal funding and election guidance to state and local agencies, and Homeland Security had responded to those hacks by issuing new guidelines for protecting registration data, as well as systems for reporting vote totals on election night.
But they did little to safeguard the voting equipment itself.
In the online cybersecurity working group, several experts prepared guidelines for a formal committee led by the EAC and the National Institute of Standards and Technology (NIST), which provides cyber expertise to federal agencies.
On Aug. 7, 2016, David Wagner, a University of California, Berkeley computer science professor who had a lead role on the working group, wrote in an email: "I'd like to push to see if we can get out something very soon, to provide as a resource for election officials preparing for elections this November. That means we need to move quickly."
Email chains and other records show that, with NIST fully in the loop, the group hurried to prepare the guidelines with the assumption they would be circulated before the election.
But three weeks later, on Aug. 30, NIST pulled the plug. No distribution would be formally considered in 2016 because it was too close to the election, NIST official Andrew Regenscheid told Susan Greenhalgh, a watchdog at the nonprofit Verified Voting who shepherded completion of the recommendations in the working group. Greenhalgh, who said she was stunned, confirmed the decision a couple of days later in a phone call with the head of NIST's voting unit.
"I told them I thought they were making a big mistake," Greenhalgh said.
From that moment until Election Day, Russia completed what one computer security expert privately described as a "cyber Pearl Harbor."
Meanwhile, many states and counties nationwide opted to allow federal reviews of their cyber hookups in the fall of 2016. They revealed widespread vulnerabilities. In South Carolina alone, National Guard cyber specialists found at least "high" risks in all 46 counties evaluated, 20 of which had issues identified as critical, according to public records obtained by University of South Carolina computer scientist Duncan Buell and Frank Heindl, a Charleston activist.
