DHS official: Look beyond November on voting-system security
Connecting state and local government leaders
The real emphasis, according to Assistant Secretary of Cybersecurity and Communications Andy Ozment, should be on building in cybersecurity "from the get-go" on the next generation of systems.
With the 2016 elections just seven weeks away, state and local governments continue to work with the Department of Homeland Security to scan for vulnerabilities in voting and voter registration systems. DHS's Andy Ozment, however, contends that the real emphasis should be elsewhere.
"That’s a conversation that we’re having with state and local governments," said Ozment, DHS's assistant secretary of cybersecurity and communications, at a Sept. 20 event. "It’s an important conversation, but it’s not the conversation that should be the focus of our time right now."
Politically motivated cyberattacks on Democratic Party organizations, thought to be the work of Russian organizations, have raised concerns that the November elections could be hacked. And many election systems have been found to be far from secure. DHS Secretary Jeh Johnson said in August that the administration might classify election systems as critical infrastructure worthy of federal protection.
Ozment, who took part in a Washington, D.C., panel discussion hosted by the nonprofit organization Center Forward, said there was no timeline for a final decision on the critical infrastructure designation. He also voiced confidence in the system’s overall resiliency as Election Day approaches and urged a longer term view.
"We have an incredibly distributed election system," Ozment said. "We have thousands of state and local governments who are responsible for voting in their jurisdiction. That makes it a robust system." He added that few actual voting systems were connected to the internet, while acknowledging that voter registration systems and databases might have more online exposure.
"We should absolutely be focused on cybersecurity for that system," he said, but it's more important "to take the focus that we’ve got and -- particularly as we upgrade these systems over the next four years -- make sure that we build cybersecurity in from the get-go."
In the meantime, Ozment said, DHS is "making sure state and local governments are aware of all the resources we have to offer to help them." Those resources, he said, range from best practices guidance to "vulnerability scans across state government networks. We’ll do this for free; we’ll give them a report about every vulnerability we see."
Some of those services are available through the Multi-State Information Sharing and Analysis Center -- an independent organization set up to help state, local, tribal and territorial governments on cybersecurity matters without directly engaging DHS. Others, Ozment said, are being provided by various DHS components, though he stressed that none of them were mandatory.
While there have been some calls (and concerns) for cybersecurity responsibilities to be more centralized, Ozment said DHS aims to be more like a firefighter for cyber -- scrambling to help when an incident occurs, while working to educate and empower others to prevent problems in the first place.
"Every aspect of government has to be dealing with cybersecurity," he said. "There’s no way to say this one agency in charge."
NEXT STORY: Cybersecurity gains awareness, but not funding