Questions, concerns continue to swirl around election security
Connecting state and local government leaders
The Department of Homeland Security is not seeking control of election-related critical infrastructure, but state and local election officials remain wary.
At an April 4 Election Assistance Commission public hearing, a senior Department of Homeland Security official sought to stress one thing: The designation of election systems as critical infrastructure doesn’t cut into states' autonomy.
Concerns over DHS control have simmered since then-Secretary Jeh Johnson first suggested the critical infrastructure designation last summer. Yet Neil Jenkins, DHS' director of the Enterprise Performance Management Office, said at the EAC hearing that his agency sees the National Association of Secretaries of State (NASS) Election Cybersecurity Task Force as the main point of contact for deciding when DHS system-scanning tools are needed.
Jenkins also said he sees the EAC as a critical point of contact for local officials who may be interested in utilizing DHS scanning and security products.
Robert Hanson, DHS' director of the prioritization and modeling at Office of Cyber and Infrastructure Analysis, added that many state and local governments already have turned to DHS for such support. In the lead up to 2016 elections, 33 states and 36 counties used DHS tools to determine potential vulnerabilities and get mitigation advice. Hanson declined to share the specific list of customers and services with the EAC commissioners, saying that information was classified.
State and local officials, however, reiterated their concerns on the critical infrastructure designation. “While we are still strongly opposed, we are coming to the table reluctantly because the wheels are already in motion,” said Connecticut Secretary of State Denise Merrill, who also serves as president of NASS.
Merrill referenced two intrusions into state registration systems in Georgia and Indiana prior to last fall’s elections. However, no vote tallying systems were specifically targeted in either instance.
“Voting by internet-based systems is not a reality in the United States,” Merrill said. “The 2016 cycle demonstrated that we are not really cyber at all except for our voter registration databases.”
The ability to hack election results is quite limited, DHS's Hanson agreed, due to the diversity of methods states and counties use to count votes.
Yet moving forward, he said, there could be an ability to hack electronic poll books, which could deny legitimate voters the ability to vote. And the adoption of new voting technologies could introduce additional risk.
As machines purchased under the 2002 Help America Vote Act continue to be phased out of service, Hanson warned that new security flaws could be introduced if the replacement systems aren't properly vetted. He said DHS is working to address that risk in three stages.
The first is settling on an agreed-upon characterization of election systems. DHS officials are not subject-matter experts when it comes to elections, he said. “We need to determine what are the election systems and why do we care about them,” said Hanson.
Second, DHS plans to apply its risk assessments through structured processes and methodologies that can be used to consistently examine the elections space.
Last, Hanson said, emerging risks will need to be addressed through more qualitative discussions. Products such as electronic poll books are not widely adopted yet, he noted, and can't easily be factored into standardized assessments.
NASS, meanwhile, will continue to ask President Donald Trump’s administration to rescind the critical infrastructure designation for election systems, based on a February vote by its members.