Election security ramps up for 2020
Connecting state and local government leaders
The Cybersecurity and Infrastructure Security Agency is building a more permanent institutional capacity to tackle election security.
Pushing back on a media report that the Department of Homeland Security has scaled back personnel and resources from its combatting foreign election interference, Christopher Krebs, -- director of Cybersecurity and Infrastructure Security Agency, the DHS cybersecurity unit charged with securing elections -- hosted a conference call with reporters to discuss two CISA task forces coordinating the department's response to foreign influence in U.S.
Krebs didn't deny that personnel levels for the task forces were reduced. He characterized the task forces as temporary vehicles to address an emerging threat while CISA worked to hire staff and build more permanent institutional capacity to tackle election security and counter foreign influence.
On Feb. 13, Krebs testified before the House Homeland Security Committee that DHS was "clear-eyed that the threat to democratic institutions remain" and that the agency would be expanding its engagement with local election officials in the next two years after establishing working relationships with all 50 state governments.
"The area that I think we need to invest the most in the nation is ensuring auditability across infrastructure," Krebs said at the hearing of the House Homeland Security Committee. "If you don't know what's happening and you can't check back at what's happening in the system -- you don't have security."
While 34 states and the District of Columbia have some laws mandating post-election audits, according to the National Conference of State Legislatures, Congress has been unable to agree on how hard or soft to make such language in legislation.
Krebs and Election Assistance Commission (EAC) Chair Thomas Hicks endorsed the need for greater auditability, though both deferred to states on the question of whether it should be done digitally or by hand.
In particular, states and Republicans have pushed back on bills, including the H.R. 1 legislation currently before the House, that seek to tie eligibility for federal election security grant funding to mandates for paper ballots and risk-limiting or hand-counted post-election audits, which require some form of paper trail.
While most Democrats support mandates around paper ballots and hand-counted or risk-limiting audits, there are indications that if resistance from congressional Republicans and states continue, those demands could soften if it means sending more dollars to states and localities for election infrastructure upgrades.
Most election security experts endorse the two measures because they say that if a machine is hacked and vote totals are altered, the hacker would also be able to change the electronic image of the results that are used as a baseline for auditors to compare vote counts.
Krebs testified that over the past two years, CISA has conducted individual vulnerability assessments and penetration tests for the election infrastructure of at least 26 states and localities and found significant overlap for some of the most easily recognizable vulnerabilities.
"The interesting thing that we found was that of all those assessments, the findings were generally similar: unpatched systems, misconfigured systems, lack of multi-factor authentication," said Krebs.
Those findings were used to create guidance for states to use in spending $380 million in leftover Help America Vote Act funding allocated in 2018. Cooperation between the federal government and states is "light years" ahead of where it was in 2016, Krebs said, but "there's certainly more to do."
"The federal government -- especially Congress -- must understand the resource constraints of local election officials and partner with them to address vulnerabilities to election infrastructure though grants and services," committee Chairman Rep. Bennie Thompson (D-Miss.) said in his opening statement.
Hicks said early results from analyzing federal financial reports of the $380 million sent to states last year show that 58 percent was spent on "shoring up cybersecurity" while 33 percent went to replacing machines. Hicks emphasized those numbers are not final and could change as the commission analyzes more data.
New voluntary guidelines for purchasing voting machines are expected to be approved by EAC later this year, but they must go through public comment first. Several lawmakers expressed concern that such guidance will not be available to states in time to affect purchasing decisions for the 2020 elections.
CISA received a $111 million boost over the administration's request for fiscal year 2019 an increase that Krebs said includes year-over-year funding for fiscal 2019 for election security operations.
Krebs has been telling staffers that the 2020 elections are a big priority. Shortly after the shutdown, the agency held a staff meeting to discuss priorities for the next year, according to a source with knowledge of the matter. Krebs reportedly laid out five strategic priorities that the agency would be focusing on for the upcoming year, with election security being one of them. Ramping election security efforts back up was also one of the first priorities for the agency coming out of the shutdown, as FCW reported last month.
This article is a combination of two reports that first appeared on FCW, a sibling site to GCN.