What’s next for cybersecurity, election info sharing?

Vithun Khamsong via Getty Images

Featured eBooks
Chasing New Industry
NASCIO Special Report 2024
Changes in State and Local Government Workforces
Insights & Reports
How data management supports State & Local Government modernization.
Presented By TD SYNNEX
Download Now
Reliable Emergency Response During Natural Disasters
Presented By Mark43
Download Now
Chris Teale By Chris Teale,
Managing Editor, Route Fifty

By Chris Teale

|

Federal funding has been slashed by $10 million for two information sharing centers, which both have tens of thousands of members. A more fragmented and expensive future could follow as states and others go it alone.

Information sharing on cybersecurity and election threats may become a whole lot harder after the Department of Homeland Security ended some federal funding for two partnerships used by thousands of state and local governments.

A spokesperson for the Cybersecurity and Infrastructure Security Agency confirmed it terminated a $10 million partnership with the Center for Internet Security for the Multi-State Information Sharing and Analysis Center, and the Election Infrastructure Information Sharing and Analysis Center. That figure is less than half of the funding CISA provides, the spokesperson noted.

The spokesperson said MS-ISAC and EI-ISAC, which allow state, local, tribal and territorial governments to share threat information and best practices while providing tools and other services for free or at a reduced cost, “no longer effectuates department priorities."

Among the activities that would be cut are stakeholder engagement, cyber threat intelligence and cyber incident response, which the spokesperson said are already offered by CISA to SLTT governments.

"This action will save taxpayers approximately $10 million a year, focus CISA’s work on mission critical areas, and eliminate redundancies,” the spokesperson said. “The agency is committed to good stewardship of taxpayer dollars.”

It is still unclear what the cutbacks, which DHS first announced last week, mean for the future of MS-ISAC, while EI-ISAC’s website notes that the Center for Internet Security “no longer supports” it. A CIS spokesperson declined to comment via email, except to say that “many of the questions we are receiving are the same ones we are asking.”

Related articles

‘The $42B question’: What’s next for federal broadband funding?

Lessons learned from whole-of-state cybersecurity efforts

Federal tech grant recipients sweat future amid ongoing uncertainty

Carlos Kizzee, senior vice president for strategy and plans at MS-ISAC, told Route Fifty in a brief interview that he remains “proud” of its 18,000 members and their “passion” for helping others. The “strength and power of its members” as they collaborate is key, he said.

“It’s almost impossible to put a price tag on the value that generates,” Kizzee said on the sidelines of the Billington State and Local Cybersecurity Summit in Washington, D.C. this week.

It is also unclear what the groups’ apparent demise could mean for the future of information sharing on cybersecurity and elections. Tim Harper, a senior policy analyst for elections and democracy at the Center for Democracy and Technology, said the decision will “sacrifice national security for pennies on the dollar.” The consequences could be enormous, and not just be financial but also undercut interstate and intergovernmental relationships that have taken years to build.

Being protected against those multiplying threats, then, requires all hands on deck — not just from CISA and other federal agencies, but also through information-sharing consortia like MS-ISAC. Rita Reynolds, chief information officer at the National Association of Counties, said governments do not just rely on one entity for all their cyber assistance. Current services “augment each other,” she said.

“What we always say to the counties and even in our organization, is that you need multiple layers of defense,” Reynolds said. “It's the multiple layers of defense that make us successful. Even in the counties, we may have one or two or three tools where there's overlap, but that's not a bad thing. … If everything were exactly the same, then there would have to be questions about, why are we paying for exactly the same service? But that's not the case.”

The shuttering or reduction in scale of these two information centers will leave a big hole, experts warned.

“Until last week, the Center’s sole purpose has been to protect our elections against cyber threats,” Carolina Lopez, executive director of the Partnership for Large Election Jurisdictions, said in an email. “Elections were more secure in 2018, 2020, 2022 and 2024 because of the resources, training and knowledge provided by the EI-ISAC and its dedicated public servants.”

Governments could feel the biggest impact of the ISAC funding cuts in their own budgets, especially as they offer shared services to members either for free or at a vastly reduced cost. In a letter last month, Washington Secretary of State Steve Hobbs warned that without federal support, securing local networks would cost the state “three times as much” as it does now. He said that funding uncertainty “jeopardizes vital cybersecurity resources that help election officials nationwide combat cyber threats, including ransomware and foreign interference.”

From a cybersecurity perspective, not having access to MS-ISAC’s services could impact whether local governments are able to fulfil their requirements for cyber insurance. Premiums are already high and still rising, and not having an organization as a backstop could hurt.

“Cyber insurance is a hot button, and for now it's needed at the county level,” Reynolds said. “The requirements are ever increasing, and understandably so: there definitely should be a baseline of cyber defenses. The reality is that some of what [governments] were relying on from MS-ISAC, now they have to look elsewhere, and they may not be able to implement so it could affect cyber insurance renewals and premiums.”

Harper said while federal leadership may present the funding cut as a cost-saving measure, in the end, residents will still be on the hook.

“Taxpayers are still going to foot the bill for expensive private sector alternatives or risk leaving elections exposed,” he said. “It's not cost cutting, it's just cost shifting, and local taxpayers will end up paying the price. I don't think the argument that this is a cost savings measure really measures up. I would also emphasize that slashing election security to save a few million dollars right now could cost taxpayers hundreds of millions when the next cybersecurity attack hits.”

Both information-sharing centers have been crucial in building trust between the various levels of government, something that they have traditionally struggled with, even on crucial subjects like cybersecurity and elections. Reynolds said it “took them a long time” to build trust so that state and local governments would share information, and Harper said there would be a “trust deficit” that would somehow need to be rebuilt with the centers’ demise.

“When CISA was established and election infrastructure was declared to be a critical infrastructure sub-sector in 2017, trust between state and local election officials and CISA was nonexistent,” Harper said. “There was a huge bias against the idea of federal intervention in what was considered to be state and local authority to run elections, and it was really through a very concerted effort to build trust.”

Now, the onus might be on states and national-level organizations to bolster existing offerings, like through state fusion centers or security operations centers, which bring together various state, local and federal resources under one roof. Reynolds said NACo is already exploring how it can boost its own cyber offerings, including tabletop exercises, webinars and other training, and is looking at existing partnerships with academia and the private sector to see if they can scale up.

Meanwhile, Arizona Secretary of State Adrian Fontes is reportedly already working on an alternative to EI-ISAC to help state and local elections offices. And other national groups are looking to pick up the slack.

A spokesperson for the National Association of Secretaries of State said its members “have built robust security teams within their offices and work with multiple entities on election security and resilience including private sector companies, other state government officials, universities, and more. States will continue to defend against cyber and physical threats to their election systems.”

Working across state borders will be tricky, Harper said, as the two ISACs were set up to do just that and there is no true equivalent that exists right now.

“Identifying what institutions that can help with an information sharing initiative like this is crucial,” he said. “That doesn't exist right now and would need to be built from scratch.”

NEXT STORY: Progressives seek health privacy protections in California, but Newsom could balk

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.