States still seek answers on election tech

The Department of Homeland Security's January designation of election infrastructure as national critical infrastructure has state officials looking for answers -- in writing.

"It's a broad new role for the federal government," said Connecticut Secretary of State Denise Merrill in a Feb. 17 election cybersecurity panel at the National Association of Secretaries of State winter meeting.

"We have concerns about where it could go," she said, adding that NASS has asked for written guidance on exactly what DHS will do under the designation. She said she's been asking DHS for a written explanation laying out the agency's new role since the beginning of January, when then-DHS Secretary Jeh Johnson made the designation official.

Merrill said NASS currently is forming a task force to establish priorities and share information. She said the first meeting is slated for Feb. 18 in Washington.

The panel discussion centered on the critical infrastructure designation and included Neil Jenkins, chief policy of policy and planning at DHS. Jenkins received some pointed questions from the audience of state secretaries about the action, including why DHS decided to jump into the cybersecurity of state-run election processes when it did.

The designation has struck a raw nerve with some states.

When Johnson made the announcement in January, Georgia Secretary of State Brian Kemp called it a "blatant overreach" by the federal government and vowed to "continue to fight to keep election systems under the control of state government where it belongs."

He also later claimed DHS was "rattling doorknobs" on the state's firewall, prompting a letter from the House Committee on Oversight and Government Reform asking the agency for explanations.

That mistrust continued in questions lobbed from the audience at the DHS officer.

One audience member noted that the hacktivist group Anonymous threated the State of New Hampshire's election systems in the previous election cycle, yet noted DHS didn't act then. Another questioned the timing of the DHS announcement in the waning days of the Obama administration.

Jenkins responded to the question about New Hampshire by saying that the relatively minor impact Anonymous could have paled in comparison to the implications of Russian's efforts to penetrate state systems. "We tailor our reaction to risk," he said.

The designation's timing, Jenkins explained, came after the national election was over and the focus shifted to the security of the next election.

The 2016 campaign's cybersecurity issues came on fast and strong at the end of the election season. They accelerated after breaches of voting registration data in Arizona and Illinois were discovered ahead of the November election. The FBI determined that both hacks were from foreign sources, with the Arizona hack coming from Russia. That news, said Jenkins, sent state officials scrambling to ensure security of their systems, and left little time to focus on future strategies.

In his presentation, Jenkins said DHS is looking to start a wider dialogue ahead of the next election in hopes of sparking use of its cybersecurity scanning capabilities and expertise. He also wants to start conversations among state groups to share information on security and an overall dialogue on the issue. He also welcomed the planned NASS task force as a valuable place to communicate with states about the issue.

The designation, said Jenkins, can now help facilitate security and processes for the next election. "The last thing we want to do for 2018 is to dive back in during August and September," he said. "We want to make information sharing routine to use in planning, budgeting and procurement cycles."

The onslaught of news coverage and public attention, Merrill and other state secretaries said, drew a lot of resources and time to address and explain.

However, the rapid progression of the hacks and their attribution to Russia didn't allow time for a more thoughtful discussion between DHS and state election officials to develop, as they have with other critical infrastructure industries, according to Jenkins.

An experienced financial services infrastructure expert agreed.

"The roll-out caught you by surprise," said Heather Hogsett, vice president of technology and risk management BITS, at the Financial Services Roundtable. "There was no initial conversation" to help with the adjustment."

Financial services have long been designated critical infrastructure, she said. Financial services companies, she said, have learned how to work with DHS in sharing and receiving threat information, though sector coordination councils, and Information Sharing and Analysis Centers. No such support infrastructure exists for state election systems.

Jenkins said he was not surprised at the sometimes negative reaction and mistrust of the designation. "It's not the first time we've had this issue" with critical infrastructure providers, he said.

The goal, he explained, is to build trust and open a dialogue. "It's not about more regulation and oversight."

States, however, remain wary.

There are many unanswered questions about the practical impact of the designation, said Merrill. "Election transparency" is paramount, she said, and sharing data with DHS on possible intrusions could open up sensitive data to the federal government.

Merrill said her state IT department is using the same "cyber cleanse" technology as DHS and added that most of the good" cybersecurity information she got during the election came from the same department.

She wondered why she should use DHS' cybersecurity services, when her state is already getting basically the same information from their own operations.