Congress focuses on money and staffing in election security

The Election Assistance Commission and the Cybersecurity and Infrastructure Security Agency were sharply questioned in hearings this week by lawmakers about human resource decisions. The EAC has just a small handful of employees dedicated to testing and certification of voting machines, and the acting director of testing and certification stepped down earlier this month. While the agency quickly hired a new director and has worked to bring on more personnel, there's concern that EAC staff could be under-resourced heading into the 2020 election cycle and beyond.

The agency had nearly 50 full-time employees and a budget of $17 million budget in 2009. Today they have a headcount in the low twenties and a budget of $10 million despite an expanded role in election cybersecurity. Chair Christy McCormick and other commissioners were questioned over a host of perceived staffing and management failures at a May 21 House Administration committee hearing.

"We need more staff. Our staff is strained the breaking point and this point and we need depth," McCormick said. "We have in some cases one person with no backup holding down jobs that need backup in case something happens, so we're asking for money so that we can hire more staff to meet the demands."

Meanwhile, a May 17 Daily Beast article revealed that CISA Deputy Director Matthew Travis had emailed employees asking for volunteers to "deploy" to the Mexican border to support the Trump administration's immigration priorities. The request comes at the same time that Krebs and CISA leadership are seeking to bolster hiring efforts for hundreds of additional cybersecurity and election security personnel. Acting DHS Secretary Kevin McAleenan told the House Homeland Security Committee May 22 that he believes the deployments will not impact other mission priorities at DHS.

At a separate hearing that same day, Christopher Krebs, Director of CISA, was pressed by House Oversight Chair Elijah Cummings (D-Md.) to explain how the request and subsequent deployments have affected his agency's operations. Krebs said that all DHS component agencies were asked by department leadership to pitch their employees on voluntary deployments to the border. Thus far, 10 CISA employees have deployed to the border, while another 10 are "available" to deploy.

Following the hearing, Krebs told FCW that of the 10 sent to the border, the bulk were from the Federal Protective Services and only one or two focus on cybersecurity issues. He could not forecast whether more "patriotic" cyber employees would decide to volunteer following the request from CISA leadership, but said the support needed at the border was more applicable to employees with legal and logistical support backgrounds, not cybersecurity.

"We're going to take risk-based approaches to all personnel deployments and volunteers. We'll look at it on a case-by-case basis," said Krebs.

This week, the FEC approved a new advisory opinion that clears the way for campaigns to accept free or discounted cybersecurity assistance from a Harvard non-profit, Defending Digital Campaigns. The group will be able to offer a suite of services to federal campaigns that includes cybersecurity incident response and monitoring, "boot camp"-style trainings and certification, on-site trainings and assistance, an advice hotline and cybersecurity related software and hardware.

The FEC opinion notes that DDC's non-profit and bipartisan nature (it's led by former Democratic and Republican campaign managers) were important factors that led to the commission's decision, something Chair Ellen Weintraub reiterated during her testimony to the House Oversight Committee.

"They're bipartisan, national security and tech savvy, and they can help protect campaigns from foreign and domestic cyber and information campaigns," said Weintraub. "It's a big step for the FEC to allow a group like this to assist campaigns. We allowed it because of the grave dangers campaigns face from hackers."

Weintraub said she is also introducing a proposal at the FEC, drawing from legislation filed by Sen. Ron Wyden (D-Ore.), that would let national political parties use segregated accounts set aside for headquarters buildings to buy secure devices and cybersecurity products for federal campaigns as well as national and state parties.