Election system threats not as severe as 2016, says DHS official

Election system security issues are still critical, but 2018 election infrastructure threats aren't as 'robust' as in 2016, a top Homeland Security official told Congress.

Russian online disinformation and network scanning activities continue ahead of the upcoming U.S. midterm elections in November. Christopher Krebs, under secretary for the National Protection and Programs Directorate at DHS told House lawmakers that Russia, as well as other bad actors, will continue to probe state election systems for vulnerabilities.

"The 2018 mid-terms remain a potential target for Russian actors, but the intelligence community has yet to see any evidence of a robust campaign aimed at tampering with our election system infrastructure along the lines of 2016 or influencing the outcomes of the House and Senate races," Krebs said at a July 11 hearing of the House Homeland Security Committee.

DHS is working on some level with all 50 states on election infrastructure security both directly and via the Election Infrastructure Subsector Government Coordinating Council and the Election Infrastructure Information Sharing and Analysis Center. The EI-ISAC, Krebs said, now has over 1,000 members, from state and local election entities.

Rep. Kathleen Rice (D-N.Y.) grilled Krebs on how he would brief the president on the threat to election systems given the president's skepticism of Russian interference in the 2016 election.

Ranking member Rep. Bennie Thompson (D-Miss.) complained the White House was making NPPD's job more difficult.

"You are responsible for securing federal networks a time when the White House national security advisor has decided to eliminate the National Security Council's cybersecurity coordinator," he said. "You're responsible for securing critical infrastructure networks, while the White House would rather save jobs in China than heed the advice of the intelligence community on supply chain vulnerabilities."

Krebs demurred on those questions, saying he was not responsible for overall policy, but focused on the specifics of protecting critical infrastructure.

Krebs and Nellie Gorbea, secretary of state of Rhode Island, told the committee that overall relationships between DHS and state election officials continues to warm, in spite of an initially rocky start after the Russian interference in the 2016 elections.

Information sharing and state requests for DHS "have smoothed considerably," Gorbea said. DHS has made an effort to understand the way state election operations work.

After Rhode Island requested a risk vulnerability assessment from DHS, the agency's "regional director, program person and security person" showed up at her office to introduce themselves, which built trust, she said.

Despite the increasing trust, Gorbea said that states and DHS still face challenges in how security threats and possible breaches are handled. As the relationship evolves, she said, DHS and state election officials have to strike a difficult balance.

"Their world is 'secure everything. Tell as few people as possible,'" she said. "We deal in open government and transparency."

Senators look to legislation

The same day the Senate Rules Committee held a hearing including testimony from members looking to advance legislation on election security.

"We want to put some processes in place to make sure that we’ve not forgotten the lessons from 2016," Sen. James Lankford (R-Okla.) said. "There are some basic things that could be done while still allowing the states to control their election structures and have flexibility on the type of election machines that they want to have."

Lankford is working with Sen. Amy Klobuchar (D-Minn.) to refine the Senate Elections Act -- a bill they first introduced in December 2017 to streamline cybersecurity information sharing between federal and state election agencies, provide security clearances to state election officials and provide resources for states to upgrade their election equipment. The two have held meetings with the Elections Assistance Commission and DHS officials, and in April met with a bipartisan group of secretaries of state who shared their advice on the legislation.

At the same hearing, Sen. Ron Wyden (D-Ore.) discussed his elections bill, the Protecting American Votes and Elections Act of 2018, which was introduced in June.

"My legislation focuses on two common-sense measures that are backed by the overwhelming number of cybersecurity experts in our country: paper ballots and risk-limiting audits," Wyden said. "I wrote the big voting machine companies asking basic questions about cybersecurity ... but the companies refused to answer how or even if they are protecting their systems and the votes of the American people."

As of July 11, every state except Nevada has requested Help America Vote Act  funds from the EAC that were made available in March as part of the omnibus spending package.  EAC Commissioner Christy McCormick explained how some states are using their funding to improve their election security posture.

South Dakota is using the $3 million that it received to upgrade voting equipment including ballot marking devices and tabulators.  The state is also making "crucial cybersecurity upgrades" to its state voter registration file and election night reporting website.

In New York, officials plan to use its $19.48 million to implement a state and local cybersecurity risk assessment program to identify vulnerabilities, monitor ongoing security operations and respond to incidents.

The West Virginia Secretary of State’s office created a plan for cyber and physical security assessments with its $3.6 million that will increase election system protection, bolster detection capabilities and prepare for corrective actions.

At the same time that the EAC is distributing the HAVA funds, it is also working with the National Institute of Standards and Technology on version 2.0 of the Voluntary Voting System Guidelines.

"As U.S. election infrastructure has evolved, so have its security concerns which today range from unauthorized attempts to access the voter registration systems of multiples states to errors or malicious software attacks," NIST's Information Technology Laboratory Director Charles Romine said. "The guidelines address these evolving concerns including support for advanced auditing methods and support for two-factor authentication so security protections built by industry over the last decade are built into the voting system."

Portions of this article originally appeared in FCW's sibling publication GCN.