Election system threats not as severe as 2016, says DHS official

Election system security issues are still critical, but 2018 election infrastructure threats aren't as "robust" as in 2016, a top official told Congress.

election security (Shutterstock.com)
 

Election system security issues are still critical, but 2018 election infrastructure threats aren't as 'robust' as in 2016, a top Homeland Security official told Congress.

Russian online disinformation and network scanning activities continue ahead of the upcoming U.S. midterm elections in November. Christopher Krebs, under secretary for the National Protection and Programs Directorate at DHS told House lawmakers that Russia, as well as other bad actors, will continue to probe state election systems for vulnerabilities.

"The 2018 mid-terms remain a potential target for Russian actors, but the intelligence community has yet to see any evidence of a robust campaign aimed at tampering with our election system infrastructure along the lines of 2016 or influencing the outcomes of the House and Senate races," Krebs said at a July 11 hearing of the House Homeland Security Committee.

DHS is working on some level with all 50 states on election infrastructure security both directly and via the Election Infrastructure Subsector Government Coordinating Council and the Election Infrastructure Information Sharing and Analysis Center. The EI-ISAC, Krebs said, now has over 1,000 members, from state and local election entities.

Rep. Kathleen Rice (D-N.Y.) grilled Krebs on how he would brief the president on the threat to election systems given the president's skepticism of Russian interference in the 2016 election.

Ranking member Rep. Bennie Thompson (D-Miss.) complained the White House was making NPPD's job more difficult.

"You are responsible for securing federal networks a time when the White House national security advisor has decided to eliminate the National Security Council's cybersecurity coordinator," he said. "You're responsible for securing critical infrastructure networks, while the White House would rather save jobs in China than heed the advice of the intelligence community on supply chain vulnerabilities."

Krebs demurred on those questions, saying he was not responsible for overall policy, but focused on the specifics of protecting critical infrastructure.

Krebs and Nellie Gorbea, secretary of state of Rhode Island, told the committee that overall relationships between DHS and state election officials continues to warm, in spite of an initially rocky start after the Russian interference in the 2016 elections.

Information sharing and state requests for DHS "have smoothed considerably," Gorbea said. DHS has made an effort to understand the way state election operations work.

After Rhode Island requested a risk vulnerability assessment from DHS, the agency's "regional director, program person and security person" showed up at her office to introduce themselves, which built trust, she said.

Despite the increasing trust, Gorbea said that states and DHS still face challenges in how security threats and possible breaches are handled. As the relationship evolves, she said, DHS and state election officials have to strike a difficult balance.

"Their world is 'secure everything. Tell as few people as possible,'" she said. "We deal in open government and transparency."

Senators look to legislation

The same day the Senate Rules Committee held a hearing including testimony from members looking to advance legislation on election security.

"We want to put some processes in place to make sure that we’ve not forgotten the lessons from 2016," Sen. James Lankford (R-Okla.) said. "There are some basic things that could be done while still allowing the states to control their election structures and have flexibility on the type of election machines that they want to have."

Lankford is working with Sen. Amy Klobuchar (D-Minn.) to refine the Senate Elections Act -- a bill they first introduced in December 2017 to streamline cybersecurity information sharing between federal and state election agencies, provide security clearances to state election officials and provide resources for states to upgrade their election equipment. The two have held meetings with the Elections Assistance Commission and DHS officials, and in April met with a bipartisan group of secretaries of state who shared their advice on the legislation.

At the same hearing, Sen. Ron Wyden (D-Ore.) discussed his elections bill, the Protecting American Votes and Elections Act of 2018, which was introduced in June.

"My legislation focuses on two common-sense measures that are backed by the overwhelming number of cybersecurity experts in our country: paper ballots and risk-limiting audits," Wyden said. "I wrote the big voting machine companies asking basic questions about cybersecurity ... but the companies refused to answer how or even if they are protecting their systems and the votes of the American people."

As of July 11, every state except Nevada has requested Help America Vote Act  funds from the EAC that were made available in March as part of the omnibus spending package.  EAC Commissioner Christy McCormick explained how some states are using their funding to improve their election security posture.

South Dakota is using the $3 million that it received to upgrade voting equipment including ballot marking devices and tabulators.  The state is also making "crucial cybersecurity upgrades" to its state voter registration file and election night reporting website.

In New York, officials plan to use its $19.48 million to implement a state and local cybersecurity risk assessment program to identify vulnerabilities, monitor ongoing security operations and respond to incidents.

The West Virginia Secretary of State’s office created a plan for cyber and physical security assessments with its $3.6 million that will increase election system protection, bolster detection capabilities and prepare for corrective actions.

At the same time that the EAC is distributing the HAVA funds, it is also working with the National Institute of Standards and Technology on version 2.0 of the Voluntary Voting System Guidelines.

"As U.S. election infrastructure has evolved, so have its security concerns which today range from unauthorized attempts to access the voter registration systems of multiples states to errors or malicious software attacks," NIST's Information Technology Laboratory Director Charles Romine said. "The guidelines address these evolving concerns including support for advanced auditing methods and support for two-factor authentication so security protections built by industry over the last decade are built into the voting system."

Portions of this article originally appeared in FCW's sibling publication GCN.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.