CISA leans into facilitator role in election security plan

CISA chief Chris Krebs

Officials from the Cybersecurity and Infrastructure Security Agency often describe their role in election security as helping to coordinate and advise the larger ecosystem of election stakeholders.

In a newly released strategic plan, the agency lays out its strategy for protecting the 2020 elections by largely leaning into that facilitator role, breaking down its coordination activities across four lines of effort: elections infrastructure, campaigns and political infrastructure, the American electorate and warning and response.

To help protect digital and physical elections infrastructure, such as voting machines, election software systems and polling places, CISA views its role as largely complementary to that of states and localities, vendors and others on the front lines of election administration. Thus, getting those organizations to adopt better security practices through outreach and offers of federal resources are its prime tools.

The plan notes that CISA has "identified incident response and reporting as a capability gap" in its engagement with state and local governments, something a government watchdog report released just last week determined was an issue during the 2018 mid-term elections. With local officials unsure of who to contact when faced with different cybersecurity incidents, one tactic for closing that gap is a series of emergency response guide posters for polling places, election offices and storage facilities that offer step-by-step instructions on who to contact when variables such as weather, a violent incident, fire or cybersecurity events cause a disruption during an election.

The agency has also deployed physical and cybersecurity advisors to different regions across the country who act as the primary point of contact between the federal government and election stakeholders, offering vulnerability assessments, penetration testing, phishing tests and incident response services upon request. Some members of Congress want CISA to go even further and have introduced legislation that would have the agency designate cybersecurity coordinators for all 50 states.

Alabama Secretary of State John Merrill told FCW that while he wasn't opposed to the legislation, he believes CISA and other federal agencies are already listening to states.

"What we know is that our friends at DHS, at FBI, CIA, [Office of the Director of National Intelligence] have all been very receptive to suggestions that we have made over the last three years, and they have adjusted their programs, adjusted their responses … to be helpful to us whenever we've introduced something to them," Merrill said in a January interview when asked about the bill.

Bodies like the Multi-State Information Sharing and Analysis Center and Election Information Sharing and Analysis Center are also viewed as key arteries for quickly disseminating threat intelligence from the federal government to states and localities.

This week, CISA Director Chris Krebs told Congress he was committed to providing the Center for Internet Security -- which helps manage both centers and has a contract with Department of Homeland Security -- with the funding it needs going into the 2020 elections.

The agency's game plan for political campaigns is similar, offering services, testing and training to individual campaigns, joint briefings to campaigns on the latest threats and meeting with party organs like the Democratic and Republican National Committees.

While CISA primarily focuses on protecting the physical and technical infrastructure used to run elections, it stood up a task force focused on countering foreign influence operations during the 2018 election cycle. However, that group was limited to mostly studying the issue, and agency leadership routinely deferred questions about operational activities to the FBI, which leads federal efforts on countering foreign influence.

Whereas a years' long and multi-pronged covert campaign by Russia dominated the 2016 election, intelligence officials and disinformation experts have warned that 2020 could be a more crowded affair, with countries like China, Iran, North Korea, Turkey and others waging their own campaigns online.

The same day CISA's strategy was released, Facebook, Instagram and Twitter announced they had shut down a series of inauthentic accounts spreading content targeted at U.S. politicians and media outlets. These accounts impersonated legitimate journalists, commented on posts from members of Congress, posted videos of interviews discussing American politics and shared or amplified authentic accounts commenting on issues like President Donald Trump's impeachment trial, the Trump 2020 presidential campaign and Saudi Arabia's role in the Yemen war.

FireEye, a cybersecurity threat intelligence firm that reviewed the accounts at Facebook's request, gave a low-confidence assessment that the campaign was organized in support of Iranian political interests. Neither FireEye nor Facebook have directly attributed the activity to the Iranian government.

Lee Foster, FireEye's senior manager for information operations analysis, characterized the new activity as part of a larger online influence campaign the company first identified in May 2019, which saw accounts impersonating candidates running for the U.S. House of Representatives in 2018. Still, he told FCW that "U.S. domestic politics is electoral politics" and whether you consider the campaign to be targeting the upcoming 2020 elections depends on where you draw that line.

"For some people election interference would have to meet the threshold of Iran actively trying to bolster … or discredit a candidate for them to say this is election interference," said Foster. "But again, they're seizing on controversial, sensitive, domestic U.S. political issues that by their very nature … are associated with electoral politics."

Foster also said it's not immediately clear from open source data what specific goals or target audience the campaign was attempting to influence, beyond generally promoting Iranian interests.

A report released this week by the Atlantic Council found that "Iranian influence capabilities have gone largely unstudied" in the United States until 2018 and are likely to become more prevalent following the killing of Iranian Quds General Qassem Soleimani. From what is known, they tend to differ from Russian operations in that the goal is not to create chaos or confusion but rather to tell a distorted version of "Iran's story" and further its geopolitical interests across different mediums.

The Atlantic Council report calls for DHS to create a new intergovernmental entity under CISA to publicize foreign influence operations and for intelligence agencies to attribute them back to foreign governments where possible.

CISA's strategic plan is less ambitious, mostly outlining a continuation of previous research and educational efforts, like its "War on Pineapple" flyer for how to understand influence operations online. In previous cycles, the agency has worked to prop up states and localities as the authoritative source of election night information for voters. Officials plan to repeat those efforts in 2020 while also acting as a switchboard to route concerns about disinformation campaigns targeting specific election jurisdictions.