CISA "not well-positioned" to execute nationwide election security strategy in 2020

A reorganization at the Department of Homeland Security's cyber agency has inhibited the development of larger strategic planning efforts to protect the 2020 elections, a new watchdog report found.

Election security has been a major focus for CISA since 2017, and agency leadership identified the issue as one of the agency's five top priorities coming out of the government shutdown in January 2019. However, according to a new Government Accountability Office report, larger reorganization effort as a result of new legislation that transformed the then-National Protection and Programs Directorate into CISA has slowed agency efforts to finish strategic and operational plans related to the 2020 elections.

Those plans are meant to identify organizational functions, processes, and resources for protecting election infrastructure, sharing intelligence and identifying threats. The agency told auditors that two other lines effort focused on operational plans to provide security assistance for political campaigns and a public awareness campaign on foreign influence operations are "unlikely" to be developed.

Agency officials also cited limited staffing resources to explain the delays and members of Congress have openly questioned in the past whether CISA has the budget and resources it needs to carry out its expanding mission in election security and other areas.

"The lack of finalized plans can affect CISA's achievement of higher-level objectives that take time to accomplish, such as building stakeholder capacity and public awareness," auditors wrote. "Until CISA finalizes its strategic and operations plans for supporting elections in 2020 and ensures that the operations plan fully addresses all of the aspects of its strategic plan, CISA will not be well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of 2020 election activities."

The audit also details findings from two internal assessments – one by CISA, the other by a contractor – which found a number of issues and concerns related to incident response efforts during the 2018 elections. Those issues include an inability to tailor services to the specific needs of different local election jurisdictions, not always providing actionable recommendations in threat briefings, not producing unclassified versions of their briefings for election officials to share with IT staff, a limited number of capabilities to offer on election day and a lack of clarity about what the agency could do in the event that an election jurisdiction is compromised and state and local resources are already exhausted.

CISA has traditionally received high marks for its post-2016 election security efforts from state and local organizations, members of Congress and security experts. Many state and local officials have praised the improved communication and assistance from the agency following a 2017 designation by of elections as critical infrastructure that left many states feeling protective and suspicious about a potential federal takeover. The GAO audit reflects that increased confidence, with election officials from seven of the eight states interviewed by auditors said they were "very satisfied" with CISA's help, with many praising the agency's technical expertise and willingness to offer resources and services.

According to figures provided in the report, CISA has provided 40 states and 161 local election jurisdictions with continuous scanning services of internet-accessible systems, 26 states and 20 localities with network security assessments, four states and 44 localities with remote testing of external systems and run phishing tests for 10 states and 5 localities. It's also worked to install Albert sensors that monitor for malicious traffic targeting election systems in all 50 states.

The agency spent much of its time between the 2016 and 2018 elections building up relationships and trust with state-level officials, and has told reporters it is now focused on doing the same with the approximately 8,000-10,000 local jurisdictions who face threats from ransomware, foreign hackers probing their voting or election systems and other actors.

The GAO recommended that the CISA Director should move swiftly to finalize its plans for 2020, address all lines four lines of effort as originally planned and document how it plans to address challenges identified in prior assessments.

In an attached response, a DHS official concurred with all three recommendations and said the agency will finalize its #Protect2020 Strategic Plan and 2020 Election Security Operations Plan in mid-February and release them shortly thereafter.

"DHS remains committed to ensuring the election stakeholder community has the necessary information to adequately assess risks and protect, detect and recover from those risks," Wrote Jim Crumpacker, the department's congressional and Inspector General liaison.