CISA "not well-positioned" to execute nationwide election security strategy in 2020

Resource constraints and a reorganization have prevented CISA from rolling out its election security plans for 2020, but states still give the agency high marks.

threat detection
 

A reorganization at the Department of Homeland Security's cyber agency has inhibited the development of larger strategic planning efforts to protect the 2020 elections, a new watchdog report found.

Election security has been a major focus for CISA since 2017, and agency leadership identified the issue as one of the agency's five top priorities coming out of the government shutdown in January 2019. However, according to a new Government Accountability Office report, larger reorganization effort as a result of new legislation that transformed the then-National Protection and Programs Directorate into CISA has slowed agency efforts to finish strategic and operational plans related to the 2020 elections.

Those plans are meant to identify organizational functions, processes, and resources for protecting election infrastructure, sharing intelligence and identifying threats. The agency told auditors that two other lines effort focused on operational plans to provide security assistance for political campaigns and a public awareness campaign on foreign influence operations are "unlikely" to be developed.

Agency officials also cited limited staffing resources to explain the delays and members of Congress have openly questioned in the past whether CISA has the budget and resources it needs to carry out its expanding mission in election security and other areas.

"The lack of finalized plans can affect CISA's achievement of higher-level objectives that take time to accomplish, such as building stakeholder capacity and public awareness," auditors wrote. "Until CISA finalizes its strategic and operations plans for supporting elections in 2020 and ensures that the operations plan fully addresses all of the aspects of its strategic plan, CISA will not be well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of 2020 election activities."

The audit also details findings from two internal assessments – one by CISA, the other by a contractor – which found a number of issues and concerns related to incident response efforts during the 2018 elections. Those issues include an inability to tailor services to the specific needs of different local election jurisdictions, not always providing actionable recommendations in threat briefings, not producing unclassified versions of their briefings for election officials to share with IT staff, a limited number of capabilities to offer on election day and a lack of clarity about what the agency could do in the event that an election jurisdiction is compromised and state and local resources are already exhausted.

CISA has traditionally received high marks for its post-2016 election security efforts from state and local organizations, members of Congress and security experts. Many state and local officials have praised the improved communication and assistance from the agency following a 2017 designation by of elections as critical infrastructure that left many states feeling protective and suspicious about a potential federal takeover. The GAO audit reflects that increased confidence, with election officials from seven of the eight states interviewed by auditors said they were "very satisfied" with CISA's help, with many praising the agency's technical expertise and willingness to offer resources and services.

According to figures provided in the report, CISA has provided 40 states and 161 local election jurisdictions with continuous scanning services of internet-accessible systems, 26 states and 20 localities with network security assessments, four states and 44 localities with remote testing of external systems and run phishing tests for 10 states and 5 localities. It's also worked to install Albert sensors that monitor for malicious traffic targeting election systems in all 50 states.

The agency spent much of its time between the 2016 and 2018 elections building up relationships and trust with state-level officials, and has told reporters it is now focused on doing the same with the approximately 8,000-10,000 local jurisdictions who face threats from ransomware, foreign hackers probing their voting or election systems and other actors.

The GAO recommended that the CISA Director should move swiftly to finalize its plans for 2020, address all lines four lines of effort as originally planned and document how it plans to address challenges identified in prior assessments.

In an attached response, a DHS official concurred with all three recommendations and said the agency will finalize its #Protect2020 Strategic Plan and 2020 Election Security Operations Plan in mid-February and release them shortly thereafter.

"DHS remains committed to ensuring the election stakeholder community has the necessary information to adequately assess risks and protect, detect and recover from those risks," Wrote Jim Crumpacker, the department's congressional and Inspector General liaison.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.