With the clock ticking, a House committee looks to election security

Democrats on the House Homeland Security Committee will spend the rest of the year pushing election stakeholders to continue boosting security around election and voting systems, examining how the widespread shift to telework in the wake of COVID has impacted federal cybersecurity and shoring up network monitoring efforts at CISA, according to a top staffer.

Moira Bergin, staff director of the Cybersecurity and Infrastructure Protection Subcommittee said that Committee Chair Rep. Bennie Thompson (D-Miss.) is looking to maximize oversight activities with the congressional calendar dwindling and an upcoming election. Bergin spoke at an Aug. 18 virtual event hosted by Palo Alto Networks.

Key areas for Thompson include combating disinformation, fostering better cooperation between state and local election officials, pressing the U.S. Postal Service to support voting by mail, as well as pushing for security measures for in-person voting.

"We want to make sure that people are implementing security patches for their voter registration database, their e-pollbooks and their election equipment themselves," Bergin said.

The committee will urge the Cybersecurity and Infrastructure Security Agency to issue stronger guidance to states in the coming months around election security and offer cybersecurity scanning services and conduct more outreach to the thousands of cities and counties that they haven't worked with yet.

Another related goal includes continuing to promote standalone legislation that aims to funnel billions of federal grant dollars to state and local governments to modernize their outdated, insecure legacy systems.

"They've had a lot of success working with states on cyber scanning and implementing cyber solutions, but they've had less success working with local governments and counties," Bergin said. "We want to see them push some services down to those more local levels where there might be some more vulnerabilities that aren't being resolved."

CDM faltering on network monitoring

The committee also wants to examine how the shift to telework agencies in response to the pandemic has impacted federal cybersecurity, particularly when it comes to network monitoring, contractors and hiring policies for cybersecurity feds.

A Government Accountability Office report released this week assessed how federal agencies were implementing network monitoring tools through the Continuous Diagnostics and Mitigation program. One of the primary goals of CDM is to ensure agencies know about every user and device on their networks, but some agencies -- including those that were supposed to be farther along in the process -- have struggled to implement program requirements, leading to inaccurate counts of connected hardware and software.

Poor quality data sent from agencies to the CDM dashboard also resulted in inaccurate security scores from AWARE, a new risk scoring algorithm rolled out by the program last year. Program manager Kevin Cox has frequently said that AWARE will continue to change and apply more detailed scrutiny down to the individual system level as agencies mature their network monitoring capabilities.

"Until agencies fully and effectively implement CDM program capabilities, including the foundational capability of managing hardware on their networks, agency and federal dashboards will not accurately reflect agencies' security posture," the report concluded.

In an attached response, officials at the Department of Homeland Security concurred with all six of the recommendations issued by GAO and vowed to address the gaps at each identified agency.

"DHS remains committed to improving agencies' awareness of hardware on their networks and mitigating challenges identified with implementing the CDM program," wrote Jim Crumpacker, the department's liaison to GAO wrote.

Bergin said there have been several instances in the past few years where CISA has had to reprioritize its CDM deployments in the face of an immediate cybersecurity incident, such as when the Department of Health and Human Services was hit with a Denial of Service attack during the coronavirus pandemic in March. Similar redeployments took place in 2017 and 2018 when CISA temporarily stopped doing federal agency vulnerability assessments to handle a surge of requests from election jurisdictions in the lead up to the mid-term elections.

While those shifts made sense, Bergin argued more can be done to ensure that future emergencies don't lead to a complete halt in CISA's regular work.

"Robbing Peter to pay Paul works in a pinch, but it's not a policy you want to continue and crises will continue to happen," Bergin said. "We need to think about ways to equip CISA to surge resources in areas of high need without pressing pause on ongoing security problems."