[Image via wikimedia]
One interesting sidebar of recent discussions about elections and cybersecurity has been the question of what role the U.S. Department of Homeland Security (DHS) should play. While DHS has a clear interest in the topic – and, arguably, the qualifications to assist – there is some concern that a stepped-up federal presence could interfere with state and local control of elections.
Last Friday, DHS Secretary Jeh Johnson released a statement detailing all the ways in which the agency is prepared to assist – but emphasizes that such assistance would only be provided on a voluntary basis:
In recent months we have seen cyber intrusions involving political institutions and personal communications. We have also seen some efforts at cyber intrusions of voter registration data maintained in state election systems. We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balance built in.
Nevertheless, we must face the reality that cyber intrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyber hacktivists, and criminals. In this environment, we must be vigilant.
The Department of Homeland Security stands ready to assist state and local election officials in protecting their systems. In our cybersecurity mission, this is the nature of what we do – offer and provide assistance upon request. We do this for private businesses and other entities across the spectrum of the private and public sectors. This includes the most cybersecurity sophisticated businesses in Corporate America.
It is important to emphasize what DHS assistance does not entail. DHS assistance is strictly voluntary and does not entail regulation, binding directives, and is not offered to supersede state and local control over the process. The DHS role is limited to support only.
DHS offers the following services to state and election officials to assist in their cybersecurity:
- Cyber hygiene scans on Internet-facing systems. These scans are conducted remotely, after which we can provide state and local officials with a report identifying vulnerabilities and mitigation recommendations to improve the cybersecurity of systems connected to the Internet, such as online voter registration systems, election night reporting systems, and other Internet-connected election management systems.
- Risk and vulnerability assessments. These assessments are more thorough and done on-site by DHS cybersecurity experts. They typically require 2-3 weeks and include a wide range of vulnerability testing services, focused on both internal and external systems.
- The National Cybersecurity and Communications Integration Center, or “NCCIC.” The NCCIC is DHS’s 24×7 cyber incident response center. We encourage state and local election officials to report suspected malicious cyber activity to the NCCIC. On request, the NCCIC can provide on-site assistance in identifying and remediating a cyber incident.
- Information sharing. DHS will continue to share relevant information on cyber incidents through multiple means. The NCCIC works with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to provide threat and vulnerability information to state and local officials. All states are members of the MS-ISAC. DHS requests that election officials connect with their state CIO to benefit from this partnership and rapidly receive information they can use to protect their systems. State election officials may also receive incident information directly from the NCCIC.
- Sharing of best practices. DHS intends to publish best practices for securing voter registration databases and addressing potential threats to election systems from ransomware. These best practices documents will be publicly available by September 16, 2016.
- Field-based cybersecurity advisors and protective security advisors. DHS has personnel available in the field to provide actionable information and connect election officials to a range of tools and resources available to improve the cybersecurity preparedness of election systems and the physical site security of voting machine storage and polling places. These advisors are also available to assist with planning and incident management assistance for both cyber and physical incidents.
In recent weeks a number of states have reached out to us with questions or for assistance. We strongly encourage more state and local election officials to do so.
I’ll be curious to see how many more states decide to take DHS up on this offer; one major challenge, of course, is that Election Day is about seven weeks away and many (if not most) election offices are already at full go, meaning that bandwidth for even this kind of assistance is limited. I’ll also be watching to see if federal-state friction continues to play a role, given recent concerns by Secretaries of State from both sides of the aisle expressing doubts about calls for the federal government to declare election systems as “critical infrastructure.”
While it may be too late for many states to take full advantage of this offer before Election Day, I hope that the conversation can continue afterwards. More specifically, I hope that DHS’ offer to assist outlasts this fall’s election – and that state and localities will be willing, eventually if not immediately, to explore using this voluntary program to help harden their systems and make them more secure. Cybersecurity may be a “hot” issue in the media now, but it’s a vital issue for the field going forward.
Stay tuned …