At EAC Hearing, DHS Stresses That “Critical Infrastructure” Designation Won’t Hinder States

[Image via govtech]

Yesterday, the U.S. Election Assistance Commission held a public hearing examining the designation of elections as “critical infrastructure” by the Department for Homeland Security. At that meeting, DHS tried to emphasize that the designation won’t limit states’ control over the election process – but states remain skeptical. GCN has more:

At an April 4 Election Assistance Commission public hearing, a senior Department of Homeland Security official sought to stress one thing: The designation of election systems as critical infrastructure doesn’t cut into states’ autonomy.

Concerns over DHS control have simmered since then-Secretary Jeh Johnson first suggested the critical infrastructure designation last summer. Yet Neil Jenkins, DHS’ director of the Enterprise Performance Management Office, said at the EAC hearing that his agency sees the National Association of Secretaries of State (NASS) Election Cybersecurity Task Force as the main point of contact for deciding when DHS system-scanning tools are needed.

Jenkins also said he sees the EAC as a critical point of contact for local officials who may be interested in utilizing DHS scanning and security products.

Indeed, DHS notes that many states and localities have already asked the agency for assistance:

Robert Hanson, DHS’ director of the prioritization and modeling at Office of Cyber and Infrastructure Analysis, added that many state and local governments already have turned to DHS for such support. In the lead up to 2016 elections, 33 states and 36 counties used DHS tools to determine potential vulnerabilities and get mitigation advice.  Hanson declined to share the specific list of customers and services with the EAC commissioners, saying that information was classified.

State officials continue to be concerned about the designation, however, arguing that it is unnecessary:

State and local officials, however, reiterated their concerns on the critical infrastructure designation. “While we are still strongly opposed, we are coming to the table reluctantly because the wheels are already in motion,” said Connecticut Secretary of State Denise Merrill, who also serves as president of NASS.

Merrill referenced two intrusions into state registration systems in Georgia and Indiana prior to last fall’s elections. However, no vote tallying systems were specifically targeted in either instance.

“Voting by internet-based systems is not a reality in the United States,” Merrill said.  “The 2016 cycle demonstrated that we are not really cyber at all except for our voter registration databases.”

DHS indicated that its work would focus in part on those voter registration databases:

The ability to hack election results is quite limited, DHS’s Hanson agreed, due to the diversity of methods states and counties use to count votes.

Yet moving forward, he said, there could be an ability to hack electronic poll books, which could deny legitimate voters the ability to vote.  And the adoption of new voting technologies could introduce additional risk.

DHS also plans to focus on the security of newer voting systems:

The first is settling on an agreed-upon characterization of election systems. DHS officials are not subject-matter experts when it comes to elections, he said. “We need to determine what are the election systems and why do we care about them,” said Hanson.

Second, DHS plans to apply its risk assessments through structured processes and methodologies that can be used to consistently examine the elections space.

Last, Hanson said, emerging risks will need to be addressed through more qualitative discussions.  Products such as electronic poll books are not widely adopted yet, he noted, and can’t easily be factored into standardized assessments.

On one hand, it is encouraging to see that DHS is planning to rely on state officials and the EAC for guidance in implementing the critical infrastructure designation, in an effort to alleviate some of the concerns about what it means for an expanded federal role in elections. But those concerns still clearly exist – and the lack of clarity has seemingly done nothing to reduce the focus on reversing the designation rather than put it into place.

Expect this battle to continue for the foreseeable future – and for the fallout to affect state-federal relations in this space even longer. For now, stay tuned …

Be the first to comment on "At EAC Hearing, DHS Stresses That “Critical Infrastructure” Designation Won’t Hinder States"

Leave a comment

Your email address will not be published.