[Image via meritalk]

Efforts to assist state election officials with identifying and responding to cybersecurity threats will get a boost soon as the Department of Homeland Security plans to offer security clearances that will allow officials to see more detail about past, present and future attacks. The Wall Street Journal has more:

The Department of Homeland Security is clearing the way for state election officials to apply for security clearances so they can review classified information about cyberthreats to their election systems, federal and state authorities said in interviews this week.

The move comes after many state officials criticized the federal agency for, in their view, failing to provide certain information about suspected attempts to hack voter-registration systems during the 2016 presidential election. DHS formally designated election systems “critical infrastructure” in January, which federal officials said would help the agency prioritize election-security efforts.

Still, state officials of both parties continue to say they have lacked clarity on whether sensitive cybersecurity information could be shared, including whether election equipment used by vendors or localities in their state were the target of an attack.

“Cyberthreats launched from nation states into county clerks’ offices nationwide is not a fair fight, and we cannot continue to be reactionary due to lack of information,” said West Virginia Secretary of State Mac Warner in a statement. “I am pleased that DHS has agreed to sponsor security clearances for the states’ chief election officials toward this goal,” added Mr. Warner, a Republican.

The clearances won’t be for all classified information, but the hope is that state officials will get enough detail to assist their own cybersecurity defense efforts:

The clearances are for the purpose of sharing classified cyberthreat information related to election systems with each state’s top election official, a DHS official said. The clearances would be at the “secret” level, which is midlevel and doesn’t include the nation’s most sensitive secrets. DHS already offers a similar arrangement to certain private-sector industries deemed “critical infrastructure,” the official said.

The move to offer clearances is in response to revelations at recent Congressional hearings that state election officials may never have been apprised of potential attacks on their systems because of definitions of who “owns” the data:

“Even though we know those 21 states were attempted to be hacked into,” Sen. Mark Warner (D., Va.) said at the hearing where [DHS official Jeanette] Manfra testified, “in many cases the state election officials, whether the state directors or the secretaries of state, may not even have been notified.”

 “I find that stunning,” added Mr. Warner, the top Democrat on the Senate Intelligence Committee.

DHS would notify “the owner or operator” of a computer system hit by a cyberattack, DHS spokesman Scott McConnell said in a statement to The Wall Street Journal. A chief state election official might not meet DHS’s definition of “owner,” even if that system might be used in their state, Ms. Manfra told the Senate committee.

“It may not be the [state’s] Secretary of State or the state election director who owns that particular system,” she said. “So, in some cases it could be a locality or a vendor.”

That issue prompted many state election officials to ask whether DHS could share more information, and they requested security clearances in a July 20 letter to former Homeland Security Secretary John Kelly from the National Association of Secretaries of State.

“We are working with Secretaries of State and senior election officials to determine how best to share this information while protecting the integrity of investigations and the confidentiality of system owners,” Mr. McConnell said on Wednesday…

“I think we’re at a point now where we’re starting to break down some of the previous issues” regarding communication, Robert Kolasky, an acting deputy undersecretary at DHS, told the Journal after the Indianapolis meeting in early July.

This is a huge (and welcome) step forward for efforts to protect the nation’s election systems from outside interference … but as several people have pointed out online, the circle of trust needs to expanded to include local election officials as well, especially in those cases where the state has minimal involvement in local election operations. Still, it’s good to see DHS taking steps to provide election officials with access to the data they need to protect their systems – especially when that data would otherwise be considered secret.

The fight to secure and defend the nation’s election systems continues … stay tuned!

Posted in Uncategorized and tagged