Given the too-late realization that Russia interfered in the 2016 presidential election through massive disinformation campaigns and -- as the Mueller report most recently documented with a few new twists -- actual efforts to hack into state elections systems, it’s no surprise that election security under the rubric of “Protect 2020” was a key theme running throughout the Cybersecurity and Infrastructure Security Agency’s (CISA) second annual Cybersecurity Summit.
Even so, CISA Director Christopher Krebs kicked off the summit by cautioning against the kind of fearful language and overwrought concerns currently surrounding the topic of election security. “We've got to be more straightforward, more measured, more reasonable in how we talk about things. Election security is a great example. Are there true, absolute, fundamental risks in the infrastructure? Yes, but we have to take the hysteria out of the conversation because ultimately what we do is we drive broader voter confidence down,” he said.
A more balanced and less heated approach to election security does not mean, however, that the country can ignore the hard work that’s needed to ensure that the 2020 elections are safe from malicious actors and cyber threats. “I want to fast-forward to November next year and what will most likely be the most dynamic presidential race and campaign in our lifetimes, at least mine. What are you going to do to protect 2020, what is your company going to do? What is your organization going to do? How are you going to work at the local level to support your local precinct? Are you going to understand what the requirements are when you show up to vote?”
One emerging concern when it comes to the 2020 election is the role that ransomware could play in locking up local election systems, particularly given the recent ransomware attacks that crippled 23 municipalities in Texas. Based on threat modeling, in a year from now during the run-up to the 2020 election, “ransomware could be deployed against a voter registration database” and other election elements that “could wreak disruption to the process,” Krebs said. The balancing act CISA faces is to “not only work with our partners to secure those databases, but also understand that we're not going to catch every arrow that comes at it.”
Election security money available
Later, in a panel discussion with Senator Mark Warner (D-VA), Krebs said election officials need help, they need money, but he’s confident that “things are headed in the right direction” when it comes to the stalemate in the Senate over passing election security legislation, some versions of which give state and local election officials more money to protect their election systems.
(Later, in talking to CSO, Senator Warner hinted that he didn’t share Director Krebs’ optimism that such legislation would pass. Later that day, Senator Mitch McConnell (R-KY), the chief obstacle to the legislation, caved under pressure and agreed to a new election security measure that would give states $250 million to help them improve election security. That’s not enough, Warner responded. “I worry people are missing the point on this. Additional election security funding is a necessary but not sufficient part of securing our elections. Until Leader McConnell allows bipartisan election security legislation to proceed, our elections will remain vulnerable.” he said in a tweet.)
The US was caught off guard in terms of the election-related attacks by Russia during the 2016 election but based on the assessments of local, state and federal officials in charge of rectifying election system weaknesses, the infrastructure is in a much stronger position today to ward off similar future attacks. The improvement is in part due to a tranche of new election security funds appropriated last year under the Help America Vote Act (HAVA).
In Texas, for example, the HAVA dollars went toward assessing the level of election security as well as cybersecurity and physical security at the local election offices in all the state’s counties, Keith Ingram election director for the State of Texas, said during an election security panel discussion at the Summit. What they discovered after these assessments “are exactly what you’d expect…that administrative privileges are too broadly distributed, that there aren't sufficient written policies and that sort of thing.”
Using the HAVA money, “we've hired a couple of cyber navigators, cybersecurity trainers, whatever you want to call them, to handle the counties through the process of working through remediation,” he said. “So, we feel like we've made great progress in Texas. We've got quite a lot of work to do with regard to remediation before the general election of 2020, but we anticipate having spent most of the federal dollars by the time of the general election.”
Better communication about election security
One noticeable difference between election security in 2016 and today is that now officials are talking to one another across all levels of government. “It’s important to reflect on how far we've come since 2016,” Ingram said. “In the summer of 2016, the Federal Bureau of Investigation had information that they wanted to share with election offices and they wanted us to share information with them. The fact is we didn't know each other at all. There was no real ability to communicate, except in an ad hoc and unsatisfactory fashion.”
“Back in 2016, we literally we didn't know the right people to call in the states,” Matthew Masterson, Cybersecurity Advisor at CISA said. “DHS was calling the state CIO when in fact we needed to contact the secretary of state's office. Now we not only have the correctly people to call, but they're sharing information back to us. The amount of information that state and local officials shared throughout 2018 was immense.”
One helpful development is that since 2016, the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) was formed and rapidly grew to 2,000 members, the fastest growing of any ISAC ever. Now, “we have productive relationships with our federal partners” and there is a “sense of mutual trust that didn’t exist before,” Ingram said.
“It's building that partnership right down to the grass roots because we're only as effective as our weakest point,” Paul Pate, secretary of state for Iowa and chair of the election sector coordinating council, said. “I'm taking advantage and utilizing all the services that are available through the ES-ISAC and our other federal partners.”
One problem that Pate has faced in Iowa that is true of virtually every state in the country is the sheer number of jurisdictions that must be looped into election security efforts. “We need to make sure that all our county election officials have some of the same tools and resources as other local jurisdictions. That's a challenge for us because we have 99 counties, so 99 jurisdictions to work with on elections in cyber. And some of the jurisdictions are very small. They may only have three staff in their entire office and none of them are IT people,” he said.
“That's always been the issue,” Dan Palmer, US election assistance commissioner, said. “How do we make sure our smalls counties and our medium sized counties, are up to speed and everybody's operating in a uniform format.”
Election vendors also play a key role in helping election officials manage security threats, Chris Wlaschin, CISO of top election security vendor ES&S said. “I feel like our primary duty is to make sure that large and small election jurisdictions know what the cyber threats are, know what to look for when it comes to attempted intrusions or people trying to break into county and election systems and then know what to do about it.”
CISA will play a key role moving security forward for election officials, according to Masterson. “What we know is there are best practices, there's information being pushed out at a massive rate, at a rate that election officials have not seen before,” he said. “Our focus really is on not just getting that information out there, but identifying best practices and partners that are engaging directly with those state and local communities.”