Can CISA deliver nationwide election security?
- By Derek B. Johnson
- Feb 07, 2020
Although election security has been a priority of the Department of Homeland Security for some time, a reorganization of the offices devoted to cybersecurity has inhibited the development of larger strategic planning efforts to protect the 2020 elections.
According to a new Government Accountability Office report, the transformation of the National Protection and Programs Directorate into the Cybersecurity and Infrastructure Security Agency slowed agency efforts to finish strategic and operational plans to identify organizational functions, processes and resources for protecting election infrastructure, sharing intelligence and identifying threats. Additionally, CISA officials told auditors that two other efforts, focused on plans to provide security assistance for political campaigns and a public awareness campaign on foreign influence operations, are "unlikely" to be developed.
Agency officials cited limited staffing resources to explain the delays, and members of Congress have openly questioned in the past whether CISA has the budget and resources it needs to carry out its expanding mission in election security and other areas.
The audit also details findings from two internal assessments – one by CISA, the other by a contractor – which found a number of issues related to incident response efforts during the 2018 elections. Those issues included an inability to tailor services to the specific needs of local election jurisdictions, not always providing actionable recommendations in threat briefings, not producing unclassified versions of their briefings for election officials to share with IT staff, a limited number of capabilities to offer on election day and a lack of clarity about what the agency could do in the event that an election jurisdiction is compromised and state and local resources are already exhausted.
CISA has traditionally received high marks for its post-2016 election security efforts from state and local organizations, members of Congress and security experts. Many state and local officials have praised the improved communication and assistance from the agency following the 2017 designation of elections as critical infrastructure that left many states feeling protective and suspicious about a potential federal takeover. The GAO audit reflects that increased confidence, with election officials from seven of the eight states interviewed by auditors saying they were "very satisfied" with CISA's help, with many praising the agency's technical expertise and willingness to offer resources and services.
According to figures provided in the report, CISA has provided 40 states and 161 local election jurisdictions with continuous scanning services of internet-accessible systems, 26 states and 20 localities with network security assessments, four states and 44 localities with remote testing of external systems and run phishing tests for 10 states and 5 localities. It's also worked to install Albert sensors that monitor for malicious traffic targeting election systems in all 50 states.
The agency spent much of its time between the 2016 and 2018 elections building up relationships and trust with state-level officials and has told reporters it is now focused on doing the same with the approximately 8,000-10,000 local jurisdictions that face threats from ransomware and foreign hackers probing their voting or election systems.
The GAO recommended that the CISA director should move swiftly to finalize its plans for 2020, address all lines of effort as originally planned and document how it plans to address challenges identified in prior assessments.
In an attached response, a DHS official concurred with all three recommendations and said the agency will finalize its #Protect2020 Strategic Plan and 2020 Election Security Operations Plan in mid-February and release them shortly thereafter.
"DHS remains committed to ensuring the election stakeholder community has the necessary information to adequately assess risks and protect, detect and recover from those risks," wrote Jim Crumpacker, the department's congressional and inspector general liaison.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be followed on Twitter @derekdoestech.