Forty-four states took part in an unprecedented election-security exercise last week that offered a crucial opportunity for electoral officials to interact with federal agencies with some of the most vaunted cyber capabilities in the government.
A security exercise this elaborate simply didn’t happen in 2016: before the Russian government’s sweeping intervention in the U.S. election, it was hard to imagine the need for local and state officials to drill with the National Security Agency and U.S. Cyber Command. But with 2016 fresh in their minds, those officials have warmed to the idea.
“The biggest obstacle that we had in 2016 was communication, and so I think a lot of those barriers have been torn down and states are more willing to hear from the federal government,” Election Assistance Commission Commissioner Thomas Hicks told CyberScoop.
“[O]ne of the most valuable parts” of the drill, Hicks added, was that it drove home for state officials that the threat information that DHS passes them often comes from the intelligence community. That elite cyber expertise was present as state and local officials walked through scenarios including denial-of-service attacks on board of election websites and spearphishing campaigns.
In a statement to CyberScoop on the exercise, the NSA said it “provides valuable information that helps the FBI and DHS build comprehensive pictures of the threats to inform and educate state election officials that will ultimately help them to defend against malicious cyber activity.”
Matthew Masterson, a senior cybersecurity adviser at DHS, which hosted the exercise, said that “there has never been an exercise of this scope and scale” in his ten-plus years working on elections.
U.S. officials have warned of the threat of renewed Russian interference in the midterms, and that urgency permeated the exercise.
The exercise allowed participants to grapple with the multi-dimensional nature of sophisticated cyber and information operations. Social-media manipulation targeting candidates and disruptions to voter registration IT systems were considered in tandem, for example. Local officials, in particular, are realizing that they need to update their incident response plans to account not just for the technical aspects of repelling a cyberattack, but also for a communications strategy to assure voters of the integrity of an election, Masterson said.
“If we were just to exercise one risk or one threat scenario, it’s not as effective as being able to combine that social media aspect with possible cyber intrusions,” he told CyberScoop.
John W. Conklin, director of public information at New York State’s Board of Elections, said the DHS-led drill served as a good complement to election-security exercises that New York held in June. “We reviewed what would be an optimal incident response, do states have written plans, what is in those plans, what agencies would be involved in an incident response, what resources are available to state and local election officials,” Conklin wrote in an email to CyberScoop.
Countdown to November
Last week’s drill will be the last national-level exercise on election security held before the midterms, according to Masterson. The key, then, will be for states to translate what they learned into better preparedness for the midterm vote.
“There was a clear demand signal from the state and local election officials about the need for timely and actionable information-sharing,” Masterson told CyberScoop. “Those federal partners at the table clearly walked away knowing that they needed to be prepared to continue to push down information to the systems owners and operators to protect their systems.”
In the wake of the exercise, Hicks said EAC’s role will be to continue to provide resources – financial or otherwise – to bolster the cybersecurity of state election systems. That could be advice on managing voting equipment and securely reporting election-night results, he added.
Asked if states are prepared from a cybersecurity standpoint for the midterm elections, Hicks said: “I think that they are preparing as well as they can.”
The $380 million that Congress allotted states in March is widely recognized as not enough to replace all of the less-secure paperless voting machines used across several states.
Hicks said that funding, which the EAC is distributing, has “definitely helped” states shore up some of their systems, “but a lot of [those resources are] going to be devoted towards 2020 just because of the timeframe that we’re in.”
Meanwhile, DHS plans to hold this type of large-scale, election-security exercise annually, Masterson said.
“Our democracy remains a target, but at the same time these are exercises [that] we can and should be doing just to help us manage risk to elections in general,” he added.