The cybersecurity wing of the Department of Homeland Security must “urgently finalize” its plans to protect the 2020 presidential election, a government watchdog agency said in a new report released Thursday.
The Cybersecurity and Infrastructure Security Agency (CISA) provides state and local election officials with federal assistance, education and information sharing about how to safeguard U.S. voting infrastructure from possible interference. Despite three years of work meant to improve security, CISA still is “not well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of the 2020 election cycle,” according to a Government Accountability Office (GAO) report published Thursday.
Most notably, CISA has not created clear plans to respond to a possible Election Day security incident in which state and local response capabilities were exhausted, according to the GAO report. The audit also determined that CISA had failed to address challenges it experienced in 2018, including an inability of security personnel to access social media websites from situational awareness rooms, a weak point in countering possible disinformation efforts.
“While CISA identified challenges related to its prior efforts, it has not developed plans to address them,” GAO noted in its 47-page report.
In a statement, CISA said it has spent three years building partnerships and conducting tests to help prepare for the 2020 election season.
“Our work is not done, we continue to build and grow every day, but we understand the threat and the need to take action to keep our systems safe, and we are ready for 2020,” an agency spokesperson said.
State election officials who have worked with CISA said they were “generally satisfied” with the agency’s support, and representatives from five states told watch dogs their relationship with CISA had “improved markedly” since 2017.
Meanwhile, CISA has conducted continuous scanning of web-connected systems in 40 states, and 161 local election jurisdictions, out of thousands, as of November 2019, GAO found. The agency has assessed potential network security vulnerabilities in 26 states, and 20 local election areas. Officials also have conducted remote testing of externally accessible systems for potential vulnerabilities in 4 states, and 44 local election systems.
GAO recommended that CISA finalize its “strategic plan and supporting operations plan” for upcoming elections and document how the agency will address challenges identified previously identified in prior election efforts. That plan had been scheduled for January but delayed, GAO acknowledged, by a staff shakeup in which Jeanette Manfra, the assistant director for cybersecurity, departed CISA in favor of a position at Google.
The report is another highlight in the struggle between state and federal officials on how to align their election security efforts. CyberScoop has previously reported that a Nov. 8 phone call between state and federal officials became combative over an updated process for notifying state officials and the public of foreign attempts to interfere in U.S. elections.
The fragmented nature of U.S. election infrastructure has made life difficult for officials focused on security. CISA also does not have the legal authority to compel state and local election officials to work with the federal government on these issues, as CISA Director Christopher Krebs has said during previous public appearances. Yet the agency has tested whether jurisdictions are susceptible to malicious emails in 10 states, and a mere five localities.
GAO published its findings amid ongoing uncertainty over the result of the Democratic caucus in Iowa, where state Democrats had relied on a faulty app to report the results of voting counts.
While there was no evidence that hackers had interfered with the app, or the election, officials’ apparent failure to test the program, and the ensuing chaos, was just the kind of scenario that election security experts have warned could occur. When researchers from the app security firm Veracode reviewed the program, at the request of ProPublica, they found vulnerabilities that could have resulted in the interception or manipulation of sensitive information.