Federal, state and local officials who oversee election infrastructure and security are optimistic about their ability to share information that’s needed to protect elections from malicious actors.
At a Thursday panel hosted by the Center for Internet Security, individuals representing the Department of Homeland Security, state secretaries of state, and state election directors discussed the progress they’ve made on election security coordination since 2016.
“The Department of Homeland security and the U.S. government are so involved in election security because starting in 2016, we really did assess that the threat of something happening to our elections was relatively high,” said Bob Kolasky, DHS’s acting undersecretary of the National Protection and Programs Directorate. “That does not mean that the risk to our elections systems has to be high.”
When the U.S. intelligence community concluded in January 2017 that Russia meddled in the 2016 election, DHS designated election systems as part of the country’s critical infrastructure. Kolasky acknowledged that the designation was controversial at the beginning, but argued there has since been significant progress in improving information sharing across levels of government.
“I am pleased from a Department of Homeland Security perspective on the progress the collective elections infrastructure and election operations community has made on reducing the risks to our elections,” he said.
Connie Lawson, Indiana’s secretary of state and president of the National Association of Secretaries of State (NASS), agreed that states and other jurisdictions need to be involved with DHS’s efforts, but reiterated the skepticism that state and local officials had about the critical infrastructure designation.
“We were reluctant because we didn’t understand what it meant and what could DHS do for us if they couldn’t already do if that designation had not been made,” Lawson said. “We’re getting along as well as we can in any forced marriage … Even though we didn’t originally agree with the designation of critical infrastructure, we need to be at the table. And we as election officials need to teach DHS how they can help us and how they can communicate.”
Amy Cohen, executive director of the National Association of State Election Directors, said that the designation has facilitated communication among the many parties involved in running elections.
“Since the critical infrastructure designation, we have more resources to this kind of planning, to do this kind of preparation, to get this kind of important information out,” Cohen said.
Panelists noted that states have increasingly leveraged the Multi-State Information Sharing and Analysis Center (MS-ISAC) — which is run by CIS — to share information about potential threats to election systems.
“Having the ISAC working is going to help us get that information to the right people as quickly as possible. It’s also going to allow us to prioritize technical information collectors including intrusion detection,” Kolasky said.
Kolasky added that DHS is starting to bring vendors of election technology into the information sharing environment. DHS is heading separate working groups with election officials (a Government Coordinating Council) and private sector election industry representatives (a Sector Coordinating Council) to coordinate efforts.
The panel was brought together to also discuss a handbook that CIS published in February to serve as a comprehensive guide for how election officials should approach the security of the infrastructure they oversee.
Mike Garcia, the handbook’s primary author, said that while there has been a lot of broad discussion on how to address election security, the guide bridges the gap for both the technical and non-technical people in the field.
Garcia said CIS is also creating a self-assessment tool to let election officials see how well they’re following the guide’s list of 88 best practices. He said that would be especially helpful for election offices that outsource much of their IT infrastructure to private contractors.
“We’ve seen that there are many especially smaller election jurisdictions that rely extremely heavily on contracted resources — software, hardware, sure, but also for IT support services,” Garcia said. “Essentially the way to think about that is taking the 88 best practices and turning them into contract clauses.”