The federal government’s election security efforts over the past few years have drawn manpower from across various agencies. Matt Masterson sits at the center of these efforts. In March this year, Masterson joined the Department of Homeland Security as a senior cybersecurity adviser on election security with the National Protection and Programs Directorate (NPPD).
Masterson has been helping the department engage with state and local election offices in order to make sure they are adequately handling 2018’s security challenges. Before DHS, Masterson had been serving on the Election Assistance Commission (EAC) since 2014, where he was the most recent chairman. The agencies are working closely together to make sure election officials have the resources they need.
The relationship between the federal and lower levels of government when it comes to election security has evolved over the past few years and private sector companies are also getting involved in the national push. Masterson discusses what it all means for the state of election security.
CyberScoop: The designation early last year of election systems as critical infrastructure seems to be pretty central to a lot of the coordination over election security that we’ve seen recently. What would you say has been the biggest improvement in election security efforts then?
I think the biggest improvement is the level of coordination across the federal government and then down to the state and local governments that run elections and own and operate the systems. What we’ve seen since January 2017 is an incredible level of engagement from all 50 states and literally thousands of local election officials getting information, sharing information, engaging us in services, all to improve the resilience of the elections process. As you know, when the designation was originally made, the states, I think, were appropriately skeptical about what value DHS can bring to this space and what our role would be. And I think what we’ve seen since that time is engagement from them and the opportunity for us to provide that support and information sharing and, them taking advantage of it to help protect their systems and build resilience.
CS: What do you think the role should the private sector play in contributing to this effort?
MM: Generally speaking, the private sector is vital to the operation of elections. They’re a critical partner to us with our Sector Coordinating Council. We work directly with all the major election vendors as well as actually some other private companies. So having those partnerships, the ability for DHS to exchange information with them, and them to support their customers using the information and services that we provide, I think is absolutely critical. I think they deserve a lot of credit for valuing the importance of elections in our site and for supporting those state and local officials, certainly down at the local level when you’re talking about 10,000 a election jurisdictions across this country. That kind of DDOS protection or website management is critical because local election officials don’t necessarily have those resources.
But I also think it flags another important issue here in that is the need to continue to resource state and local officials. Those companies are doing a service to our country in what they’re doing. But we need ongoing support in the form of both money and resources that state and local officials can rely on long-term to continue to secure their systems and build resilience, such that it’s not necessary for companies to step up in that way, but instead that we recognize elections as critical to the nation’s operation and we invest in them appropriately.
CS: One way that they’ve been getting those resources $380 million grant from the EAC. What other mechanisms are there?
MM: This is an area where I’ve seen perhaps some of the biggest change in my more than a decade in elections, and that is there’s more resources available now in a variety of forms. Obviously, we here at DHS offer a number of resources including the information sharing and analysis center, the deployment of Albert sensors, cyber-hygiene scans, phishing assessments, risk and vulnerability assessments, physical assessments — all those services that previously weren’t available or at least weren’t known by election officials. And now not only are they being offered those services, but they’re being prioritized to receive them, which I think is really important. Outside of that, we’ve seen academia step up — efforts like the Belfer Center’s Defending Digital Democracy work, where they not only created best-practices guides, but created tabletop exercises that a majority of the states participated in. It was really an important lift from an academic institution to help support those state and local officials.
And I can tell you they received a great deal of value in that. There’s work by the Center for Internet Security and the election security handbook. That’s a resource that was not available, a level of expertise that previously election officials didn’t have — that they could take a guide that has 88 best practices and controls in it, take it to their it official and walk through what’s applicable, what’s not applicable, and what more can we be doing? And I’ve actually seen that guide used not just to evaluate the current state of things in any given jurisdiction, but also used to go talk to a county commissioner or state legislature and say, “Here’s what we’re doing. Here’s what more we could be doing with additional funding.” So it’s been a really valuable tool, and that’s from a nonprofit entity. So we’ve seen others, like the Center for Democracy and Technology, offering training and checklists to state and local officials. These are all resources that didn’t exist prior to 2016 and show not just a whole-of-government approach but also a whole-of-nation response to what we saw. And I think it’s really encouraging.
CS: What do you think are the biggest misconceptions about the state of election security?
MM: I think the biggest misconception is that nothing’s been done since 2016 and that the state and local officials aren’t taking it seriously. I’ve traveled across the country, meeting with and working with state local election officials, and my experience is that they’re taking this incredibly seriously, that they’re doing everything they can, using these new resources, newly available funds and whatnot to help improve the resilience of the process. Our elections are more secure today than they were before 2016, and they’re going to be more secure heading into 2020 than they are today because of the relationships we built, because of the resources that are available and because of the level of engagement and professionalism of the state and local election officials that own and operate these systems.