The Department of Homeland Security is on standby to alert state officials about any malicious cyber-activity during Tuesday’s primary elections, but the states themselves will likely know first if something is amiss, Matthew Masterson, a senior cybersecurity adviser at DHS, told CyberScoop.
With voters going to the polls in eight states, Tuesday’s primaries are a chance for DHS to test the communication protocols it has sought to ingrain in election personnel across the country. State officials, who generally have the best views of their networks, will flag potentially malicious activity for DHS, which can in turn alert other states, according to Masterson.
“If we see or have information to suggest something is going on, we have the ability to immediately share it with the states,” he said in an interview. Ahead of the midterm elections, DHS has looked to “ramp up” its cyberthreat reports to state officials to get them information that is easily understood and not overly technical, Masterson added.
In advance of the 2016 U.S. presidential election, Russian hackers probed IT networks in 21 states, according to DHS. However, Jeanette Manfra, the department’s top cybersecurity official, told lawmakers in April that the department had yet to detect Russian cyber-activity on state systems ahead of the 2018 midterms.
Masterson, who headed the Election Assistance Commission for three years before joining DHS this spring, said that assessment hasn’t changed.
“I am not aware of any specific attacks … against election infrastructure from the Russian government or any nation-state actor,” Masterson said. DHS nonetheless expects election systems, which the department designated as critical infrastructure in 2017, to continue to be a target for hackers, he added.
States must clamp down on known vulns
The states holding primaries on Tuesday – Alabama, California, Iowa, Mississippi, Montana, New Jersey, New Mexico, and South Dakota – have different levels of maturity in cybersecurity. California, for one, is generally seen as ahead of the curve, as the Golden State has for more than a decade required a paper trail so that vote tallies can be audited.
To prepare for the 2018 midterms, the California secretary of state’s office did “an agency-wide security audit, replaced obsolete devices, enhanced security of our servers, and upgraded firewalls and applied security patches,” Sam Mahood, a spokesperson for the secretary, said in a statement.
In another example of state preparations, Montana officials have implemented two-factor authentication on their systems and trained clerks on the types of cyberthreats to look for, Dana Corson, the state’s elections director, told CyberScoop.
DHS’s top infrastructure security official, Chris Krebs, was planning to be in Iowa on Tuesday to visit the state’s cyberthreat operations center and polling stations. Masterson, who was there recently to oversee cybersecurity training for local officials, said the Hawkeye State was on top of the issue, pointing to a recent phishing training for election auditors put on by the state’s CIO office.
Nonetheless, federal efforts to secure voting infrastructure have come under scrutiny from lawmakers and analysts who say the $380 million allotted to the cause by a spending bill in March is not enough to replace paperless voting machines. And Democratic Sen. Claire McCaskill of Missouri has expressed concern that DHS-supported preparations for the midterms will not be enough to secure voting infrastructure.
At a Senate hearing in April, McCaskill pressed Krebs on the number of states that have received cyber-vulnerability assessments from the department. Of the 17 states that have requested those assessments, about nine had completed them, Krebs said.
In the interview with CyberScoop, Masterson declined to say which states had received vulnerability assessments, adding that the figure was not indicative of whether states were taking the issue seriously.
Asked where the biggest room for improvement was in state-election cybersecurity, Masterson singled out incident response plans and defending against known vulnerabilities.
States need to ensure that the offices of the governor and secretary of state have synchronized plans for responding to a cyber incident, he said. And as hackers are wont to target the lowest-hanging fruit — software and hardware that are unpatched — Masterson advised states to clamp down on these potential openings to their systems.
“In most cases, those who would like to do harm to the process are going to try to exploit [those vulnerabilities],” he said.