Written byChris Bing
With just about a month left before the polls open in New Jersey and Virginia for gubernatorial elections, the Department of Homeland Security is racing to vet state officials who have applied for the ability to receive classified briefings and other information related to potential cyber-intrusions into election systems, people familiar with the matter tell CyberScoop.
In August, the DHS began reaching out to chief election officials in every state to begin the process of obtaining clearances. While the nominees for these clearances are usually the secretary of state or similar high-ranking office-holders, some supporting staff have also sought clearances.
The processing for each of these applications varies by person and as a result, there’s no average wait time. Over the last several months, however, DHS has been able to issue “interim” clearances when necessary within 30 days of an application, officials told CyberScoop. Final clearance approvals are taking much longer, the officials said.
People familiar with the matter say there are officials in Virginia and New Jersey who are still waiting for a decision just 31 days before Election Day.
New Jersey Chief Technology Officer Dave Weinstein said that state leaders in New Jersey are able to adequately receive information about hacking operations because many already own clearances, but he also noted that there were individuals outside of upper management who had requested clearances ahead of the Nov. 7 election but had yet to be approved.
“It can be a lengthy process and so it’s not surprising that this is taking a while for some people,” Weinstein said. “Regardless, I think we’re equipped to take in this information if it’s provided to us by the federal government.”
Typically, a state will have either the secretary of state or the head of its elections board to act as its “chief election official” to guide efforts during each campaign cycle.
In the past, prior to the 2016 cycle, most secretaries of state did not own a clearance. But recent events, including Russian interference in the last U.S. election, have prompted a need for state officials to be aware of global cyberthreats and other information operations that are continuously identified and recorded by the U.S. intelligence community.
James Comey, the former FBI director, previously said he expected Russia, and perhaps other adversarial nations, to attempt to interfere in future U.S. elections, including those in 2017 and 2018.
On Sept. 22, nearly a year after the 2016 election, DHS formally notified 21 states that they were targeted by Russian hackers during the prior campaign cycle. The notification marked the first time the government had specifically named each state, although the total figure of 20 or 21 states had been publicly known for some time. In most cases, the described activity amounted to little more than a vulnerability scan or some other type of preliminary probing effort. There’s no publicly available evidence to suggest that hackers were able to significantly alter voting results in 2016.
As part of these recent disclosures, DHS spoke with state election officials to provide them with some evidence of this malicious cyber-activity. In response, several secretary of state offices criticized the information provided by DHS, claiming it did not provide sufficient evidence that Russia had in fact targeted local election systems. Since Sept. 22, DHS has sought to clarify its reports.