The Homeland Security Department plans to meet with a task force of state election officials in the next few months in an effort to iron out disagreements over DHS’ designation of election systems as critical infrastructure, a department official said Wednesday.
That designation, made weeks after the 2016 presidential election was roiled by Russian government-backed data breaches, sparked an angry backlash from state election leaders who considered it a federal power grab.
The National Association of Secretaries of State passed a resolution condemning the move in February.
The association also, however, formed a task force of 27 secretaries of state—the state officials responsible for managing state and local elections—focused on election cybersecurity and sharing information about cyber threats.
DHS plans to meet with representatives from that task force in the next couple of months and is hoping for a friendlier reception, Neil Jenkins, director of DHS’ Enterprise Performance Management Office, said.
Since the secretaries’ resolution, DHS has responded to a slate of questions from the secretaries of state and has spent more time laying out the designation’s advantages, Jenkins told reporters on the sidelines of a meeting of the National Institute of Standards and Technology’s Information Security Privacy Advisory Board.
“They’re taking this from a very deliberative approach and we’re taking this from a very deliberative approach,” he said. “We want to work with them and listen to them.”
Ironing out those differences is vital because DHS hopes to have a full critical infrastructure subsector for election systems up and running by early 2018 in time for the midterm elections, Jenkins said.
There was speculation during the early days of the Trump administration that the new administration might reverse the Obama-era designation, but that’s off the table, Jenkins said.
DHS Secretary John Kelly “made a public statement to Congress that we see this as the right thing and we’re going to continue with it,” he said. “As of right now, there’s no talk of rolling it back.”
DHS also is reaching out to vendors of election systems such as voting machines, vote-tallying machines and voter databases, which there wasn’t time to do in the lead-up to the 2016 election, Jenkins said.
Overall, vendors have been more open to those meetings than state and local officials, Jenkins told reporters, urged on by the security benefits of receiving additional federal help, such as security clearances for some industry officials to view classified threat information.
One main element of the critical infrastructure designation is a coordinating council, organized by the critical infrastructure sector itself in order to share cyber threat information and conduct planning with DHS.
It’s likely election system vendors will stand up a separate coordinating council from state and local election officials, Jenkins said.
The designation also allows DHS to task a handful of employees to focus full time on election security concerns, he said.
“Just like they’re busy getting focused on other things, we often get pulled in different directions,” Jenkins said. “If we don’t stand up an office and tell a couple of people, ‘your job is to engage with election officials,’ then we might not engage with them robustly until an election, until something popped up.”
DHS has long interacted with state and local election officials on a superficial level as part of its government facilities critical infrastructure sector, Jenkins said, but officials were less familiar with the complexity of election operations before 2016 breaches at the Democratic National Committee and Democratic Congressional Campaign Committee and at state-level systems in Illinois and Arizona forced them to take a closer look.
What they found was more complexity than they ever expected, he said. In addition to voting infrastructure that varies from jurisdiction to jurisdiction, there’s often a complex relationship at the state level where secretaries of state are sometimes firewalled and set up on different networks than other elected officials.
That means it’s often difficult to share information and expertise through a single point.
The greatest dangers don’t come from voting machines themselves, which are not supposed to be connected to the internet, but from centralized vote tabulation systems, voter databases and other web-connected infrastructure, he said.
Despite that complexity, election officials, by and large, have taken security seriously, he said. But they’re up against an outsized adversary.
“I don’t want to make it sound like election officials don’t know what they’re doing,” he said. “They did a good job with their defenses. When you have an actor at a nation-state capability level like the Russians, you want to make sure you’re doing everything right because they will find a way to get into your systems.”