Congress Should Consider Election Security Standards, Obama DHS Officials Say

Congress should seriously consider requiring states to allow the federal government to audit their election systems for cyber vulnerabilities, former President Barack Obama’s Homeland Security Secretary told Democratic lawmakers Thursday.

Or, Congress might also consider legislating “certain federal minimum standards for the cybersecurity of our democracy,” former Secretary Jeh Johnson told members of a Democratic task force on election security.

Federal lawmakers might also offer states grants to upgrade election systems and cyber protections but make those grants contingent on allowing either Homeland Security or an authorized third party to assess the security of the state’s current election systems, the department’s former undersecretary Suzanne Spaulding said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The Democratic election security task force, which House Minority Leader Nancy Pelosi formed in June, has no formal power. Democrats launched the task force after Republican leaders declined to create a special committee to investigate Russian digital meddling in the 2016 election campaign, which included hacking and releasing Democratic party emails and scanning and probing state election systems.

That election meddling jumpstarted a conflict between federal cybersecurity officials and state election leaders.

Federal officials want to make it easier for the national government to vet state and local election systems for vulnerabilities and to share information about cyber threats, while state officials were concerned about a federal power grab.

The conflict first burst into public view shortly after the election when Johnson’s department labeled election systems critical infrastructure—an official designation that makes it easier for Homeland Security to provide aid and signals to foreign adversaries that any digital or physical attack against the sector risks serious countermeasures.

Johnson first considered making the critical infrastructure designation in mid-2016 when he first heard reports of Russian hackers targeting state voter databases, he told lawmakers Thursday.

After some state officials pushed back, Johnson said, he delayed the designation out of concern it might disincentive states from seeking federal help with election cybersecurity.

“In the run up to the election, this was going to be a hot button issue,” he said. “There’d be a lot of misperception and the shorter-term goal had to be to getting the states to come in to seek our cybersecurity assistance…So I put the designation on the back burner until after the election.”

Ultimately, 33 states accepted federal help assessing their systems’ cybersecurity during the 2016 cycle.

Johnson rejected states’ concerns about a federal power grab, calling it a “misperception” and stressing that, currently, the federal government can only provide assistance if it’s requested.  

Johnson and Spaulding also pushed back on states’ complaints that Homeland Security only formally notified the roughly 21 states that were scanned and probed by Russian hackers this month.

The department spoke with numerous state officials about the attacks last year—either directly or through a cyber threat information sharing organization—but did not publicly announce those conversations because the department prizes confidentiality, Spaulding said.

“The secretary had calls, I had calls, with multiple secretaries of state across the country and there was some frustration that we wouldn’t reveal in [those calls] the states that had come to us or that we had information on and it was to protect the trusted relationship with those individuals,” Spaulding said.

Investigators have not found any evidence that Russian hackers successfully penetrated state or local voting systems.

In addition to the possibility of Russian hackers changing vote totals in future elections, Johnson said, he’s concerned they might manipulate state and local voter rolls so that legitimate voters are turned away from polling places.

Johnson did not directly answer a question from Rep. Zoe Lofgren, D-Calif., however, about whether same-day voter registration would allay those concerns. Currently, 15 states and Washington D.C. allow citizens to register to vote on election day.

Johnson and Spaulding also both suggested that Congress require the intelligence community to release a report on the state of election cybersecurity in advance of each federal election. That mandate would remove concerns about the possible political motivations if a president requested such a report, they said.

The intelligence community and Homeland Security Department released a statement about Russian election hacking efforts in October 2016, about one month before the election. President Obama has acknowledged, however, that he avoided personally addressing the topic before the election out of concern it would appear he was trying to sway public opinion in favor of his preferred candidate, Democratic nominee Hillary Clinton.