Sharing Election Threat Info with States Won’t be One-Size-Fits-All, DHS Says

This Sept. 22, 2016 photo shows employees of the Fulton County Election Preparation Center in Atlanta test electronic voting machines.

This Sept. 22, 2016 photo shows employees of the Fulton County Election Preparation Center in Atlanta test electronic voting machines. Alex Sanz/AP

Cyber threat information sharing strategies will vary state by state based on state preferences, a DHS official says.

When the Homeland Security Department alerted state governments about Russian attempts to probe their election systems in 2016, it followed an ad hoc, one-size-fits-all process, mostly reaching out through existing cybersecurity relationships with governors’ offices.

As a result, the officials running those elections—which are often politically firewalled from governors—were sometimes left in the dark.

As the clock counts down to national elections in 2018 and 2020, Homeland Security is taking the opposite approach, asking top election officials in all 50 states how they’d like to communicate about relevant information security information, said Robert Kolasky, acting deputy undersecretary for Homeland Security’s cyber and infrastructure protection division.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The department is prepared to take numerous different routes for that communication depending on what works best for states, Kolasky told a National Academies panel on the future of voting Wednesday.

“At this point, there’s no ‘one way,’” he said, “and if DHS were to suggest one way, we’d be guilty of all the things everyone asked us not to do.”

Kolasky represented Homeland Security at the first meeting of the Government Coordinating Council for the Election Infrastructure Subsector over the weekend.

That group, which was spawned in the wake of Russia’s attempted election hacking, will help facilitate cyber threat information sharing between the federal government and state and local election officials, Kolasky said.

Similar groups exist for other critical infrastructure sectors such as energy and chemical plants, transportation hubs and financial services firms.

A separate group comprised of private-sector representatives, called a sector coordinating council, will meet before the end of 2017, Kolasky said. That group is likely to include the companies that build voting machines and election software, Kolasky said.

Homeland Security already met with the three major voting machine vendors while setting up the Government Coordinating Council meeting, he said, and they “start[ed] having a conversation” about supply chain cybersecurity risks, procurement safeguards and other topics.

Cyber analysts have cited consolidation in the voting machine industry and the industry’s complex, international supply chains as major digital dangers for future elections.

The number of major voting machine vendors has dropped from 20-ish to about three during the past decade as a result of mergers and purchases. That means hackers who want to compromise an election have significantly fewer systems to study for vulnerabilities.

Complex supply chains raise the likelihood that insecure, counterfeit or un-vetted software could make its way into voting machines—either because of negligence or because it was planted by an adversary.

Most voting machine supply chains include China, a U.S. cyber adversary, experts have said.

Both the government and sector coordinating councils were established by a late Obama administration decision to classify election systems as critical infrastructure—a Homeland Security designation that also applies to financial firms, hospitals and other vital sectors.

State election officials protested that decision, saying it was a federal power grab and that the federal government had demonstrated only limited knowledge of state-level election processes.

State officials have not backed off that position but have also signaled recently that they’re willing to work with Homeland Security moving forward.

During this weekend’s meeting, the government council’s charter was approved unanimously, even by members who still officially oppose the critical infrastructure designation, Kolasky said.

“There are still some folks who think the critical infrastructure designation was not the right policy decision to make,” he said, “but even those folks seem willing to work with the federal government so long as DHS recognizes it’s [working] in support [of states].”