The Homeland Security Department and states' information sharing efforts about Russian cyber meddling got off to a rocky start but they're working on it.
When Connie Lawson became president of the association of top state election officials in July, she inherited a boiling conflict between states and the federal government stemming from Russia’s digital efforts to undermine the 2016 election.
In the wake of that election, the Homeland Security Department extended critical infrastructure protections to state and local voting systems, a move the federal government said simply made it easier for states to request security assistance when they were under attack but that states saw as a federal power grab.
Former Homeland Security officials call that a misperception of the designation.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
After two months as president of the National Association of Secretaries of State, Lawson remains critical of many Homeland Security Department decisions during the past year. Her organization especially condemned the nearly year-long delay before Homeland Security formally shared evidence with 21 states this month that Russian hackers had probed—but not penetrated—their voting systems.
Lawson also stressed in an interview with Nextgov, however, that Homeland Security has learned from its mistakes and is now listening closely to states’ concerns.
Lawson spoke with Nextgov about state and federal cooperation efforts on election cybersecurity and election cyber protections in Indiana.
The interview has been edited for length and clarity.
Nextgov: Do you plan to accept Homeland Security’s help vetting the security of Indiana’s voting systems before the 2018 elections?
Lawson: We did not accept any help from DHS in 2016. We felt like we had our protocols in place and that we were fairly certain that we were just as secure without DHS as we would be with DHS. I don’t know exactly what we’ll do in 2018.
Indiana has volunteered to be a pilot state with the election sector information sharing center that we’re setting up. There are seven states that have agreed to be pilots and Indiana is one of them. So, we will get a network monitor for our election system and that election sector [information sharing and analysis center] really is DHS as well, so I guess, in that regard, we are accepting their help.
Nextgov: That ISAC was set up because of the critical infrastructure designation, right?
Lawson: That’s right.
Nextgov: What sort of information do you hope to get about cyber threats from the new ISAC?
Lawson: That’s to be seen. The folks at DHS are really working to improve the relationship with election officials across the country, not only with states but with local officials as well.
Nextgov: NASS denounced the critical infrastructure designation when it came out, but now you’re cooperating. Have you changed your mind or is it just about ‘this is where we are now?’
Lawson: Well, it’s where we are now. We passed a bipartisan resolution [that opposed the designation] in February. But, keep in mind, the reason the resolution was passed was because we were very unhappy with the way [the designation] came about. We didn’t have any input in it. We were never given anything in writing about what the parameters of that critical infrastructure designation meant.
So, that’s absolutely why we came out against it and I believe the association did the right thing. In the meantime, because the designation is standing, we also felt like we needed to have a seat at the table. So, we have agreed to be members of the coordinating council that DHS is setting up to talk about the parameters and what that critical infrastructure designation means.
Nextgov: NASS was also very critical of the long delay in sharing information with the roughly 21 states that were probed by Russian hackers.
Lawson: When I testified before the Senate Intelligence Committee [at a closed hearing] in July, that very same day Homeland Security mentioned the 21 states and nobody knew about it. So, it’s communication. I think DHS does understand now how that is not helpful at all for them to make a statement without having put the election officials on notice about what they’re going to say and what they believe has happened. I think they understand now and I think we’re going to be moving forward.
Nextgov: Homeland Security alerted Wisconsin officials recently [Sept. 22] that Russians probed the state’s voting systems, but they later backtracked [Sept. 26] and said that was a mistake. Does that reduce your confidence in the department’s information? [Editor’s note: After this interview, California election officials also disputed Homeland Security’s assertion that Russian hackers probed that state’s voting systems].
Lawson: Well, sure, it would, but I was not aware of that. Especially because it’s hard to correct information once it’s out there. I can certainly understand why [Wisconsin officials] would not be happy about that.
Nextgov: Indiana was not among the 21 states that Homeland Security notified about Russian probing.
Lawson: You’re right, Indiana was not among the 21 states that was scanned or targeted [by Russian hackers]. But, honestly, we’re scanned or targeted every day [by other actors]. As I’m sure you know, nearly everybody’s network will get scanned at some point. But what you have to ask is: Did they get in? So that was good news even for the 21 states that were part of that.
Nextgov: How much of your time have you spent on this issue since you became NASS president?
Lawson: I would say hours every day. It has absolutely monopolized my time because of the different task forces I’m on, because of the conversations we have on staff, because of the information that comes out from different sources. It seems like we’re always putting out fires.
Nextgov: Have you advised other states about whether to accept Homeland Security help in 2018 or not?
Lawson: No, we haven’t yet. But the coordinating council is meeting for the first time in October and we’ll certainly keep the entire association informed about what we learn.
Nextgov: Acting Homeland Security Secretary Elaine Duke said recently that the department erred by informing states about Russian probing early on but not always reaching out to top election officials.
Lawson: Secretaries of state and election officials did not understand why that would take place in that manner. We’re working with DHS so that the secretaries [of state] can get a national security clearance and they are helping us expedite that. That’s the first tier and then it’s possible, once the secretaries are cleared, they’ll be able to get some members of our staff cleared. We’re trying to rectify the situations that DHS felt they could not notify the chief election officials.
Nextgov: How much of states’ anger about the critical infrastructure designation and all that’s followed was based on that poor communication versus concerns about a federal takeover of states’ responsibilities?
Lawson: Running elections is a state’s constitutional responsibility. I think every secretary of state or election official believes that and would stand up for that right. However, that doesn’t mean that the federal government might not receive information that would help us run our elections.
Nextgov: Is there also a belief that states know more about protecting their voting systems, which are extremely diverse, than the federal government does?
Lawson: Well, that’s exactly right. If you’ve seen elections in one state, you’ve seen elections in one state. And that’s one of the protections we have in our country from our elections being tampered with. It was very obvious from the beginning that DHS did not understand election processes at all. However, we have worked to educate them, so I think it’s been a relationship that is improving. DHS has listened to the secretaries as to how the election process works. I think they’re starting to understand better what we do and why we were so upset about the way this critical infrastructure designation came out.
Nextgov: What sort of things are you doing in Indiana to improve the cybersecurity of the 2018 elections?
Lawson: We’re doing a lot of things. There are a lot of things I can’t discuss, but we’re going through every process we have here. We’re hearing from experts. We’re working with the [Election Assistance Commission] on getting new voting equipment. We’re making sure our standards are up to what they need to be. We felt good in 2016, but we don’t want to get too comfortable because that’s when something can happen. So, we are on guard every day.