Government cybersecurity is also improving, CISA Director Chris Krebs said, but legacy IT is holding agencies back.
The country’s election infrastructure is better protected than ever and federal computer networks have seen “demonstrable improvements” in their cybersecurity, according to the Homeland Security Department’s cyber chief.
The 2018 midterms marked “the most secure election held in the modern era in the U.S.,” Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, told lawmakers on Wednesday. And while there will always be room for progress, “there’s no question” cybersecurity at federal agencies has improved in recent years, he said.
In an unusually hopeful testimony before the House Appropriations Homeland Security subpanel, Krebs highlighted the agency’s success in bring cybersecurity resources to state and local election groups scattered across the country.
In 2018, CISA installed intrusion detection software on more than 90 percent of the networks used by state and local offices to manage voting, according to Krebs. In 2016, only 32 percent of nationwide networks were using the tools, he said. The agency also conducted multiple election security exercises to test and bolster digital defenses ahead of the midterms.
With preparations for the 2020 race already underway, he said the agency will continue expanding the services available to those communities. Among the key focus areas will be patching bugs in election equipment, ensuring election auditability and building cyber risk profiles for individual jurisdictions.
In the run up to 2020, Krebs said, the ultimate goal is to figure out where vulnerabilities exist in state and local election infrastructure and how those groups can address them. He intends to use that information advise Congress and state lawmakers on how to allocate resources.
“That’s probably the biggest conversation ahead of us,” he said. “What is it going to take to get these systems where they need to be, and who’s going to pay for it.”
Additionally, CISA is placing a strong emphasis on rudimentary security measures like multifactor authentication, regular software patching and antiphishing campaigns, which Krebs said deliver a huge bang for their buck.
“While we continue to look for new technology and security opportunities, it’s really hitting the basics hard ... that’s going to be one of our focuses for protecting 2020,” he said.
Krebs noted the agency plans to use new funding provided by Congress to expand its in-house election expertise. Those additional personnel and capabilities could shift from elections to other areas as demands ebb and flow, creating a more robust all-around security posture, according to Krebs.
“We’re building depth,” he said. “Not just are we better for elections, we’re better for every other critical infrastructure sector.”
Though much of Krebs’ testimony focused on election security, he also highlighted a handful of improvements to federal agencies’ cyber posture.
It used to take agencies 219 days on average to patch known vulnerabilities in their networks and software, but today the wait dropped to about 20 days, which Krebs noted is faster than many private-sector firms. The agency’s intrusion prevention system also thwarted 13 malicious cyber campaigns, and the Continuous Diagnostics and Mitigation program continues to expand across government.
In the coming years, Krebs said the agency will focus on establishing and enforcing governmentwide cybersecurity standards and improving its ability to analyze network data. But as with election security, he said there are some couple basic area where federal agencies could reap huge returns on investment, particularly IT modernization.
“We’ve got to get out of this model where we’re just paying to patch and paying to keep the old stuff running,” he said. “We’ve got to modernize. We have the opportunity to shift from the security bolt-on mentality, where [we’re] adding security solutions on top, and instead we can design and configure and deploy IT securely.”
He said CISA is also devoting significant resources to understanding and managing risks in the government IT supply chain, which today is still a fairly opaque process.
“We are in the early days of figuring out what supply chain risk management looks like for the federal government, but we have tools now that we didn’t have last year,” he said.