Election Officials Want to Tell the Public 'Where the Good Guys Won' in Cyber Efforts

As election officials continue to face threats of violence and intimidation in the wake of the 2020 election, state officials say that more public transparency is needed around efforts to address cyber vulnerabilities in voting systems across the country. 

During a House Homeland Security Committee hearing on Wednesday about physical and cyber threats to election officials and infrastructure, secretaries of state told members of the committee that the Cybersecurity and Infrastructure Security Agency is calibrating its approach with state and local election officials to better tailor the information that it shares. But they also voiced a need for CISA and the Department of Homeland Security to be more proactive in releasing public information about their efforts to mitigate vulnerabilities in election systems.

Frank LaRose, Ohio’s secretary of state, told the committee that federal officials should do a better job of allowing states to share their public successes, either by moving to declassify relevant information as quickly as possible or lifting up success stories to counter more negative narratives surrounding election infrastructure vulnerabilities.

“When things go wrong the public generally will know about it quickly,” LaRose said. “But we haven’t always been able to share our successes, and the public should know when we had a day where the good guys won and the bad guys lost.” 

LaRose highlighted the first-in-the-nation vulnerability disclosure policy that he enacted in 2020 as a way to allow outside security researchers to identify and report flaws in Ohio’s election infrastructure. He said the policy has resulted in dozens of fixes to the state’s election systems, and that it gives researchers an opportunity to “get inside the systems and really take a deeper look at what’s going on in them.” 

LaRose said that he believed the number of states implementing similar vulnerability disclosure policies was “in the single digits,” but added that the number was growing and that other states should consider adopting a similar approach. 

Rep. Jake LaTurner, R-Kan., brought up CISA’s vulnerability disclosure platform—which allows federal civilian agencies to use a centralized system to gather and share information about potential software vulnerabilities—as a possible model that CISA could “engage in with states and localities.”

LaRose said that Ohio works with a private sector provider to spread the word about the state’s vulnerability disclosure policy, but added that “to do that through CISA would be a great tool as well.”

At least some lawmakers on the committee voiced concern that slow-walking public disclosures about election infrastructure vulnerabilities could sow further misinformation and conspiracies about the validity of the voting process.

“I do fear that responsible disclosure of and communication about cybersecurity vulnerabilities in election infrastructure is becoming more and more challenging,” said Rep. Jim Langevin, D-R.I., a committee member and the co-founder of the Congressional Cybersecurity Caucus. “Not all vulnerabilities of course will be equal in their severity or ease of exploitation, but their very existence could be manipulated to undermine public confidence in the integrity of election infrastructure, and by consequence, the outcome of an election itself.”

Maggie Toulouse Oliver, New Mexico’s secretary of state, credited DHS and CISA for doing a better job of sharing information and directives with state election officials, but called it a “delicate balance” in terms of responding to vulnerabilities and alerting the public about officials’ ongoing work. 

“We want to make sure that once we’ve identified a vulnerability, we have a plan to fix it and fix it quickly,” Oliver said. “A lot of that work is that balance. We do need to make the public aware, but also have those plans in place.”