While it has been four years since Russian operatives allegedly targeted U.S. election systems, foreign adversaries continue to aim to influence the election process. On June 4, 2020, a major search engine confirmed that foreign adversaries were still targeting campaign staff of both political parties before the 2020 Presidential election.
The Department of Homeland Security (DHS) has improved coordination efforts to secure the nation’s systems used for voting, the Office of Inspector General (OIG) has said in a new report. However, OIG found room for improvement and said DHS should take additional steps to protect the broader election infrastructure, which includes polling and voting locations and related storage facilities, among other things.
OIG believes computer-enabled election systems may still be subject to cyber intrusion. The risks to computer-enabled election systems vary by county and jurisdiction, depending upon the types of devices, network architectures, information technology (IT) governance measures, and other protective measures implemented.
Prompted by suspicious cyber activities on election systems in 2016, the DHS Secretary designated the election infrastructure as a subsector to one of the nation’s 16 existing critical sectors. On October 1, 2016, former DHS Secretary Jeh Johnson stated that malicious cyber actors had been scanning a large number of state election systems, which could be a preamble to attempted intrusions. In a few cases, DHS determined that malicious actors gained access to state voting-related systems, although the Department was not aware of any manipulation of data at that time.
The suspicious activities and potential attacks during the 2016 Presidential election were later attributed to Russian hackers targeting voter registration files and public election sites — mostly through scanning for vulnerabilities — in 21 states. In July 2018, the Department of Justice indicted 12 Russian nationals for allegedly hacking the election infrastructure and stealing personal information for about 500,000 voters.
Mitigating the physical threat
The Cybersecurity and Infrastructure Security Agency (CISA) has developed a set of plans and guidance aimed at securing election systems for the 2020 election cycle. But OIG found that the plans do not sufficiently mitigate other potential risks to physical security, terrorism threats, or targeted violence to the election infrastructure, nor do they identify dependencies on external stakeholders that impede mission performance. DHS senior leadership turnover and ongoing CISA reorganization have hindered CISA’s ability to enhance planning and effectively monitor its progress in securing the nation’s election infrastructure.
OIG found that CISA did not sufficiently address physical security, terrorism, and targeted violence in three of its recent election security related documents:
- #Protect2020 Strategic Plan, February 2020, focused on election system security in terms of “cyber” throughout the document. CISA uses the terms “election system” and “election infrastructure” interchangeably and only identifies physical security risk at the polling station in the “Last Mile” poster. Further, when CISA discusses the threat to state and local officials, poll workers, and election systems, it only cites threats from “foreign states and criminal organizations,” not from targeted violence, mass shootings, gun violence, or domestic extremist groups.
- CISA 2020 Election Security Operations Plan, February 2020, describes how state and local officials, volunteer poll workers, and election system vendors are responsible for administering safe and secure elections. CISA provides the resources and support necessary to ensure a comprehensive response to incidents affecting the integrity of elections. The plan details CISA’s nine critical information requirements for the 2020 general elections. However, more than half of CISA’s critical information requirements focus on cybersecurity incidents.
- Election Infrastructure Subsector-Specific Plan, 2020, was revised to assess and mitigate risk. While this guide describes what the physical locations outlined in the 2017 designation encompass, it does not sufficiently address physical security risks and counterterrorism threats. The guide only briefly discusses the need to prepare for disaster recovery and foreign influence threats. In contrast, CISA’s primary focus is to promote its cybersecurity services, risk management efforts, and audits as the key activities for the subsector.
With the 2020 elections at hand and increased potential for revised election processes due to the COVID-19 pandemic, OIG said it is critical that CISA institute a well-coordinated approach and provide the guidance and assistance necessary to secure the nation’s election infrastructure.
There seems to have been some breakdown in communication between DHS and CISA about treating risks such as terrorism as threats to election security. DHS acknowledged the need for additional resources and submitted a funding request in its FY 2021 budget to address terrorism as part of its Homeland Security mission, including election security efforts. However, CISA did not include in its plans the priority actions cited in the framework, such as informing state and local officials about all potential threats to the election infrastructure. OIG was also critical of DHS planning, adding that the Department had not updated either the National Infrastructure Protection Plan or the Government Facilities Sector-Specific Plan to consider emerging threats to election security. The National Infrastructure Protection Plan is in the process of being updated, but this will not be complete until at least March 2021.
CISA has, however, improved its election security efforts and offers no-cost cyber and physical security assessments and services, as well as incident coordination, to help state and local stakeholders secure their election infrastructure. According to CISA officials, CISA headquarters’ dedicated assessment teams provide the majority of the cybersecurity services. CISA officials added that the most commonly requested cybersecurity assessments by election stakeholders are Remote Penetration Testing and Risk and Vulnerability Assessments. Physical security services offered include visits, surveys and assessments.
CISA also performed 13 tabletop exercises between FY 2019 and FY 2020, as compared to just six conducted from May to August 2018. For example, in June 2019, CISA and numerous election infrastructure partners conducted the National Election Cyber Exercise. This tabletop was a large comprehensive exercise, which included CISA, representatives from 47 states, and many other election infrastructure partners. The exercise helped evaluate cyber incident management for all state, local, tribal, and territorial entities and federal participants, and increased participants’ awareness of a range of incident response issues.
As part of its review, OIG spoke with representatives of other federal agencies who discussed their work with CISA to secure the election infrastructure. One federal agency official stated, “I cannot think of a single thing in a classified briefing that I have not read from the media,” indicating he had received complaints from others about DHS’ intelligence briefings not being helpful.
OIG said insufficient resources have hindered CISA’s ability to provide timely assistance to state and local election officials. As of May 2020, CISA had 132 Cyber and Protective Security Advisors providing technical assistance and performing security assessments for all 16 critical infrastructure sectors.
The watchdog spoke with 12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors who disclosed that CISA’s current staffing level is not adequate to provide support to state and local election officials for securing the election infrastructure.
CISA officials acknowledged that staffing shortages have hindered the efforts to secure the nation’s critical infrastructures, including elections. As of August 2020, the component is actively recruiting to fill its vacant positions of 54 Cybersecurity and 15 Protective Security Advisors.
OIG’s report made three recommendations: to update the National Infrastructure Protection Plan, which is already in progress; to improve collaboration between CISA and the Office of Intelligence and Analysis, which DHS says will be implemented by the end of February 2021; and to improve staffing levels.
The main takeaway from OIG’s report is that CISA is focusing on cybersecurity, which could be to the detriment of physical threats. While attacks on physical election infrastructure locations and assets are rare, they are not unheard of. For example, an individual drove a van into a voter registration tent manned by campaign volunteers in February 2020. While cybersecurity is obviously crucial, CISA must not ignore the emerging physical threats to the election, particularly in light of increased unrest around the country and the high-value target the election presents to terrorists.