Election Commission Wants to Work with DHS on Election Cybersecurity

The Homeland Security Department made a unilateral move to raise its involvement in the cybersecurity of U.S. election infrastructure last year, but a commission that helps state and local election commissioners wants to turn DHS’ decision to its advantage.

The Election Assistance Commission’s plan is to query state and local election officials about what help from DHS would be most useful and to urge DHS to focus in those areas, Executive Director Brian Newby told commissioners Wednesday.  

One early takeaway from early meetings with DHS officials is that DHS should develop a more efficient way of sharing cyber threat information with state and local election officials so they’re not inundated with useless information, Newby said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

DHS and EAC are both committed to drastically ramping up security before the 2018 midterm elections, he said.

DHS labeled U.S. election systems as critical infrastructure weeks after the 2016 presidential election during which Russian government-linked hackers reportedly probed election systems in 39 states.

That probing was part of a larger influence campaign to create havoc around the election and to possibly sow doubts about its result. There’s no evidence Russians actually accessed or altered any state or local voting information.

State and local election officials criticized the designation as a federal power grab and the National Association of Secretaries of State passed a resolution condemning the move in February.

The tone at Wednesday’s Election Assistance Commission meeting, however, was more conciliatory. The EAC, which is staffed largely by former state and local election officials, is a federal commission formed after the 2000 election and charged with developing guidance aimed at making elections run more smoothly.

The commission also distributes federal funds to help states and localities retire outdated voting software systems and to maintain statewide voter registration databases.

The lesson of Russia’s election system probing—and of election system hacking demonstrations in recent months at the DEF CON cybersecurity conference and elsewhere—is that all technology is vulnerable and election officials should not be eased into a false sense of security, Cook County, Ill., director of elections Noah Praetz told EAC commissioners.

While there’s no way to fully secure election systems against digital meddling, Praetz urged state and local officials to focus on raising their election system defenses while increasing verification and resilience procedures.

The best resiliency procedure for any digital election system, he said, is a backup paper trail of votes that can be hand counted if necessary.

The best verification comes from regularly auditing those paper backups to make sure they match the digital count, he said.

DHS aided several states with basic cyber hygiene advice in the run up to the 2016 election, but states and localities must ultimately be responsible for their own security, he said.

“For any services that go beyond [cyber hygiene], the wait time was fairly significant,” he said. “And it makes me realize that, you know… we can't wait for Superman, right? A lot of this stuff we have to take on our own.”