Department of Homeland Security officials detailed ongoing efforts to secure state election systems Wednesday, telling the Senate Committee on Homeland Security and Governmental Affairs they are on track to assess states’ risk of a cyberattack over the next few months.
Speaking at the committee’s roundtable discussion on the agency’s reauthorization, Chris Krebs, acting undersecretary for the National Protection and Programs Directorate, said that DHS officials have completed five security risk assessments of state election systems and would be working to complete another 11 by mid-April, running up against primary season for state and congressional elections.
The assessments, offered to state election officials by request, include services like “scenario-based network penetration testing, web application testing, social engineering testing, wireless testing, configuration reviews of servers and databases and evaluation of an organization’s detection and response capabilities,” to determine the likelihood of a system breach.
“The dependency here is whether we get requested for risk and vulnerability assessments,” Krebs said. “There are states — South Carolina, for example — that have the capacity to conduct their own technical assessment of the security of their networks. We’re focusing and doing a lot of awareness on those states that need additional help.”
But Sen. Kamala Harris, D-Calif., pressed Krebs on the timeline, noting that states like Texas have March primaries.
“I would want to know that you are aware of the 16 states at least and what their dates are for their primary and that it would be your goal to have their assessment complete before their primaries actually occur,” she said. “It would seem to me to be a high priority for the Department of Homeland Security.”
In December, the backlog was estimated to be as long as nine months for states to receive the free service. Krebs said that critical infrastructure authority for elections allowed the agency to shift resources.
Krebs added that the resources are also used to protect the 16 other critical infrastructure sectors, as well as federal high value assets assessments, which explains the delay.
“What we’ve done is put at the top of the pile the state and local election officials right now,” he said. “With more I can do more, so we are looking at ways to increase training to bring additional personnel on, and also, there’s an equipment requirement.”
DHS is also processing security clearances for the state officials overseeing the cybersecurity of their elections to ensure they are able to access DHS cyber intelligence. Krebs said the agency is currently processing 37 clearances and will issue single-day clearances to cover any gaps.
“We are going to do a number of briefings over the next couple of weeks for state election officials,” he said.
But when Harris asked what percentage of election officials currently security clearances have them, Krebs estimated 30 percent of the 50 election officials were completed.
“But we have prioritized, again, this process of vetting and issuing the clearances and are continuing to do so in advance of the 2018 elections,” he said.
DHS officials designated election systems a critical infrastructure in the wake of Russian meddling in the 2016 election.