DHS on elections systems as critical infrastructure: ‘It was already the law’
A Homeland Security official gave some more insight into their efforts on designating election systems as critical infrastructure shortly after the 2016 presidential election, saying it helped the department streamline communication in the event of a incident.
Neil Jenkins, from DHS’s Office of Cybersecurity and Communications, gave the first detailed account Wednesday of the process leading up to the controversial decision, which was made by departing officials in the final days of the Obama administration and widely panned by state and local authorities.
DHS designated election systems in 30,000 jurisdictions as critical infrastructure to ensure there would be someone in regular communication with state and local election officials about cyber threats to national polls.
Jenkins told NIST’s Information Security and Privacy Advisory Board that in August and September, when officials first became aware of Russian efforts to interfere with the election, the “started trying to catalogue the services we could offer to state authorities,” to help them shore up network security and protect the systems that tabulated and reported results.
Prior to the November polling day, “We realized two things very quickly: Election officials were not interested in being designated at that time because they saw it being very disruptive … and … the capabilities we needed to provide them was not reliant on a critical infrastructure designation.”
But following the election, the urgency was taken out of the equation, and officials looked at the designation issue afresh, Jenkins told CyberScoop after his presentation.
Officials were concerned to institutionalize their relationship with those running elections at the state and local levels, because the constant barrage of cyberattacks on critical infrastructure meant it was hard for DHS to focus on any given target. Because elections officials themselves also have multiple responsibilities, they might not be focused on cybersecurity absent regular communication from DHS.
“From our perspective at DHS, just like they’re busy getting focused on other things, we often get pulled in other directions by an attack on this sector or that [government] department or agency. If we don’t stand up an office and tell a couple of people, ‘It’s your job to engage with election officials,’ then we might not engage with them [again] until the next election, until something pops up.”
By which time, of course, it would be too late.
“We can provide them with all these capabilities regardless of the designation, we can talk to them. But to have that regular engagement which will truly help them improve their cybersecurity [in the long run], we need to have … the people doing that work, engaging with the sector on a regular basis, to have these conversations, being there to answer their questions,” he said.
It was “the regular engagement we need to have with them,” which made the designation necessary in the eyes of DHS leadership.
“It was already the law,” he said, explaining that election systems fit very well under the statutory definition of critical infrastructure laid out in the USA PATRIOT Act — basically any business or industry which is essential to the nation’s security or economy.
The 16 sectors defined by DHS include banking, telecommunications, power and water utilities.
State and local governments were already a critical infrastructure sector, and making a sub-sector of local government was also needed to make sure the right conversations were going on in the states themselves.
DHS’s regular mode of contact with state and local governments was through the Multi-State Information Sharing and Analysis Council, or MS-ISAC, and through DHS’s office of state, local tribal and territorial affairs.
But the MS-ISAC connected to state CIOs and the DHS office connected mainly through the governors’ offices.
But DHS officials discovered over the summer that governors and secretaries of state — who oversee elections — are often firewalled off from each other, both literally and figuratively, with separate networks and separate offices.
“They don’t necessarily talk to each other, they’re not in each other’s chain of command,” Jenkins said.
“We wanted to make sure that election officials knew who their state CIOs were and were having regular conversations with them … leveraging the MS-ISAC was the way to make sure they were talking to each other.”
Jenkins dismissed talk that the critical infrastructure designation might be rolled back, as the incoming Trump administration first promised.
“[DHS] Secretary [Gen. John Kelly] made a public statement to Congress that we see this as the right thing and we’re going to continue with it,” he said. “As of right now, there’s no talk of rolling it back.”