DHS Faces 2020 Election Security Planning Challenges

While state election officials said they were generally satisfied with the support they were receiving from the Department of Homeland Security to secure election infrastructure, problems remain with planning efforts.

Election Security State Readiness
A technician works to prepare voting machines in Philadelphia prior to the 2016 election.
(AP/Matt Rourke)
Welcome to the latest edition of the Future of Security newsletter. Let’s get started:

State and local governments can improve confidence in the information posted on their website by encrypting them and shifting to .gov domains, reports Ben Miller, Government Technology’s* business editor. While anyone can obtain a website using .com, .net, or .org, from vendors like GoDaddy.com, acquiring a .gov website requires the buyer to submit evidence they are purchasing the domain name on behalf a state or local government entity, according to cybersecurity firm McAfee. 

Yet, in a survey of 13 states that will be battlegrounds in the 2020 elections, McAfee found that just 54 percent of counties had an encrypted front webpage, 17 percent had an official website ending in .gov and only 10 percent had a website that was both encrypted and .gov.

While scammers have targeted citizens pretending to be government websites, McAfee said it has seen “no evidence of malicious actors spoofing county websites to misinform voters.” Yet the barriers for staging a political misinformation campaign are low.

Election security remains a high priority, but is the Department of Homeland Security ready to address known challenges?  Last week, the Government Accountability Office released a report on the DHS’ election security efforts, and while state election officials said they were generally satisfied with the support they were receiving to secure election infrastructure, challenges remain with planning efforts.

DHS, through its Cybersecurity and Infrastructure Security Agency (CISA), has assisted state and local election officials in security election infrastructure. To guide state and local election officials, CISA was to finalize strategic and operational plans, but has run into problems completing its work. In the absence of those plans, the GAO stated that CISA is not well-positioned to execute a nationwide strategy prior to the start of this year’s election cycle. 

“CISA has not developed plans for how it will address challenges, such as concerns about incident response,” according to the GAO report. Those challenges include:

  • Inadequate tailoring of services, which could impact local election jurisdictions.
  • Not always providing actional recommendations.
  • The inability of CISA personnel supporting election security operations to access social media websites from situation awareness rooms, which hindered the collection and analysis of threat information.
  • Few capabilities that CISA field staff could quickly provide on Election Day, which could limit its response to an incident.
  • A lack of clarity regarding CISA’s incident response capabilities.
The report provides a detailed look at the types of physical and cyberthreats to the country’s election infrastructure throughout the election process. It also details the services DHS provides to state and local election officials, including information sharing and analysis through the Elections Infrastructure Information Sharing and Analysis Center.

According to the GAO, “State election officials with whom we spoke were generally satisfied with CISA’s support to secure their election infrastructure. Specifically, officials from seven of the eight states we contacted said that they were very satisfied with CISA’s election-related work, while officials from the eighth state said that they were somewhat satisfied.”

But CISA’s inability to complete its plans could hamper how it carries out certain goals: “The lack of finalized plans can affect CISA’s achievement of higher-level objectives that take time to accomplish, such as building stakeholder capacity and public awareness. Until CISA finalizes its strategic and operations plans for supporting elections in 2020 and ensures that the operations plan fully addresses all of the aspects of its strategic plan, CISA will not be well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of 2020 election activities.”

Some states are helping cities and counties better protect themselves as the number of cyberattacks increase. According to Stateline, a recent report by the National Governors Association and the National Association of State Chief Information Officers, found 65% of states report they provide some cybersecurity services to local governments; however, the scope varies widely.

Among the findings: 

  • Illinois created a program that helps local election officials improve their cybersecurity readiness and conduct risk assessments. It hired IT specialists to help local election offices beef up their security.
  • Iowa is using a federal grant to offer counties cybersecurity vulnerability scanning and to pay for hardware and anti-malware tools. It also is piloting cyberprojects with schools, cities and hospitals.
  • North Carolina developed a partnership with the state’s National Guard and emergency management division to help local governments, school systems and community colleges recover data compromised during a cyberattack and provide training to help prevent future incidents.
  • Pennsylvania partnered with the county commissioners’ statewide association to provide security awareness training and phishing exercises for all 150,000 county and state employees and contractors. Phishing victims unwittingly click on emailed links designed to get personal information, such as passwords.
But the problem with ransomware attacks continues to worsen. For a long time, the extent of the ransomware problem has been obscured by the fact that many companies and organizations privately pay the extortion fee without notifying authorities. 

However, in 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack — a 41 percent increase from the year before, according to information provided to The New York Times by Emsisoft, a security firm that helps companies hit by ransomware.

The Times reported “the average payment to release files spiked to $84,116 in the last quarter of 2019, more than double what it was the previous quarter, according to data from Coveware, another security firm. In the last month of 2019, that jumped to $190,946, with several organizations facing ransom demands in the millions of dollars.”

The article points out that while cities appear to be heavily targeted by ransomware attackers, the figures are skewed because they are the only victims required to report their attacks. “In reality, public sector organizations represented only around 10 percent of all victims last year,” Coveware told The Times.

* Government Technology is a news organization of e.Republic, Governing’s parent organization.

Tod is the managing editor of Governing and the contributing editor of our sister publication, Government Technology. He was previously the editor of Public CIO, e.Republic’s award-winning publication for IT executives in the public sector, and is the author of several books on information management.