The OIG found issues with how CISA provided assistance on election cybersecurity and found a complete lack of planning or assistance on physical safety, terrorism, and violence issues.
The United States’ (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) released its second assessment in the last two years of the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to secure the U.S.’ election systems. The OIG lauded CISA’s progress in laying plans and taking precautions to secure U.S. election systems themselves but found room for CISA to improve its oversight and safeguarding of the overall system. However, the OIG acknowledged the progress the agency has made since the February 2019 evaluation that was more critical of CISA’s efforts to date. But the OIG intimated that given the churn at the top of DHS over the last few years and the federal election system the U.S. has, CISA may be able to do only so much. In any event, the next few days may lead the OIG to rethink some of its assessment depending on how CISA performs.
The OIG summarized the scope of challenge before CISA:
- As of September 2020, according to the Cybersecurity and Infrastructure Security Agency (CISA), there were 7,997 election administration jurisdictions in the country. The sizes of these jurisdictions vary dramatically, with the smallest towns having only a few hundred registered voters, while the largest jurisdiction in the country has more than 4.7 million.
- The diversity in voting systems and software across the Nation presents considerable cybersecurity challenges. For example, there are 67 different types of voting machines manufactured by 7 different companies currently certified for use in any of the election administration jurisdictions across the United States. The election infrastructure’s reliance on technology for efficiency and convenience introduces even greater cybersecurity risks. Moreover, state and local jurisdictions may have different requirements for securing their systems, such as configuration settings, audit logging, intrusion detection capability, and patch management.
Nonetheless, beyond the effect of four different DHS heads since the beginning of the Trump Administration, the OIG pointed at CISA’s “protracted reorganization” since it was renamed and remade from its forerunner agency, the National Protection and Programs Directorate (NPPD). The OIG said CISA could not even produce an organizational chart, suggesting the possibility of dysfunction inside the agency. The OIG noted:
For example, [Office of Intelligence and Analysis] officials told us in March 2020, the National Cybersecurity and Communications Integration Center (NCCIC) was recently re-organized. However, when we reached out to CISA officials for confirmation in April 2020, they dismissed this notion. According to CISA officials, the confusion may arise when some people refer to NCCIC according to its statutory authority while others refer to the organizational body (i.e., the Cybersecurity Division) that carries out the functions described in the statute.
The OIG flatly declared that until DHS and CISA get solid leadership and are properly organized, the assistance that can be provided to the election sector will be limited. As DHS is the sector-specific agency for a number of other sectors, this conclusion may also have repercussions in the following sectors:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Emergency Services Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector (shared with the Department of Transportation)
To wit, the OIG asserted:
Amid the leadership vacancies and repeated turnover, within DHS, CISA has not sufficiently prioritized key activities or established effective performance measures to monitor its progress in accomplishing its mission and goals of securing the Nation’s election infrastructure. Without DHS senior leadership guidance as a foundation, CISA cannot work successfully with sector representatives to develop the plans and strategies needed to secure the election infrastructure.
The under-addressed and unaddressed risks the OIG identified are “physical security risks, terrorism threats, and targeted violence.” The OIG speculated (correctly, I think) that after the 2016 election CISA was very focused on cybersecurity even though its remit over this subsector of a critical infrastructure sector also includes physical security:
Further, when assisting state and local election officials, CISA has primarily focused on the cybersecurity of election systems instead of broader election infrastructure aspects including related storage facilities, polling places, and centralized vote tabulation locations used to support the election process. CISA’s focus on cybersecurity may be attributed to reported cybersecurity threats and misinformation campaigns from foreign nations during the 2016 and 2018 elections. While beneficial, CISA’s primary focus on cybersecurity has limited DHS’ ability to provide the strategic direction needed to secure the election infrastructure from broader types of potential risks.
Given the protests and counter-protests this year related to Black Lives Matter, which has bled into the Presidential election campaign, CISA’s failure to focus on physical security, terrorism and violence may have left the election system susceptible. The OIG contended:
While attacks on physical election infrastructure locations and assets are rare, CISA should consider both physical and cyber threats as part of a comprehensive understanding of the threat and incorporate them in its election security and resilience planning. For example, an individual drove a van into a voter registration tent manned by campaign volunteers in February 2020. CISA cannot effectively secure the election infrastructure or manage risk to the Nation’s critical infrastructure based on the 2013 National Infrastructure Protection Plan by focusing on cybersecurity alone. A clear roadmap, sufficiently addressing broader risks, is needed to better guide DHS efforts and help achieve its goals of securing the election infrastructure.
Moreover, the OIG found the quality of the information provided by CISA to state and local election officials to be of questionable value. This is not surprising given the recent audit that found DHS’ cyber information sharing program was not providing quality information to the private sector.
Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful. DHS is required to maintain situational awareness of threats, and improve the sharing of threat intelligence with stakeholders to better prepare and protect election infrastructure. However, according to selected CISA regional staff, the information was over-classified, not tailored to election stakeholders’ needs, and could be obtained elsewhere. According to our interviews with CISA’s regional staff (12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors), the following are opportunities to improve the quality of information shared with stakeholders:
- 8 (22 percent) of 37 CISA regional staff stated the information was overly classified.
- 8 (22 percent) of 37 CISA regional staff stated briefings were not tailored to stakeholders’ needs.
- 7 (19 percent) of 37 CISA regional staff stated the information could be obtained from public sources. In one example, by the time the cyber threat information was declassified for sharing with election stakeholders, they had already learned about it through the news media.
- 5 (14 percent) of 37 CISA regional staff stated that after attending briefings, election officials could not share the information with their information technology staff and county clerks to remediate vulnerabilities as they did not possess the proper clearances.
- 1 (3 percent) of 37 CISA regional staff stated some briefings were repetitive.
- 7 (19 percent) of 37 CISA regional staff stated Fusion Centers were too far away and not convenient.
Representatives of other Federal agencies also told us about their work with CISA to secure the election infrastructure. One Federal agency representative discussed receiving duplicative election infrastructure threat information from CISA and DHS’ I&A. Another Federal agency official stated, “I cannot think of a single thing in a classified briefing that I have not read from the media,” indicating he had received complaints from others about DHS’ intelligence briefings not being helpful.
Worse still, when a state or local election authority requested that CISA perform an assessment of their systems or processes, the agency was often tardy in doing so. For example, the OIG found:
- A Secretary of State initially requested a Phishing Campaign Assessment in October 2017. However, CISA did not begin the assessment until June 2018. CISA’s records show NCCIC did not complete the assessment until January 2019, more than a year after the request was made.
- Another State Board of Elections requested CISA perform a Risk and Vulnerability Assessment in July 2018. The assessment did not begin until July 2019. NCCIC ultimately completed the testing in September 2019, more than a year after the initial request.
Staffing was also an issue. The OIG’s survey of CISA regional staff resulted in 73% of those interviewed saying “CISA needed more Cybersecurity Advisors to help private sector entities and state, local, territorial, and tribal governments prepare for and protect themselves against cybersecurity threats.”
The OIG made these recommendations to CISA:
- Recommendation 1: Coordinate with the Office of the Secretary to revise the National Infrastructure Protection Plan and other planning documents to incorporate current and evolving risks as well as mitigation strategies needed to secure the Nation’s election infrastructure.
- Recommendation 2: Improve the collaboration between I&A and CISA, which can help to enhance the quality and reduce the redundancy of information DHS shares with Federal agencies and state and local election officials.
- Recommendation 3: Assign the staff resources needed to conduct timely cybersecurity and physical assessments to assist states and localities with securing the election infrastructure.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020.