Is DHS Going to Take over the Cybersecurity of the Election System?

Concerns about the security of the voting system are plentiful this election season. There have already been several noteworthy cybersecurity incidents.

This summer, it was revealed that the private email accounts of over 100 officials and groups affiliated with the Democratic National Committee were hacked as Wikileaks published nearly 20,000 emails obtained as a result of the breach. In addition, hackers accessed a database for the Illinois Board of Elections, compromising up to 200,000 personal voter records, which included voter names, addresses, birthdates, and other information.

Arizona was also forced to take its voter registration system offline for nearly a week when the Federal Bureau of Investigation notified the Arizona Department of Administration that there was a credible cyber threat to the system. Coupled with suspicions that many of these breaches are caused by state actors, the fears of election manipulation are running rampant this year.

In response to these growing concerns, the Department of Homeland Security (DHS) has offered to provide more cybersecurity protections to help states secure their voting systems. DHS has offered to provide the following cybersecurity assistance:

  1. Cyber hygiene scans that are conducted remotely on Internet-connected systems;
  2. Risk and vulnerability assessments done onsite by DHS cybersecurity experts;
  3. On-site assistance in identifying and remediating cyber incidents by the National Cybersecurity and Communications Integration Center (NCCIC), a 24/7 cyber incident response center;
  4. Sharing of threat and vulnerability information;
  5. Sharing of best practices for securing voter registration databases and addressing potential threats to voting systems; and
  6. Advice from field-based cybersecurity and protective security advisors.

Thus far, nine states have requested DHS assistance in securing voter registration databases and assessing the security of their voting machines. However, at least one state has declined DHS’s offer of cybersecurity assistance in favor of relying on its own security to protect its voting systems.

One measure that DHS has strongly considered, but decided to rule out this election season, is designating the United States election system as “critical infrastructure” to provide the system with greater protection.

DHS defines critical infrastructure as “sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation would have a debilitating effect on security, national economic security, national public health or safety.”

DHS has designated 16 sectors and industries as “critical infrastructure,” including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care, information technology, nuclear, transportation, and water. Designating the election system as “critical infrastructure” would make it eligible for considerably greater resources from the federal government.

DHS is also working with the National Association of Secretaries of State (NASS) to establish an Election Infrastructure Cybersecurity Working Group to examine potential election infrastructure cybersecurity issues. NASS has appointed the Secretaries of State from California, Connecticut, Indiana and Georgia to serve on the Working Group.

Originally published in Inside Counsel on October 3, 2016.

