Amid DHS leadership shuffle, voting systems remain vulnerable

Continued resistance from state officials and some members of Congress is also an issue, says a former DHS chief.

Jeh Johnson
 

Even with the widespread attention and federal protections provided to election systems, state and federal officials alike have concerns that U.S. election systems remain vulnerable to digital meddling.

In the final days of the Obama administration, then-Department of Homeland Security Secretary Jeh Johnson formally designated state election assets as U.S. critical infrastructure in response to digital floods of misinformation, as well as Russian cyber espionage on an election software vendor and spear-phishing attempts against local election officials during the lead-up to the November 2016 presidential election.

The move allowed state governments to ask DHS for help on a voluntary basis in securing their election infrastructure, but was met with resistance from many state officials and some members of Congress.

Amid this resistance -- and the current shuffle in DHS leadership -- Johnson expressed fear on CBS's Face the Nation Aug. 6 that voting systems remain vulnerable to digital meddling.

"I'm concerned that we are almost as vulnerable, perhaps, now as we were six, nine months ago," he said.

"The cyber threat is going to get worse before it gets better in this country," he added. "Bad cyber actors are becoming more aggressive, more ingenuous and more tenacious... Nothing would surprise me at this point in terms of their capabilities."

Despite pushback and confusion from states over the critical infrastructure designation, Johnson said that 33 states sought cybersecurity assistance from DHS during the lead-up to the election.

"We identified a number of vulnerabilities in election infrastructure which were addressed," he said. "But that process needs to continue."

Election Assistance Commission Chairman Thomas Hicks told FCW that as far as improvements to security, the effect of the designation is "still a wait-and-see process."

"I believe the election itself is secure, but that doesn't mean we can't do more for that," he said, adding that doing more "is not going to be a quick fix."

Hicks noted that in the lead-up to the 2018 elections, it's not just the interference with the actual ballot-casting that states must protect against.

"One of the things that the critical infrastructure designation brought to light to is that securing these elections doesn't take place just on Election Day," he said.

Hicks said that securing an election also entails securing web-facing applications, polling places, election machines, as well as sites that report election night results.

Hicks added that some of the vulnerabilities are physical in nature, and states should make sure only authorized officials have access to the machines, both while in the polling places and while in storage.

Another challenge facing states is that many of the electronic voting machines are nearing the end of their lifecycles. Although states are currently on the hook for paying for the next generation of equipment, Hicks said the issue of whether the federal government will help foot the bill remains a question.

The recent reshuffling that placed Johnson's successor John Kelly, who supported maintaining the critical infrastructure designation, in the White House chief of staff role has left DHS without a permanent secretary.

Hicks said that since the precedent for the designation has been set by the next secretary's two predecessors, he doesn't believe it will change. He added, however, that "time will tell when the next person is confirmed."

EAC, an independent agency stood up in 2002 to help protect the integrity of elections, has come under fire from congressional Republicans.

In addition to a revived effort from Rep. Gregg Harper (R-Miss.) to shutter EAC, the House Financial Services and General Government Appropriations Subcommittee drafted a bill that would terminate the agency by the end of fiscal year 2018.

In response, subcommittee Ranking Member Mike Quigley (D-Ill.) introduced an amendment to retain the commission and provide $9.2 million in funding for fiscal year 2018.

NEXT STORY: Managing the risks of data sprawl