After GAO critique, DHS releases 2020 election security plan
‘No single organization, no single state, no locality can go at this problem alone,’ CISA director says
The government’s top cybersecurity agency will focus on four key objectives to secure this year’s elections from hacking and other interference: protecting election infrastructure, assisting political campaigns, increasing public awareness about foreign intrusion, and facilitating the flow of information on vulnerabilities and potential threats between the public and private sectors.
That’s according to the Cybersecurity and Infrastructure Security Agency’s #Protect2020 Strategic Plan, issued by the Homeland Security Department on Friday. The blueprint follows a Government Accountability Office report that said the agency would struggle to execute a nationwide strategy without a finalized agenda.
The strategic plan describes the agency’s plans to work with federal law enforcement and state and local election officials on a “whole-of-nation effort” to defend electoral systems.
“If we learned anything through 2016 and the Russian interference with our elections, it’s [that] no single organization, no single state, no locality can go at this problem alone,” CISA Director Christopher Krebs said in the report.
“State and local election officials are on the front lines, and the role of the federal government is to make sure that they are prepared,” he added. “Ultimately, CISA’s efforts depend on the trust and cooperation of state and local officials. Those relationships are strong and growing stronger.”
In its strategic plan, CISA highlighted its Last Mile Project, which it launched in 2018 with the goal of distributing customized election security tools to state and local officials. Fifteen states have accepted the tools, which include election security planning guides and emergency response guides that have reached more than 1,000 local election jurisdictions. Twenty other states have expressed interest in the tools, CISA said.
The planning and emergency response guides, which are customized by CISA to reflect each jurisdiction’s individual voting infrastructure and processes, come in the form of posters. The planning guides outline possible threats and ways to identify and report potential incidents.
The emergency response guides, designed to address a “capability gap” for addressing cyberattacks or other threats, provide local officials “with a simple yet eye-catching tool for determining what steps to take when an incident occurs and who to report the incident to,” CISA said.
The agency will continue to offer election officials free training exercises that simulate potential incidents, including disinformation campaigns and cyberattacks, to “reinforce existing communication channels and forge new ones to be used in the event of a crisis.” CISA also provides free, voluntary security assessments that can help local jurisdictions understand their own vulnerabilities.
CISA will offer many of the same services directly to political campaigns. The agency said it wants to “create a culture of active information sharing” with campaigns, which includes regular briefings for campaign officials on threat intelligence in collaboration with the FBI, and meetings with national campaigns and party officials.
The goal of working directly with campaigns, the agency said, is to “increase engagement between partisan actors and the federal government and promote a greater emphasis on cybersecurity and risk mitigation throughout the political infrastructure community.”
CISA’s plan also seeks to build “societal resilience” to foreign disinformation campaigns by partnering with researchers and academics on strategies to help build public awareness of disinformation campaigns. The agency said it is working with AARP and NAACP to get its message out.
“We can patch cyber vulnerabilities and defend our databases, but if we don’t also prepare the American people for the onslaught of foreign interference they face daily, then we will have failed,” said Brian Scully, who leads the Homeland Security Department’s task force on countering foreign influence.
Finally, the agency plans to continue its role as a liaison among state and local election officials and private sector election vendors and cybersecurity experts to “synchronize information from a variety of sources to understand the full threat picture.”
The GAO report, released Thursday, found that state election officials who have worked with CISA since Krebs named election security one of his top priorities last year were satisfied with the agency’s support. Some “spoke positively” about CISA’s new Elections Infrastructure Information Sharing and Analysis Center, or EI-ISAC, which facilitates communication among election officials.
Membership in EI-ISAC has grown considerably since 2018, GAO reported. As of last November it included 50 states and 2,267 local election jurisdictions, a 63 percent increase.
But “in the absence of completed plans, CISA is not well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of the 2020 election cycle,” the GAO report said.
GAO found that the agency’s plans to release its election security proposal were delayed by an ongoing internal reorganization and limited staffing resources. It also said the agency has yet to complete a draft of a second, more detailed blueprint called the Election Security Operations Plan.
In its response to GAO, DHS said the operations plan, which will describe “key organizational functions, processes, and resources employed to carry out the CISA mission,” would be released by mid-February.
But unlike the four-pronged strategic plan, the more granular operations plan may not include detailed proposals for providing security assistance to political campaigns and raising public awareness about disinformation campaigns, CISA officials told GAO. The operations plan is likely to focus primarily on protecting election infrastructure and sharing intelligence on potential threats, the officials said.