September 16, 2016-Department of Homeland Security Secretary Jeh Johnson today said DHS was ready to offer a range of cybersecurity help to state and local election officials to secure voting systems from cyber attacks, but emphasized that any such assistance would be provided only if state and local officials asked for it, and that it wouldn’t be accompanied by any “binding directives.”
Mr. Johnson’s remarks follow reports in recent weeks of cyber attacks on state election networks in Arizona and Illinois — possibly by Russian state actors — and comments from Obama administration officials that they are considering designating the U.S. election system as “critical infrastructure” that would be eligible for enhanced protection from hackers (TRDaily, Aug. 30). The DHS secretary made no mention of a possible critical infrastructure designation in his announcement today, but pointed to the possibility of cyber threats and the need to prepare for them, and to requests for help that DHS had received in recent weeks “from a number of states.”
“In recent months we have seen cyber intrusions involving political institutions and personal communications,” he said. “We have also seen some efforts at cyber intrusions of voter registration data maintained in state election systems. We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balance built in.”
“Nevertheless, we must face the reality that cyber intrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyber hacktivists, and criminals. In this environment, we must be vigilant,” he said.
DHS “stands ready to assist state and local election officials in protecting their systems,” he said, but he took pains to emphasize that DHS did not want to assume any larger oversight role of those systems. “It is important to emphasize what DHS assistance does not entail,” Mr. Johnson said. “DHS assistance is strictly voluntary and does not entail regulation, binding directives, and is not offered to supersede state and local control over the process. The DHS role is limited to support only.”
“In our cybersecurity mission, this is the nature of what we do — offer and provide assistance upon request,” he said. “We do this for private businesses and other entities across the spectrum of the private and public sectors. This includes the most cybersecurity sophisticated businesses in corporate America.”
DHS can provide a wide range of help to state and local election officials, he said, including conducting remote “cyber hygiene scans” on Internet-facing systems along with recommendations on how to improve security; providing on-site risk and vulnerability assessments of internal and external systems; offering the help of DHS’s National Cybersecurity and Communications Integration Center (NCCIC) in identifying and remediating cyber incidents; and sharing cyber threat data through the Multi-State Information Sharing and Analysis Center.
Mr. Johnson also said DHS would make public by today best practices for securing voter registration databases and addressing potential threats to election systems from ransomware. — John Curran, firstname.lastname@example.org