DHS plans largest operation to secure U.S. election against hacking
A 24/7 war room will operate from Election Day until local officials are confident in the results. It shows just how far DHS’s cybersecurity agency has come since 2016.
“I anticipate possibly thousands of local election officials coming in to share information in real time, to coordinate, to track down what’s real and what’s not, separate fact from fiction on the ground,” said Matt Masterson, CISA’s senior cybersecurity adviser, who has helped lead election preparations. “We’ll be able to sort through what’s happening and identify: Is this a typical election event or is this something larger?”
The operation will run for days or weeks until winners are clear in most races — and potentially until the election is formally certified in December. “We’ll remain stood up until the [election] community tells us, ‘Okay, we’re good, you can stand down,’ ” Masterson said.
The wide-ranging operation is the culmination of four years during which CISA has grown from a backwater agency that was largely unknown outside Washington to the main federal government liaison to a nationwide ecosystem of officials running the elections.
CISA’s growth is especially notable because it has happened despite an abiding lack of interest in election security from President Trump. He has held only one Cabinet-level meeting on the topic during his presidency and generally views discussion about Russian interference as threatening the legitimacy of his 2016 victory over Hillary Clinton, even though there’s no evidence actual votes were changed.
CISA has been aggressively responding to interference attempts for weeks already. It helped states tackle a drumbeat of disinformation, including what officials said was an Iranian effort to intimidate voters in Florida and other states and a Russian scheme to hack Democratic and Republican Party officials.
As states brace for larger-scale interference attempts on Nov. 3 — including the possibility that hackers time may try to manipulate voter registration data or vote tallies, or otherwise prevent large numbers of people from casting ballots — CISA’s Northern Virginia headquarters will convene dozens of officials from DHS, intelligence agencies, political parties, social media companies and voting machine vendors to orchestrate how the government can respond.
If there are concerning signs of interference, teams of CISA employees stationed in different regions across the country stand ready to deploy to polling places or election offices to help assess what’s going on.
The agency is also focused on tamping down unwarranted panic: It’s planning phone conferences with media every few hours to explain any interference it sees — and to put into context events that may raise suspicions but turn out to be more typical Election Day problems, such as malfunctioning voting machines, confusion about voter rolls and crashing elections office websites.
CISA ran similar operations during the 2018 midterm elections and on Super Tuesday during the presidential primaries, neither of which was affected by significant hacking activity from abroad. CISA Director Chris Krebs warned at the time, however, that Russia may be “keeping its powder dry” and described those elections as a “dress rehearsal for the big show” in 2020.
Krebs and other officials have managed to talk candidly about those threats largely by flying beneath Trump’s radar, focusing on the nitty-gritty of securing voting machines and other election technology, and steering clear of broader questions about the U.S.-Russia relationship, current and former officials said.
“The folks at CISA continue to just play it straight and call it as they see it,” said Suzanne Spaulding, who led a predecessor agency to CISA called the National Protection and Programs Directorate during the Obama administration. “Part of it is flying under the radar, which is unfortunate. You’d like to have a president out there reinforcing the messages CISA’s putting out. But the best they can do is try to get their message out to the key people who need to hear it.”
While the agency has been criticized for a slow learning curve about the peculiarities of election administration and for sometimes not providing threat information quickly enough, CISA has almost certainly helped the U.S. vote become more secure now than it was four years ago. It has sent staff to test the cybersecurity of election systems in hundreds of jurisdictions since 2016 and helped many states shift to more secure voting systems that include paper records for all votes and the capability to conduct rigorous post-election audits.
And the war room effort crystallizes just how far the agency has come since it first tried to help election officials protect against cyberattacks in the last presidential election, amid early reports that Russia was responsible for hacking reams of documents from Hillary Clinton’s campaign and the Democratic National Committee and was scanning state election website for vulnerabilities.
At the time, the Obama administration was hesitant to voice its concerns about election security publicly out of fear of undermining voter confidence, but DHS officials tried to quietly share cybersecurity tools with states and urge them to ensure voter rolls and election night reporting systems were as protected as possible.
They had only limited success. The agency faced skepticism from some state officials and outright hostility from others who feared a federal takeover of elections. Georgia’s top election official at the time, now-Gov. Brian Kemp (R), even erroneously accused DHS of hacking into his state’s election systems. A DHS inspector general later determined there was no hacking and that the Internet traffic Kemp cited likely came from state employees visiting DHS databases.
On Election Day in 2016, the agency managed a smaller-scale war room but was hampered by its lack of relationships with state and local officials. It didn’t have any direct contact with those officials that night and instead used staff at the Election Assistance Commission and the National Association of Secretaries of State as an intermediary, said Neil Jenkins, a former DHS official who managed the operation.
Tensions got worse when the outgoing Obama administration designated election systems as “critical infrastructure” in January 2017 — a designation that’s also used for the financial, health-care and energy sectors that makes it easier to give election officials security clearances and share secret intelligence information. State officials balked. They rejected the designation in a joint declaration, suggesting DHS was spreading unfounded rumors that the 2016 election result itself was corrupted by hackers.
Jenkins likened the early DHS relationship with states then as akin to exchanging business cards in the middle of a crisis when the two sides had no reason to trust each other.
“Trust doesn’t happen right away. It takes a couple years to build trust, and that’s what CISA has done now. They’re in a totally different place now because they had time to develop that relationship,” he said.
That trust continued to build during the Trump administration after the president’s first DHS secretary, John Kelly, opted to retain the “critical infrastructure” label for election systems. It helped CISA burnish its image as a nonpartisan player and signaled that both a Republican and Democratic administration believed states needed to dramatically improve election cybersecurity. It was an especially notable move given the Trump administration’s commitment to overturning much of the Obama administration’s actions.
A drumbeat of new details about Russia’s 2016 operations that continued to trickle out via the media during the following years, and the release of the special counsel report by Robert S. Mueller III in 2019, also convinced many states to work collaboratively with the federal government.
“We realized that we were playing with a different animal,” West Virginia Secretary of State Mac Warner (R) said of the time frame between 2017 and 2018. “The federal government knew something we didn’t. That’s when the walls started to come down.”
Other key turning points, according to Warner, included a series of high-level threat briefings CISA gave state officials during the 2018 midterms and shortly after the U.S. drone strike that killed Iranian Maj. Gen. Qasem Soleimani in January.
“That same day the federal government gave us a warning saying if the Iranians put a worm inside your [election] systems, this might be the catalyst for them to turn it on,” he said. “That was such a change from just two years earlier when the federal government wouldn’t share anything with us. Now they’re sharing within 24 hours.”
The benefits of the partnership were seen as recently as this month, when law enforcement received reports of threatening emails sent to voters in four states including Florida and Alaska that the intelligence community attributed to Iran.
“Within really 16 to 18 hours, we’re having calls with the elections community to talk about what we know and what steps they can take to protect their systems,” Masterson said.
Michael Daniel, who was the White House cybersecurity coordinator during the Obama administration and now leads the Cyber Threat Alliance, hailed this progress. “My perception is that we’re light-years ahead of where we were in 2016 in terms of the relationship between CISA and state and local election officials.”
“This is one of the more remarkable stories frankly in an administration that has spent a lot of time wrecking or at least damaging large parts of the federal bureaucracy,” Daniel said.
Yet some election security advocates worry that election systems still aren’t as secure as they need to be given the looming threat from Russia and other adversaries — and they say CISA could do far more to help.
Warner and other election officials described the pace of information CISA shared about election threats as painfully slow after 2016 and still complain that the classified intelligence it shares doesn’t provide remotely enough insight into what adversaries are actually planning.
“They’ve done well but have to grow out of their infancy,” a former administration official who worked with CISA and spoke on the condition of anonymity to talk candidly, said.
Some security experts also say the agency hasn’t done enough to help secure the broader range of technology outside of voting machines and voter registration databases that adversaries could hack to sow chaos around the election. Potentially vulnerable systems include the websites that report vote tallies and county websites that direct voters to polling places.
A DHS inspector general review recently criticized the agency for not doing enough to keep polling places safe from physical violence by terrorist or extremist groups. The report also warned that CISA’s overall efforts were hampered by limited staffing and frequent turnover at the top ranks of DHS, which operated under five leaders during the past four years. It has been run by unconfirmed acting secretaries for the past 18 months.
“With the 2020 elections at hand and increased potential for revised election processes due to the COVID-19 pandemic, it is critical that CISA institute a well-coordinated approach and provide the guidance and assistance necessary to secure the Nation’s election infrastructure,” the report said.
Krebs and state election leaders criticized that report for being poorly timed with just a week to go before the election. Amy Cohen, executive director of the National Association of State Election Directors, said the report “does not fully demonstrate how far the relationship between the election community and CISA has come.”
Progress on election security is also not uniform across all states. About 10 percent of U.S. voters concentrated in seven states still don’t have an in-person voting option that includes a paper trail, which officials say is key to ensuring votes weren’t manipulated by hackers. That’s down significantly from 2016 when about 20 percent of voters lacked a paper backup, but still highly concerning to election experts. The silver lining: The percentage of votes cast without a paper record will likely be even lower than expected this year because of the surge in mail voting during the pandemic.
Yet even some critics of CISA say others share responsibility — and Congress especially can do far more to help. Lawmakers have delivered more than $1 billion to help states improve election security and safety since 2018.
Democrats have argued an additional $3 billion is needed to make elections sufficiently secure. “I have high confidence that our elections are more secure, but we need to continue to have an all-hands-on-deck approach,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus. “Congress stepped up and provided millions for election security, but that’s only a down payment. Clearly more money is needed in the range of billions of dollars.”