Homeland Security cyber unit on alert for Election Day

Russia’s intervention in the 2016 presidential election yielded an unexpected result for officials at the Department of Homeland Security (DHS): it has put them in the driver’s seat for protecting future elections from cyberattacks.

Since January, officials at the agency have grappled with how to work with state and local election officials to share information on imminent threats and develop response plans for when things go awry.

The effort has spawned tensions with state officials, who are wary of a “federal takeover” of elections and have panned the slow pace at which the federal government offered up details on the Russia threat. 

Homeland Security has pressed forward, standing up a special council in October to engage with election officials on potential threats and how to defend against and respond to them. 

On the cusp of Tuesday’s gubernatorial elections in Virginia and New Jersey, Homeland Security says agents have been on the ground in both states to help shore up their systems in advance of the vote.

“We’ve helped them get prepared,” Bob Kolasky, the acting deputy undersecretary at the department’s cyber wing, the National Protection and Programs Directorate, said in an interview. “They have been very active and good partners with this. We will be in contact with them on Election Day and we will be ready to do anything to help.” 

The department’s efforts were triggered by the U.S. intelligence community’s assessment in early January that Russia sought to influence the 2016 election by ordering hacks of Democratic officials’ email accounts and targeting state and local electoral systems not involved in vote tallying. Both Arizona and Illinois saw their voter registration databases breached. 

The same day that the intelligence community released its unclassified report on Russia’s actions, the Obama administration designated election infrastructure as “critical” — opening up physical and digital election assets to federal protections, like cyber hygiene scanning, in states that request them. The designation has been maintained by the Trump administration. 

The responsibility has proven tricky for Homeland Security, which has had to fend off criticism from state officials and members of Congress for the amount of time it took to notify states that were targeted by Russian actors. They’ve also been criticized for the slow process of issuing security clearances to state election officials. 

The department notified election officials in 21 states in late September that their systems had been targeted by Russia before the 2016 vote. The disclosure came three months after a Homeland Security official said that 21 states had been targeted in public testimony before the Senate Intelligence Committee. Immediately, some states stepped up accusations that they had received misleading information, amid confusion over the systems that were actually targeted.

“Our notification from DHS last Friday was not only a year late, it also turned out to be bad information,” California Secretary of State Alex Padilla charged on Sept. 27. Sen. Claire McCaskill (D-Mo.) wrote to the department just this week demanding answers on why it took so long.

“For the most part, what we did in 2016 was as soon as we saw activity, we notified the system operator,” explained Kolasky, who said that the information, in turn, did not “necessarily” find its way to the chief election officer.  

“What we didn’t know in 2016 was the connection to the whole picture,” he added, referring to Moscow’s interference efforts. “That takes time to put together.”

The issue is one that Homeland Security is trying to address by convening the Election Infrastructure Coordinating Council, which includes representatives from state and local election offices as well as the National Association of Secretaries of State and the federal Election Assistance Commission. 

“Going forward, there won’t be that gap in time,” Kolasky said. 

One key element for improving information sharing with states is getting election officials the proper security clearances to view classified information — including the attribution of specific threat actors.

That process began in August, and Homeland Security hopes to have a “significant portion” of state officials with clearances by the time the council holds its next meeting at the beginning of the year. At that point, state officials will be able to receive classified briefings on threats. 

“They’re still waiting for a threat assessment. The secretaries still really don’t feel like they have had a full briefing,” said Leslie Reynolds, executive director of the National Association of Secretaries of State. “The thing that the states need that the federal government has is information.” 

Still, Homeland Security insists that in the meantime it will notify states of any “activity” on their networks — the government just may not be able to tell them who, or what, is behind it.

Despite criticism, there are signs of improvement and increased coordination between federal and state representatives. 

“It’s moving in the right direction,” Padilla told The Hill Friday on the relationship with Homeland Security. “I wish it was moving more quickly.” 

One of the states targeted by Russia in 2016 was Virginia, which has taken steps to scrap outdated touch-screen voting machines and solicit advice from Homeland Security on how to fix any critical cybersecurity vulnerabilities ahead of Tuesday’s election.

“I think the relationship has greatly improved over the past year,” said Edgardo Cortés, Virginia’s elections commissioner. “The biggest role that they are going to play is figuring out where we have gaps so we can put resources toward that.” 

“I think we are working towards hashing out how to better communicate, what sort of communications are going to be helpful for election officials,” Cortés added.  

Looking ahead to the 2018 midterm elections, Homeland Security is aiming to bolster relations with all 50 states to quickly share information and help election officials make decisions about how to address vulnerabilities. The department is aiming to create an incident response playbook to address potential cyberattacks.

One year out from the 2018 contests, fears have begun to mount in Washington over the possibility that Russia, or another foreign actor, could again try to tamper with the election.

While Kolasky would not divulge any information about specific targeting efforts in the last year, he indicated that the threat environment has remained on par with 2016.

“I’ll say it this way: We saw in 2016 that Russia had an intent to be involved in our elections and some capability to be active or to attempt to be active in scanning elections systems. We have not seen any evidence that intent or capability has changed,” Kolasky said.

“We believe the intent and capability is still out there.”

Reid Wilson contributed.