State election officials need more help from the federal government in protecting themselves from nation-state actors.
“We’re talking about local communities that are having trouble funding roads, water bills and hospitals,” said Jared Dearing, Kentucky’s state election director, at a forum at the Election Assistance Commission Aug. 15. “And we’re now asking them to take part in the defense against foreign state actors. The cliff that is looming before us is we are failing to fund them for critical infrastructure."
The hearing comes after a July report from the Senate Intelligence Committee detailed how Russian-backed actors scanned and attacked state election systems. The report highlighted significant cybersecurity shortfalls with state election networks.
“The federal government providing additional resources would be helpful," said Kyle Ardoin, Lousiana’s secretary of state. “But the federal government also needs to communicate to the states that they have an absolute responsibility” for their systems.
The Senate report also noted the significant issues some states had when communicating with the federal government. While the DHS sent security alerts to states, some officials said those alerts didn’t contain the proper context to understand the seriousness of the threat.
“Information is key for election officials. If we don’t get information, we can’t protect our system," Ardoin said. "The timeliness of information is absolute and for us to be able make sure our systems are secure, we’ve got to get that information as quickly as possible ... whether it’s a local partner, a state partner or a federal partner. And sometimes we just don’t get it.”
Congress passed $380 million in election security grants to states last year. The House has passed additional funding this year, but the bills have not received a vote in the Senate.
Geoffrey Hale, director of the elections division at the Cybersecurity and Infrastructure Security Agency (CISA), said the organization’s leaders are seeing the need to “to continue to do the fundamentals.” States need to make sure that their systems are auditable and are able to recover from attack, he said.
Hale said two of the most common vulnerabilities his agency has found is unsupported systems and immature patch management processes. But he acknowledged the hardships states face.
“Election officials are asked to administer a complex array of diverse systems under a severely resource constrained environment,” he said.
CISA, which falls under the Department of Homeland Security, is also running a program from the Idaho National Laboratory to test election vendors’ products for vulnerabilities. Hale said that there’s been “increased interest” from vendors in participating and that feedback has been positive.
The program allows CISA to “work with the vendor following the assessment on mitigation opportunities,” Hale said.
Throughout the last few months, many officials have said that all levels for government need to do a better job coordinating when there is a threat.
“All partners - local, state and federal - need to cooperate and work together on this funding issue for resources for securing our elections,” Ardoin said.