The Department of Homeland Security is readying a national risk management initiative that will include streamlining government and industry efforts on securing elections as states continue to struggle to replace outdated voting infrastructure, according to a top department cyber official.
Chris Krebs, under secretary for DHS’ National Protection and Programs Directorate, announced the new plan Friday, which will focus on improving integration of cyber services among DHS, the Treasury Department and the Department of Energy with their respective private sector partners.
“It’s about industry and government working together. We have to have integrated, cross-sector government and industry collaboration in the cyber security and critical infrastructure space. We are in the process of launching a national initiative that is going to focus on those activities,” Krebs told attendees at a Washington Post cyber event. “No state out there is going to be able to overcome this challenge by themselves. We have to work together. We’re pushing a collective security and defense model where we together to manage risk.”
Krebs also called on state election officials to be more specific on the level of outdated equipment that needs to be replaced and the cyber threats they face to drive congressional action to increase election security assistance.
“What I think we need to do in the very near future is, rather than just say ‘we need money, give us money,’ is we need ‘x’ amount of money to address ‘x’ threat and buy down ‘x’ amount of risk,” Krebs said. “We have to be much more precise. And that will inform and drive the conversation on the Hill.”
Congress authorized $380 million to states in the FY ’18 omnibus spending bill to replace vulnerable voting infrastructure, but election officials have told Krebs this is not enough to update all equipment.
“These systems are expensive to replace, and state budgets generally are not constructed for widespread IT capital investments on a snap basis,” Krebs said.
The House voted down a measure Thursday to send another $380 million in election assistance funding, after Republicans argued the program led by the Election Assistance commission did not require additional allocations.
DHS has found three persistent vulnerability trends with election infrastructure: running outdated operating systems, vulnerability and software patch management issues, and misconfiguration errors, according to Krebs.
Krebs also called on Senate to consider a bill passed by the House in December last year to rename NPPD the Cybersecurity and Infrastructure Security Agency, and said he was unsure why the legislation has not moved forward.
“I don’t know anybody that’s against it. What we need to a better job of from the department, but also industry, is communicate why this is so important and why we need to do this,” Krebs said.
The reorganization would help his office with recruiting cyber-skilled personnel and better inform potential industry partners on what assistance is offered, according to Krebs.
“NPPD, it sounds like a Soviet-era intelligence agency. It doesn’t tell anybody what we do,” Krebs said.