A top Department of Homeland Security official says that states do not have enough funds to replace outdated voting systems ahead of the midterm elections in November.
Christopher Krebs, DHS undersecretary for the National Protection and Programs Directorate, says that all 50 states’ election systems may have been subjected to cyber scanning by Russian actors in the 2016 election, underscoring the need to replace vulnerable voting infrastructure.
“There are challenges from a procurement perspective. There’s also the challenge of its frankly not enough money to transition that equipment,” Krebs tells the House Homeland Security Committee July 11.
The FY ’18 omnibus spending bill included $380 million to assist states with replacing old systems, which Krebs says may not be enough to transition to new equipment and be used towards information sharing and cyber programs.
“Not all states are similarly resourced and that is going to be a challenge going forward. And that is probably the greatest opportunity for policy discussion in this body,” Krebs said. “I would not, though, assume that all that money is going to replace out of date equipment.”
DHS officials said last year that Russian actors were able to infiltrate election systems in 21 states.
Krebs tells lawmakers that DHS now has full visibility into all election networks and every state could have potentially been scanned by cyber actors.
“I would suspect that Russia scanned all 50 states and five territories and the District of Columbia. Scanning, it happens every day. It’s an automated process. I think the 21 number, that’s based on what we were able to see,” he says.
Krebs says that both DHS and the intelligence community have determined that Russian actors are not posing the same cyber threat to try infiltrate election infrastructure in 2018 as was seen in 2016. Officials have noted a continued presence of operations to spread misinformation during the 2018 midterms, according to Krebs.
DHS is readying a national risk management initiative that will include streamlining government and industry efforts on securing elections as states continue to struggle to replace outdated voting infrastructure, Krebs says July 20 as part of a panel discussion. The new plan will focus on improving integration of cyber services among DHS, the Treasury Department and the Department of Energy with their respective private sector partners.
“It’s about industry and government working together. We have to have integrated, cross-sector government and industry collaboration in the cyber security and critical infrastructure space. We are in the process of launching a national initiative that is going to focus on those activities,” Krebs tells attendees at a Washington Post cyber event. “No state out there is going to be able to overcome this challenge by themselves. We have to work together. We’re pushing a collective security and defense model where we together to manage risk.”
Krebs also called on state election officials to be more specific on the level of outdated equipment that needs to be replaced and the cyber threats they face to drive congressional action to increase election security assistance.
“What I think we need to do in the very near future is, rather than just say ‘we need money, give us money,’ is we need ‘x’ amount of money to address ‘x’ threat and buy down ‘x’ amount of risk,” Krebs says. “We have to be much more precise. And that will inform and drive the conversation on the Hill.”
“These systems are expensive to replace, and state budgets generally are not constructed for widespread IT capital investments on a snap basis,” Krebs says.
The House voted down a measure July 19 to spend another $380 million in election assistance funding, after Republicans argued the program led by the Election Assistance commission did not require additional allocations.
DHS has found three persistent vulnerability trends with election infrastructure: running outdated operating systems, vulnerability and software patch management issues, and misconfiguration errors, according to Krebs.
Krebs also called on the Senate to consider a bill passed by the House in December last year to rename NPPD the Cybersecurity and Infrastructure Security Agency, and said he was unsure why the legislation has not moved forward.
“I don’t know anybody that’s against it. What we need to a better job of from the department, but also industry, is communicate why this is so important and why we need to do this,” Krebs said.
The reorganization would help his office with recruiting cyber-skilled personnel and better inform potential industry partners on what assistance is offered, according to Krebs.
“NPPD, it sounds like a Soviet-era intelligence agency. It doesn’t tell anybody what we do,” he says.