On Wednesday, the House Oversight and Reform Committee held a hearing, “Securing U.S. Election Infrastructure and Protecting Political Discourse”. While partisan chatter often dominates the discussion on securing our elections from cyberattacks, industry leaders and agency officials had the opportunity to present a fact-based review of the steps required to combat this threat.

Election Assistance Commission Chairwoman Christy McCormick highlighted the EAC’s central role in assisting the states in responding to cybersecurity threats:

The EAC is the only federal agency solely devoted to supporting election officials in their work. HAVA mandates that the EAC serve as the nation’s foremost clearinghouse on elections, conduct original research – such as the Election Administration and Voting Survey – that informs ways to improve election administration, establish federal voting system testing guidelines and operate the federal government’s voting system certification program, administer federal grant funding for states to improve election administration, and help America vote. These resources give election administrators the tools they need to carry out secure, accurate, and efficient elections. . . .

One of our primary focuses is election security, and I am pleased to have this opportunity to provide more detail about our efforts in that regard. Before I do, however, it is important to put that work into context. Election security is only one component of election administration. . . .

The EAC works alongside federal partners to leverage their subject matter expertise to augment the EAC’s whole-of-elections perspective with specialized products. The EAC works with these partners to produce EAC products, help other agencies better develop products for election stakeholders, and help our stakeholders understand and integrate these products into the context of their array of responsibilities. These partners include the Department of Defense, the Department of Justice, the Department of Homeland Security, the Office of the Director of National Intelligence, the National Institute of Standards and Technology (NIST), and the United States Postal Service.

Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency at the  U.S. Department of Homeland Security, had this to say in his testimony:

We will remain transparent as well as agile in combating and securing our physical and cyber infrastructure. However, we recognize that there is a significant technology deficit across [state, local, tribal, and territorial] governments, and state and local election systems, in particular. It will take significant and continual investment to ensure that election systems across the nation are upgraded and secure, with vulnerable systems retired.

One area of consensus among the panel and Members of Congress was the need for multi-level communication and threat awareness. Elections are by design a local domain, but state and Federal partners must ensure that localities are aware of threats when they arise, demonstrated by the testimony of Massachusetts Secretary of State Francis Galvin:

Consistent and efficient communication must be bi-directional and follow prescribed points of contact. All of the federal agencies mentioned above must, in a timely manner, keep the individual states informed of suspected breaches, alerts, intelligence as well as the tactics, techniques and procedures (TTPs) used by our adversaries.

While the overall conversation shifted toward political barbs from the 2016 election, the need for increased Federal resources was made clear. Director Krebs, in a line of questioning from Chairman Elijah Cummings, had the opportunity to state:

In the run up to the 2016 election, I think the only people in the federal government who understood elections was [EAC] Chairman McCormick and her team and [FEC] Chairman Weintraub. We came into this thing brand new. We’re cybersecurity and physical security experts, and still are . . . . I have 17 [full time] officials dedicated to this issue. In the runup to 2018 [midterms] I had over 550 individuals that were working at the national, local, state level on elections . . . . I will have more field staff to ensure 2020.

Krebs hoped that in the leadup to 2020, he could nearly double the 17 full time staff.  By working together to share information without usurping the states’ primary role in administering elections, federal entities such as the EAC and DHS can help the states secure elections while still maintaining the protection of our varied and decentralized election systems.