The Homeland Security Department is actively considering whether it should add the nation’s election system — or the individual systems that 9,000 local and state jurisdictions use to collect, tally and report votes — as an entity that needs DHS protection from cybersecurity attacks.
“We should carefully consider whether our election system, our election process, is critical infrastructure, like the financial sector, like the power grid,” DHS Secretary Jeh Johnson said during an Aug. 3 breakfast with reporters hosted by the Christian Science Monitor. “There is a vital national interest in our election process, so I do think we need to consider whether it should be considered by my department and others as critical infrastructure.”
Johnson said the department is “actively thinking” about election cybersecurity now, as the cyber threat landscape has evolved since Congress last passed major changes to the nation’s voting process in 2002.
“I am considering communicating with election officials across the country about best practices in the short term,” he said. “There are some best practices that exist, and we need to share those best practices with state and local election officials soon. There are probably longer term investments we need to make in the cybersecurity of our election process. There are various different points in the process that we have to be concerned about.”
Under the roles that the Obama administration recently clarified in a new presidential policy directive (PPD) last week, the FBI is responsible for gathering evidence involved in the DNC hack and sharing that information with DHS.
DHS will take the lead on asset response, meaning that the department will help affected organizations recover and get their systems back up to speed.
“In the simplest of terms, I am the fireman and [FBI Director] Jim Comey is the cop,” Johnson said of DHS’ role.
Neither agency is ready to attribute the DNC hack to a specific actor, Johnson said.
“What is critical is that we address the attack itself, we mitigate the harm, we expel the bad actor, we patch the vulnerability, we take what we’ve learned from that attack and we disseminate that information so that attack can not be successful again,” DHS Deputy Secretary Alejandro Mayorkas said last week at the department’s cyber and tech career fair. “That’s what’s really groundbreaking with respect to the PPD.”
DHS is expected to release an official draft of its response plan in September, Mayorkas said. The department will open it up for public comment and plans to publish a final version by the end of the year.
‘We are DHS’
Though DHS plays a major role in national cyber response, Johnson specifically praised his department’s work on two recent security operations at the Republican and Democratic national conventions.
DHS released a new video Aug. 3 to recognize the work and accomplishments of its employees across the 22 component agencies.
“It’s my effort to spruce up our image a bit,” Johnson said of the video.
DHS has struggled to improve its employee morale, amid several highly publicized challenges at the Transportation Security Administration, Secret Service and others. The department’s overall employee engagement grade on the Federal Employee Viewpoint Survey has dropped from a score of 60 in 2011 to 53 last year.
“In homeland security in our world very often, no news is good news,” Johnson said. “The extraordinary effort that our people in the Secret Service, TSA, Customs and Border Protection, NPPD [and] very often goes unreported, almost taken for granted.”