States: Rescind Electoral Critical Infrastructure Designation (InfoRiskToday)

Breach Preparedness
,
Cybersecurity
,
Data Breach

States: Rescind Electoral Critical Infrastructure Designation

Secretaries of State Allege Federal Intrusion into States’ Affairs

States: Rescind Electoral Critical Infrastructure Designation

State officials who oversee elections have objected to a Department of Homeland Security designation of America’s electoral system as critical infrastructure. The National Association of Secretaries of State is asking DHS Secretary John Kelly to rescind the designation made in January by his predecessor, Jeh Johnson.

See Also: Today’s Threat Landscape: Reduce Risk & Prevent Data Breaches


“The U.S. Department of Homeland Security has no authority to interfere with elections, even in the name of national security,” reads a resolution approved last week by the association. In most states, the secretary of state is the chief election official.


Kelly indicated during a Feb. 7 House hearing that he intends to uphold Johnson’s designation, according to the resolution. DHS has yet to respond to an ISMG query clarifying Kelly’s stand on the designation.


States, not the federal government, run elections, even those for president and Congress. But concerns over the hacking of Democratic Party servers, allegedly by the Russians, during the recent presidential election prompted Johnson to designate the electoral system as critical infrastructure (see Deep Dive: US Intelligence Report Into Russian Hacking). The critical infrastructure designation would only apply to computers involved in voter registration, voting and compilation of votes.


Pushing Back


State election officials have pushed back at the critical infrastructure designation. “It was clear to me after meeting with Homeland Security, the FBI and the U.S. Attorney’s office that they lacked the basic understanding necessary to assist in securing our nationally recognized system,” says Louisiana Secretary of State Tom Schedler, a Republican. “This is a federal intrusion issue and should not be taken lightly.”


Mississippi Secretary of State Delbert Horsemann, also a Republican, characterizes the designation as “overreaching and unnecessary,” noting that the Constitution delegates responsibility for conducting elections to the states. He suggests that having 51 separate election systems – the 50 states and District of Columbia – makes it difficult for hackers to attack the electoral system. “The diversity of current state election systems is one reason these systems have remained secure,” Horsemann says.


It’s a theme picked up by Connecticut Secretary of State Denise Merrill, a Democrat who serves as the association’s president: “State and local autonomy over elections is our greatest asset against malicious cyberattacks and manipulation. Our decentralized, low-connectivity electoral process is inherently designed to withstand such threats.”


When Johnson designated elections as critical infrastructure on Jan. 6, he made it clear that the federal government had no intention of assuming the management of the electoral process. “This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country,” he said. “This designation does nothing to change the role state and local governments have in administering and running elections.


“The designation of election infrastructure as critical infrastructure subsector does mean that election infrastructure becomes a priority within the National Infrastructure Protection Plan. It also enables this department to prioritize our cybersecurity assistance to state and local election officials, but only for those who request it. ”


Skepticism Expressed


Still, some secretaries of state remain skeptical. “I am not going to let the federal government have the keys to our secured election system unless they can better articulate their intentions,” Louisiana’s Schedler says.


DHS has designated 16 industries as critical infrastructure. That means their physical or virtual assets are so vital the United States that their incapacitation would have a debilitating effect on security, the economy, public health or safety. Among critical infrastructure sectors are financial services, government facilities, healthcare and information technology. Johnson designated the electoral system as a subset of the government facilities sector.


DHS began to consider designating the election system as critical infrastructure after the revelation of the hack of the Democratic National Committee and the release of information from the breach that proved embarrassing to Democratic presidential candidate Hillary Clinton.


But the new designation will not cover political organizations, such as the DNC and Republican National Committee. Instead, it extends coverage to infrastructure controlled mostly by local and state governments, such as polling places, centralized vote tabulation locations, voter registration databases, voting machines and other systems used to manage the election process.

Source: SANS ISC SecNewsFeed @ February 22, 2017 at 01:09PM

0
Share