The caucuses in Iowa showed it doesn’t require foreign adversaries or political enemies to screw up voting. The locals did that all on their own. But still, election security is an important concern as the 2020 races heat up. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) considers election security as one its top priorities. If that’s the case, it needs to hurry up and finish its strategic plan according to the Government Accountability Office. For more, Federal Drive with Tom Temin turned to the GAO’s director of information technology and cybersecurity issues, Vijay D’Souza.
Insight by Kodak Alaris: Practitioners provide insight into how states and the IT industry are dealing with Real ID in this exclusive executive briefing.
Tom Temin: Mr. D’Souza, good to have you on.
Vijay D’Souza: Thanks for having me.
Tom Temin: You looked at what CISA is doing. What are they doing, what is their role in a local election security in the first place?
Vijay D’Souza: Well, it’s important to remember that elections are run by states and localities in the United States. That being said CISA offers a number of services on a voluntary basis to states and localities to help them better secure their elections.
Tom Temin: All right, and how do they do that?
Vijay D’Souza: Some of the services they offer are technical service is such a cyber security assessments both remotely and on site. They also do training activities, for example, they have web-based training, and they’ve done to nationwide simulation exercises they call tabletop exercises. And then they’ve even done things like helping localities develop posters that explain various security issues to staff and the general public.
Tom Temin: And these are mainly cyber-related issues for voting systems that are non paper?
Vijay D’Souza: So it’s important to understand that election security is cyber, but cyber can be broader than you think. There can be other threats to elections that you might not think of a cyber. So one example is there’s a human element. We’ve heard a lot about sort of the coronavirus, for example. So what would you do if most of your election staff were to come down with some sort of illness on election day? So that’s an example of a security threat that’s not directly related, but it’s still very important.
Tom Temin: I guess, also the cyber elements of systems that are still on paper ballots, for example, voter registration databases — that a big concern also?
Vijay D’Souza: Sure, so when you look at threats to elections, there can be those that are pre-election, election day and post-election. So voter registration systems, as you mentioned, is a good example of the pre-election day threat. On election day, you could look at threats to poll books and then post-election you could look at the posting of the results on websites, for example.
Tom Temin: And does CISA have any kind of role or leverage in getting what it is that they train local electors on, spread out throughout the country? Because there’s tens of thousands of voting.
Vijay D’Souza: Yeah, we’ve actually reported over 10,000 localities operating elections in the United States. And again, I’ll go back to its — CISA operates primarily on a voluntary basis and one of the issues that happened initially in 2017, when elections were designated as critical infrastructures there was some nervousness from locality is about possible federal overreach. But what we heard from the states and localities we talked to is that CISA has made an effort to cultivate a good relationship with states, localities, both through site visits and conferences and interacting with various associations.
Tom Temin: And you found a number off challenges in your review of this. What were the principal ones?
Vijay D’Souza: The states localities we talked to identified two main challenges in working with CISA. One really doesn’t have anything to do with CISA, it’s simply a timing issue. Although we only hear about the big elections, elections are happening all the time. And then when there’s not elections, there’s various other issues that localities have to do to prepare for elections. So just finding the time to step aside and work on things with CISA is a challenge. The other issue that came up was sharing of information on threats. Originally, a lot of what CISA wanted to share may have been at a classified level, so it was challenging to share. Or sometimes they would share information and it wasn’t always clear to localities what they needed to do. You have to remember that a lot of people operating elections are not IT experts. They have a lot of other jobs. So one thing CISA has worked on is trying to make sure its information is clear and actionable and finding ways to share information with folks who maybe don’t have clearance.
Tom Temin: We’re speaking with Vijat D’Souza. He’s director of information technology and cybersecurity issues at the Government Accountability Office. And what about, I know you mentioned the CISA strategic plan for elections and specifically for the 2020 election. And they sound like they’ve got a speed up their work there.
Vijay D’Souza: Right. We took a look at their draft strategic plan and it had, you know, some good stuff in there, but again, it was in draft. One of the issues is DHS is undergoing a reorganization right now, and I think that slowed things down as far as finalizing that plan. But also under that plan, their intent is to have an operational plan, which lays out more details and specifics. And we hadn’t seen that at the time of our review, and we thought it was very important that they get both of those finalized as soon as possible.
Tom Temin: All right, anything else CISA has to pay attention to?
Vijay D’Souza:Well, I think it’s going to be a moving target, and they would freely acknowledge it. It’s hard to know what the surprises will be. And I think the most important thing is gonna be building those relationships and maintaining lines of communication in case something unexpected does happen.
Tom Temin: The issue in, I guess it’s still gonna be sorted out, we’ll probably [take] years sorting out what happened in Iowa. But you had people seemingly inexperienced in technology, inexperienced in governance, inexperienced in the kind of end-to-end closure security that you need to have in any kind of legitimate election. Is this the kind of thing that system might be able to help, especially the locals with?
Vijay D’Souza: Well, so our report didn’t look specifically at the issues in Iowa but generally speaking what I would say, you know, elections are always operated by a lot of part-time staff. Poll workers are typically volunteers, and so planning for that is important. That’s part of what the intent of the two nationwide exercises where that CISA did is to get folks together and have them think through, “What if this went long? What if that run wrong? What would we do? What is our backup plan? Do we have a backup to our backup plan?” So it’s planning. Ultimately, CISA is not gonna be able to do most of the work, it’s gonna be up to the localities. But what you can do is help the localities better prepare,
Tom Temin: And are there any known national standards, not so much regulations. We can’t really do that kind of regulation at the federal level, but are there standards that exist?
Vijay D’Souza: Sure. So there’s another federal organization called the Election Assistant Commissioner (EAC). And they work with other federal agencies to prepare voluntary voting standards that states can opt to use. And these standards address issues such a security and usability. So there are standards. But again, because elections are run by states and localities, they are primarily on a voluntary basis.
Tom Temin: I mean, in doing this type of work and talking with CISA, is it your sense that this is really important? Because the United States as the ultimate voting country and the model for so many other nations for so many years, if the United States can’t operate elections cleanly and efficiently … then you know what hope is there for the rest of the world?
Vijay D’Souza: Well, elections are key to people’s faith in government, and also having a sense of public trust in elections is key, too. So yes, this is definitely an important area. But, you know, I do want to emphasize that there are a lot of people working on this issue and concerned about this issue, so we do see a lot of progress underway in addressing the challenges in this area.
Tom Temin: Vijay D’Souza is director of information technology and cybersecurity issues at the Government Accountability Office. Thanks so much for joining me.
Vijay D’Souza: Thank you.
Tom Temin: We’ll post this interview along with a link to his report at www.federalnewsnetwork.com/FederalDrive. Hear the federal drive on your schedule. Subscribe at Apple Podcasts or Podcastone.