Written by CyberScoop Staff

Former Secretary of Homeland Security Jeh Johnson on Thursday warned members of Congress that additional actions to standardize and improve the cybersecurity of state election systems must be taken before the 2018 mid-term elections and the 2020 presidential election.

“National elections will be decided in key precincts in key states,” said Johnson, testifying before a task force of congressional Democrats investigating cyber threats to election infrastructure. “In other words, the integrity of our election outcomes on a national level dances on the head of a pin.”

Johnson, who issued multiple public statements in the run up to the 2016 presidential election referencing attempts by Russian hackers to infiltrate election systems in dozens of states, said although he knows of no evidence that any ballots were altered, he remains very concerned about the integrity of state election systems, particularly voter registration databases.

“Last years’ experience was a wake-up call,” Johnson said. “The way ballots are collected are all over the map. What was reassuring to find is that there is very little vote reporting that occurs on the Internet, and if it does there are backups. Most states recognize that that is not a best practice,” he said. “I think it’s up to Congress at the national level to explore whether some type of legislation is appropriate to legislate either certain federal minimum standards for the cybersecurity of our democracy, or a requirement of a certification.”

Suzanne Spaulding, the former undersecretary for the national protection and programs directorate (NPPD) at DHS, urged lawmakers to consider ways to require states to conduct a full cybersecurity assessment of election systems well ahead of major elections.

“Remove the politics from the threat assessment itself,” Spaulding said. “One of the suggestions would be for Congress to put in a legislative requirement that 120 days or 180 days out from a national election the intelligence community provide a threat assessment with regard to any threat activity they might see related to the elections. That helps to remove the implication that whatever administration is in place at the time is trying to put a thumb on the scale or influence the outcome of the election. It becomes a standard, required process.”

The comments come one day after acting Secretary Elaine Duke told a congressional committee that DHS promises to better coordinate with state and local government officials in efforts to defend election systems from hackers in the upcoming 2018 congressional campaign season.

Both Johnson and Spaulding recommended that Congress make standard assessments a prerequisite to receiving federal grant money.

“If you’re looking for a set of best practices that you might consider mandating I certainly would recommend the NIST Cybersecurity Framework,” Spaulding said. “But to the extent that states are nervous about having federal employees and officials coming into their systems, third party entities could, for example, be certified as offering substantially the same services.”

Johnson said he agreed with the idea of requiring an intelligence community assessment at least six months prior to an election.

“And if the states are resistant to any type of federal presence in their systems, perhaps a certified third-party validator is a good idea,” he said.

The first hearing of the Democrat-led Election Security Task Force comes just one week after DHS notified 21 states of attempted Russian hacking against their election systems.

A small number of networks were compromised, but none of the targeted systems involved the tallying of votes.

For the majority of the states targeted, only early-stage activity like scanning was seen. A minority of targeted states saw serious attempts to compromise networks, some of which were successful.

Alabama, Colorado, Illinois, Minnesota, Maryland, Virginia, Wisconsin and Washington are among the states that have acknowledged receiving a notification. The remaining states are publicly unknown.

News of the targeting first came to light in June when Jeanette Manfra, acting deputy undersecretary for cybersecurity and communications at the DHS’s National Protection and Programs Directorate, testified during a hearing held by the Senate Select Committee on Intelligence that focused on Russian interference in the U.S. election.

Since then, DHS has established a coordinating council under the Government Facilities critical infrastructure sector designation to work directly with states on improving the cybersecurity of election systems. The designation of election systems as critical infrastructure, which occurred in January under Johnson’s leadership, makes state elections officials a priority customer for DHS assistance and assures a trusted communications relationship so that sensitive information on security vulnerabilities is not disclosed.

“Russia is engaged in a long-term effort to undermine democracy. We need to broaden our focus,” Spaulding said. “We know enough now to understand what needs to be done. It’s time to act.”