The Department of Homeland Security's (DHS) cyber wing must “urgently” finalize and publish its plans to secure the 2020 U.S. elections from cyber attacks, the Government Accountability Office (GAO) said in a new report.
“In the absence of completed plans,” GAO wrote, “DHS’ Cybersecurity and Infrastructure Security Agency (CISA) is not well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of the 2020 election cycle.”
CISA has publicly said that it is developing strategic and operations plans with the intention of finalizing them by last month. However, it hasn’t met that goal; its progress was hampered by a reorganization that set the target date back to February 14. The plan reportedly includes measures to safeguard the 2020 election against foreign interference, including making the public more aware of the threat and providing support for political campaigns.
GAO is making three recommendations to CISA to secure the election infrastructure for the 2020 elections:
- Finalize the strategic and operations plans.
- Ensure that the operations plan fully addresses all lines of effort in the strategic plan.
- Document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency’s 2020 planning.
DHS has “concurred” with all three recommendations and provided estimated dates for implementing each one, the report said. The GAO report criticized CISA’s operations plan in that it “may not fully address all aspects outlined in its strategic plan, when finalized.” Additionally, CISA “has not developed plans for how it will address concerns about incident response.” In two reviews of the agency’s 2018 election security assistance, the audits identified a number of challenges, including:
- Inadequate tailoring of services.
- Not providing actionable recommendations in DHS classified threat briefings or making unclassified versions of the briefings available.
- The inability of CISA personnel supporting election security operations to access social media websites from situational awareness rooms.
- Few capabilities that CISA field staff could quickly provide on Election Day, which could limit the agency's incident response time.
- A lack of clarity regarding CISA's incident response capabilities in the event of a compromise that exhausts state and local resources.
“Although CISA officials said that the challenges identified in the reviews have informed their strategic and operational planning, without finalized plans it is unknown whether CISA will address these challenges,” GAO wrote in the report.
CISA may get some assistance in deploying its election security plans. A new bipartisan bill called The Cybersecurity State Coordinator Act of 2020 would establish a standalone, federally funded program run by CISA that would assign each state a cybersecurity coordinator to liaise with all levels of government to prepare for, respond to and remediate cyber attacks. In addition, the Federal Bureau of Investigation said it will now notify state officials when a local election has been hit by hackers, a course reversal from a prior closed-door policy not to extend notification beyond victims of cyber attacks.