CISA’s Krebs seeks more measured approach to election security heading into 2020

Given the too-late realization that Russia interfered in the 2016 presidential election through massive disinformation campaigns and — as the Mueller report most recently documented with a few new twists — actual efforts to hack into state elections systems, it’s no surprise that election security under the rubric of “Protect 2020” was a key theme running throughout the Cybersecurity and Infrastructure Security Agency’s (CISA) second annual Cybersecurity Summit.

Even so, CISA Director Christopher Krebs kicked off the summit by cautioning against the fearful language and overwrought concerns currently surrounding the topic of election security. “We’ve got to be more straightforward, more measured, more reasonable in how we talk about things. Election security is a great example. Are there true, absolute, fundamental risks in the infrastructure? Yes, but we have to take the hysteria out of the conversation because ultimately what we do is we drive broader voter confidence down,” he said.

email marketing concept on blue background

A more balanced and less heated approach to election security does not mean, however, that the country can ignore the hard work that’s needed to ensure that the 2020 elections are safe from malicious actors and cyber threats. “I want to fast-forward to November next year and what will most likely be the most dynamic presidential race and campaign in our lifetimes, at least mine. What are you going to do to protect 2020, what is your company going to do? What is your organization going to do? How are you going to work at the local level to support your local precinct? Are you going to understand what the requirements are when you show up to vote?”

One emerging concern when it comes to the 2020 election is the role that ransomware could play in locking up local election systems, particularly given the recent ransomware attacks that crippled 23 municipalities in Texas. Based on threat modeling, in a year from now during the run-up to the 2020 election, “ransomware could be deployed against a voter registration database” and other election elements that “could wreak disruption to the process,” Krebs said. The balancing act CISA faces is to “not only work with our partners to secure those databases, but also understand that we’re not going to catch every arrow that comes at it.”

Election security money available

Later, in a panel discussion with Senator Mark Warner (D-VA), Krebs said election officials need help, they need money, but he’s confident that “things are headed in the right direction” when it comes to the stalemate in the Senate over passing election security legislation, some versions of which give state and local election officials more money to protect their election systems.

Author’s note: Later, in talking to CSO, Senator Warner hinted that he didn’t share Director Krebs’ optimism that such legislation would pass. Later that day, Senator Mitch McConnell (R-KY), the chief obstacle to the legislation, caved under pressure and agreed to a new election security measure that would give states $250 million to help them improve election security. That’s not enough, Warner responded. “I worry people are missing the point on this. Additional election security funding is a necessary but not sufficient part of securing our elections. Until Leader McConnell allows bipartisan election security legislation to proceed, our elections will remain vulnerable.” he said in a tweet.

The US was caught off guard in terms of the election-related attacks by Russia during the 2016 election but based on the assessments of local, state and federal officials in charge of rectifying election system weaknesses, the infrastructure is in a much stronger position today to ward off similar future attacks. The improvement is in part due to a tranche of new election security funds appropriated last year under the Help America Vote Act (HAVA).