The Department of Homeland Security (DHS) designated the U.S. election infrastructure as a critical infrastructure subsector, Secretary of Homeland Security Jeh Johnson announced Friday.
“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” Johnson said in a statement.
Election infrastructure will be designated a subsector of the existing government facilities critical infrastructure sector.
Johnson highlighted that he reached this determination so election infrastructure will be a priority for cybersecurity assistance and protections that the Department of Homeland Security (DHS) provides to entities on a more formal and enduring basis.
The election infrastructure designation covers storage facilities, polling places, and centralized vote tabulations locations that support the election process. It also covers “information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
Johnson acknowledged that many state and local election officials are opposed to the designation, but he underscored “This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country.”
Brian Kemp, Georgia’s secretary of state, argued against this kind of designation at a September hearing of the House Oversight and Government Reform Subcommittee on Information Technology (Defense Daily, Sept. 28, 2016).
He said this designation could lead to a cyber security standard “that could lead to legal liabilities for states” and that state databases might end up being exposed to the federal government and possibly being shown to the public, which is “undermining the security of our elections.”
However, the DHS said designation does not change the role of state and local governments in administering and running elections. The election infrastructure will become a priority within the National Infrastructure Protection Plan and the designation allows DHS to prioritize cybersecurity assistance to state and local election officials who request it, the statement said.
Johnson argued the designation also makes it clear domestically and internationally that the U.S. election infrastructure enjoys the benefits and protections the government offers to critical infrastructure as well as making it easier for the government to have “full and frank discussions with key stakeholders regarding sensitive vulnerability information.”
“Particularly in these times, this designation is simply the right and obvious thing to do,” Johnson added.
“Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors – ranging from nation states, cyber criminals and hacktivists – are becoming more sophisticated and dangerous,” Johnson said.
This designation and the concern about election infrastructure “in these times” came the same day the unclassified version of a report drafted by the CIA, FBI, and NSA was released assessing Russian President Vladimir Putin ordered an influence campaign in the 2016 presidential election (Defense Daily, Jan. 6)
That report assessed Russia sought to hurt Hillary Clinton’s chances and help President-elect Donald Trump through, among other efforts, cyber intrusions.
Johnson’s statement stressed that while the increasingly connected and digital internet world has changed how people communicate and streamlines tasks, “it has also introduced an array of cyber threats and implications.”
DHS presently designates 16 critical infrastructure sectors, along with 20 subsectors, that are eligible to receive prioritized cybersecurity assistance from DHS. The sectors include chemical; commercial facilities; communications; critical manufacturing; dams; the Defense Industrial Base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology (IT); nuclear reactors, material, and waste; transportation systems; and water and wastewater systems.
Johnson pointed out that DHS has developed joint cybersecurity exercises with companies in the communications, IT, financial services, and energy services to improve their incident response capabilities. DHS has also streamlined access to both classified and unclassified information to critical infrastructure owners and operators in partnership with information sharing and analysis organizations.
DHS carries out operational cybersecurity missions through the National Cybersecurity and Communications Integration Center (NCCIC) that shares information about threats with public and private sector partners and operates as a round-the-clock watch center.
Johnson noted many critical infrastructure segments already include assets owned and operated by state and local governments like dams, public health, and water systems.
Rep. Bennie Thompson (D-Miss.), Ranking Member of the Committee on Homeland Security, praised the decision.
“In the long term, this will put our electoral systems on a more secure footing and maintain public confidence in our elections. I commend Secretary Johnson for making this important decision,” Thompson said in a statement.