The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has improved the cyber security of the nation's voting systems but could improve in this regard through better and more timely information sharing, and the agency needs to expand its election security efforts to better address physical security risks, an internal department overseer says in a new report.
The inspector general (IG) also says that election security efforts have been hampered by turnover at the top of DHS leadership, an undefined organizational structure for CISA, and staffing shortages within the agency.
"Amid the leadership vacancies and repeated turnover, within DHS, CISA has not sufficiently prioritized key activities or established effective performance measures to monitor its progress in accomplishing its mission and goals of securing the Nation's election infrastructure," says the report, DHS Has Secured the Nation's Election Systems, but Work Remains to Protect the Infrastructure (OIG-21-01). "Without DHS senior leadership guidance as a foundation, CISA cannot work successfully with sector representative to develop the plans and strategies needed to secure the election infrastructure."
The report is dated Oct. 22 and was released on Tuesday.
Citing CISA officials, the IG says the agency's focus on election security has been on cyber security risks, "particularly those associated with internet-connected systems," which the agency vies as the being most at risk.
When it comes to physical threats to election infrastructure, intelligence here "is not common," the report says. It also says that existing DHS and CISA plans related to next week's elections have been focused on cyber security, but "do not adequately address other elements such as physical security risk, threats of terrorism, and targeted violence at related storage facilities, polling places, and centralized vote tabulation locations that support the election process."
Previously called the National Protection and Programs Directorate, CISA was officially rebranded in 2018 but its organization and the related roles and responsibilities of its personnel haven't been settled, the IG says. This has created some confusion within DHS, it says.
The report highlights ongoing programs and tools used by CISA to help state and local officials discover cyber vulnerabilities to their election systems and reduce risks to these systems. It also says the agency has increased its outreach and coordination with these officials in the past 20 months.
The vast majority of state election's stakeholders surveyed by the IG say they are satisfied with CISA outreach and coordination efforts. However, interviews with CISA regional officials found issues with the sharing of threat information, including over-classification, not specific to stakeholder needs, and already available through open sources.
The IG says that CISA doesn't have authority to declassify information that has been classified by another source. It also says that the agency and the DHS Intelligence and Analysis (I&A) branch could better work together to avoid duplicating information shared with election's stakeholders.
In over half, 53 percent, of the records and interviews, the IG also found that cyber security assessments done by CISA's National Cybersecurity and Communications Integration Center (NCCIC) for election's stakeholders weren't timely.
"A Secretary of State initially requested a Phishing Campaign Assessment in October 2017," the report says. "However, CISA did not begin the assessment until June 2018. CISA's records show NCCIC did not complete the assessment until January 2019, more than a year after the request was made."
CISA also needs more staffing resources to better serve state and local election officials, the IG says. It reports that as of May 2020 the agency had 132 Cyber and Protective Security Advisors who help with cyber and physical security training such as COVID-19 response and mitigating threats from violent extremists across all the nation's critical infrastructure sectors. These wide-ranging responsibilities mean that advisers can't give election security the attention it may need, the IG says.
"Our interviews with 12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors disclosed that CISA's current staffing level is not adequate to provide support to state and local election officials for security the election infrastructure," the report says.
CISA agreed with all of the IG's recommendations, which include updating plans and strategies to account for broader risks to election infrastructure, improve collaboration between the agency and I&A, and ensure staffing is adequate for "timely cybersecurity and physical assessments" to help election's stakeholders bolster their infrastructure.