More than 100 state and local election jurisdictions that reached out to the federal government for help ensuring the digital security of their election-related systems have instead found themselves on a waitlist ahead of next week’s midterm elections, according to two people familiar with the backlog.
The tests in demand from the Cybersecurity and Infrastructure Security Agency — the Department of Homeland Security department responsible for providing tools to protect state-run election systems — include risk and vulnerability assessments as well as penetration tests, both of which determine how vulnerable computer networks are to hackers, including foreign state actors.
States are not required to undergo such tests. The Cybersecurity and Infrastructure Security Agency, known as CISA, offers the services on a voluntary basis.
The vast majority of voting machines are not connected to the internet, meaning a credible threat from foreign hackers on the election system as a whole is practically impossible. But some election information does run through the internet, like voting registration, official information about how and where to vote, and election officials’ email systems. So it could be possible to delete voters from rolls or change the way a website projects an election winner, creating chaos and confusion.
In a statement, CISA did not deny the backlog but noted the agency has provided free cyber hygiene tests for what CISA says are 425 “election-related entities” across all 50 states, the District of Columbia and U.S. territories. These tests are less labor intensive than the ones on backlog.
“We have found most organizations derive the greatest benefit from cyber hygiene vulnerability scanning, shared services, and capabilities offered in our free services catalog,” said Kim Wyman, CISA’s senior election security lead.
Both sources attributed the backlog in part to staffing shortages at CISA. A major contractor, Idaho National Labs, recently stopped providing such services to states and election machine manufacturers, according to a spokesperson for the company.
One U.S. official familiar with the backlog described the cause as a “bandwidth issue,” but CISA would not comment on the existence or reasons for the backlog.
“This has been the case for months and months,” the official added.
CISA’s cyber hygiene assessments can be almost as simple to use as adding a county to its list of websites to check. The risk vulnerability assessment program, which is backlogged, is far more resource intensive, and involves dispatching staffers to run tests on computer networks in person.
The sources declined to say which states and election jurisdictions have not received the help they asked for, or how many.
State and local election officials sought to beef up their security software after the 2019 report from special counsel Robert Mueller revealed Russian interference in the 2016 election. The report found that Russian intelligence sought access to state and local computer networks and was even able to compromise the Illinois State Board of Elections, even extracting “data related to thousands of U.S. voters before the malicious activity was identified.”
The Mueller report did not find that Russia or any other actor was actually able to change the election results, but it did raise concerns about election software vulnerabilities.
Jen Easterly, CISA’s director, has repeatedly said that she doesn’t expect a major cyber event disrupting the 2022 vote. In a talk hosted Tuesday by the think tank Center for Strategic and International Studies, Easterly said that she was “very confident that we have done everything we can to make election infrastructure as secure and as resilient as possible.”
“There is no information credible or specific about efforts to disrupt or compromise that election infrastructure,” Easterly said.
The fact that states and local election jurisdictions have been unable to get all the help they need from CISA has been unknown until now, as the agency has repeatedly said they are ensuring states have what they need.
“We have protective security advisors, cybersecurity advisors, cybersecurity state coordinators that are working hand in hand on the front line with those election officials to ensure they have what they need,” Easterly told NBC News in an interview last week. “And we have made this the top priority at CISA over the past year to ensure that we are supporting those election officials.”
Source: | This article originally belongs to Nbcnews.com
