Improving the cybersecurity of state election systems has until recently been primarily the domain of secretaries of state, election directors and officials from the U.S. Department of Homeland Security. But chief information officers are increasingly playing a role in election security, Delaware CIO James Collins said Friday at a National Governors Association conference.
When the federal government declared election systems part of the country’s critical infrastructure in 2017, state election officials had to undergo crash courses in cybersecurity, but Collins — who also serves as president of the National Association of State Chief Information Officers — described voting equipment, voter registration databases and election-results websites as variants of the IT systems that CIOs are already familiar with securing and managing.
“We know network infrastructure, we know risk assessment,” Collins said during a session on election security at NGA’s winter meeting in Washington. “I don’t mean to minimize any of the systems that have been mentioned, but from the CIO’s perspective, the election system is one of many systems we work to protect every day. We have information on every citizen from cradle to grave.”
But securing election systems is a relatively new addition to CIOs’ portfolios, Collins and other speakers admitted.
“When I was a state election official, I didn’t know who the state CIO was,” said Matt Masterson, a DHS cybersecurity adviser who previously served as an election official in Ohio.
Masterson also said that when federal authorities first spotted malicious network activity on states’ election-related computer systems in 2016, “DHS literally didn’t know who to call.” He said the department reached out to governors’ offices and CIOs, but election directors were harder to reach.
Collins recalled a phone call he got in 2016.
“When Homeland Security reached out and asked me if I knew Delaware had been scanned by the Russians, I said, ‘Nah, we get millions of knocks a day’,” he said. “But I checked and there they were.”
By Election Day 2018, there was much greater coordination among election officials, CIOs and federal cybersecurity agencies, Masterson said. The National Cybersecurity Situational Awareness Room, an online portal DHS established to respond to any day-of incidents, had more than 600 participants from state and local governments, including several IT chiefs, he said.
Still, while many of these measures are new to election officials, Collins described them as just one more task for IT executives.
“Let me start by saying the election systems are critical,” he told StateScoop. “Collectively, it all supports our democracy. It can’t get much more important than that. That said, there are many critical systems in every state that are supported by the CIO’s office, the enterprise IT agency. They have the relationships with the vendor partners and the [National] Guard and the federal government, when necessary.”
Election officials who are still familiarizing themselves with cybersecurity can lean on that experience, Collins continued.
“The threats have increased dramatically, so cybersecurity is huge and what we want to do is support those election officials,” he said. “This is kind of a new fight for the elections folks. But it’s a fight we’ve been in for a very long time.”