DHS and CISA Should Provide Additional Resources and Assistance to Fight Election Misinformation and Secure Election Infrastructure and Offices
DHS is uniquely positioned to address rising challenges to election security, through the department’s administration of security grants and CISA’s direct assistance to state and local election officials. The department should use this position to reinstate election spending requirements for federal grants, hire regional election security specialists to support election officials, renew and leverage partnerships to provide anti-doxing services, combat misinformation, and expand the scope and scale of CISA’s Crossfeed program.
Secretary Mayorkas should help direct needed resources to election offices
In 2020, the Federal Emergency Management Agency (FEMA) included election security components in two of the agency’s four national priority areas (NPAs), which guide its Homeland Security Grant Program (HSGP). State and local jurisdictions that received HSGP grants were required to use at least five percent of total funds on each NPA, guaranteeing that some funds would go toward election cybersecurity and physical security. For 2021, FEMA eliminated these election security components. And while FEMA included “enhancing election security” as an NPA for 2022, recipients of HSGP grants will not be required to dedicate funding toward election security as they will for other NPAs.
In future years, we urge FEMA, at the direction of DHS Secretary Mayorkas, to use its broad discretion as administrator of HSGP grants to once again require states to allocate a share of funding toward election security projects. Until then, FEMA should conduct outreach to recipients that elevates the importance of election security needs, provides guidance on effective election infrastructure investments, and encourages officials to direct significant funding for this purpose.
In addition, CISA and FEMA should set election security as a priority area for the newly created State and Local Cybersecurity Grant Program, which the Infrastructure Investment and Jobs Act established to distribute $1 billion in new cybersecurity funding over the next four years.
To ensure grant funding is being distributed to the most pressing state and local election security needs, Mayorkas should also direct FEMA to require that the chief state election official of each state, as defined by the National Voter Registration Act, be consulted in the HSGP and State and Local Cybersecurity Grant Program application processes.
The chief state election official could assist with the grant review process by affirming local plans are in line with overall state election security plans and are not already being funded through Help America Vote Act (HAVA) appropriations. Chief state election officials could also advise states on how to distribute funding to local recipients since local election offices have generally received prior federal funding through the chief election official.
These monies are badly needed. Despite the new risks to election security, Congress’s 2022 budget allocated just $75 million in HAVA election security funding, far less than was appropriated for elections in 2018, 2019, or 2020. And while DOJ recently announced that funds from the Byrne-JAG program can now be used to deter and prevent threats of violence against election workers, the use of these grants requires approval from other state and local officials, who typically have different funding priorities and may be less familiar with the challenges that election officials are now facing.
Meanwhile, the costs to protect elections continue to grow. The Brennan Center has estimated that states will need to spend at least $500 million on new voting machines in the next five years, and basic steps to address insider threats could cost hundreds of millions of dollars more. The total cost of adequately securing our election infrastructure from cyber threats over the next few years could easily exceed $2 billion. And none of this considers the additional cost of protecting election offices and workers from physical threats and violence or combatting election misinformation.
CISA should hire regional election security specialists to work in each CISA region
Since 2017, CISA has worked with state and local jurisdictions to combat threats in three key areas: cybersecurity; physical security; and misinformation, disinformation, and malinformation (MDM). Through this work, the agency has built strong relationships with thousands of state and local officials to respond to election security threats. CISA’s efforts resulted in “the most secure elections in American history” in 2020.
Building on these efforts, CISA should hire election security specialists to help regional directors in each of the 10 CISA regions across the country. Currently, CISA regional directors are responsible for too broad a range of security personnel and issue areas to meet the needs of more than 8,000 election officials nationwide. The agency already has a range of specialists to serve specific needs in areas such as cybersecurity, protective security, chemical security, and emergency communication. Adding election specialists to their professional personnel would increase CISA’s effectiveness in this area.
Importantly, election specialists would have the knowledge to address specific election security concerns and the capacity to do affirmative outreach to election officials on CISA products. Specialists would also be in the position to learn what threats election officials are facing at the state and local levels and which protective practices are working. They could then compile this information and share best practices with election boards and officials across the country to help enhance security measures.
Partly as a result of increased threats and political pressure, a large number of talented election officials with connections and trust in the wider election official community have already retired or intend to retire in 2022. Many would form an excellent pool of applicants for these positions.
CISA should leverage its relationship with the Center for Internet Security to help protect election officials and fight against election misinformation and disinformation
CISA already partners with the Center for Internet Security (CIS) to operate the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which monitor for cyber threats to state and local governments. Through a cooperative agreement, CISA funds CIS to be a critical resource for cyber threat prevention, protection, response, and recovery for state, local, and tribal election offices.
Utilize outside services for doxing protection
CISA should use its existing partnership with CIS to help protect election workers against the threat of doxing. While election officials and workers are indeed public employees, bad actors are revealing personal information about their private lives, like their home addresses, their license plate numbers, and even the cell phone numbers of their kids.
One solution to defend against doxing is to work with external organizations that provide anti-doxing protective services. A small number of jurisdictions, for example, contract with outside providers that help scrub personally identifying information for officials, conduct monthly checks to ensure that information does not return, and offer tailored guidance on how to protect personal information in the future. However, most election offices do not have the resources to purchase such services for key staff.
We do not believe CISA can or should provide such services directly to election officials (as it would entail gaining access to election workers’ personal information). But with additional funding, CISA could facilitate this assistance by amending its current agreements with CIS and allowing it to fund local election officials to contract for anti-doxing services.
Provide CIS with resources to leverage partnerships and share MDM data with EI- and MS-ISAC
During the 2020 election, CIS partnered with the Election Integrity Partnership (EIP), a group that responded to and analyzed voting-related MDM, particularly on social media. EIP identified MDM trends and reported incidents to CIS to ensure that all federal stakeholders were aware and could take appropriate action.
The CIS-EIP partnership was critical to dispelling MDM during the 2020 cycle and will be equally critical for the upcoming election cycles. Congress should provide CISA with the resources needed to ensure that this partnership can continue and that CIS can use the EI- and MS-ISACs to circulate information gained from that partnership.
CISA should be given additional resources to expand Crossfeed
Finally, the federal government should make it a priority to fund an expansion of CISA’s Crossfeed program this year.
In 2020, CISA collaborated with Defense Digital Service to launch Crossfeed, a tool that collects data from a variety of public-facing resources and data feeds to give state and local governments a full picture of the weaknesses that attackers might find in their cyber infrastructure. CISA has used the program to monitor and warn state and local election officials about serious vulnerabilities in their election infrastructure.
The cybersecurity program should now be further expanded to proactively monitor public aspects of state and local office infrastructure and be used to check for weaknesses in other election-specific technology. CISA could also offer Crossfeed services to election vendors, campaigns, and other election-related entities to strengthen election security across the board.