The designation of the nation’s election systems as critical infrastructure will not infringe upon state and local authority to run elections.
In a recent memo to Senate Homeland Security and Governmental Affairs Committee Members, Ranking Member Claire McCaskill, D-Mo., relayed communications from the Department of Homeland Security that reiterated that fact.
“This designation does not allow for technical access by the Federal Government into the systems and assets of election infrastructure, without voluntary legal agreements made with the owners and operators of these systems,” DHS told McCaskill, also confirming that there is no intention to change that critical infrastructure designation. “This dynamic is consistent with engagements between the Federal Government and other previously established critical infrastructure sectors and subsectors.”
The nation’s election systems were classified as critical infrastructure in January 2017 under the Obama administration, though many state and local officials were opposed to such action.
The designation enables DHS to provide security clearances for election officials, if necessary, and to offer aid through cyber, threat intelligence, training, and best-practices programs, such as hygiene assessments.
“Subject to the availability of its resources and at no cost to state and local governments, DHS can furnish voluntary assessments, services, and technical assistance to assist election officials in informing their decision-making and election administration processes, if requested by those officials,” DHS told McCaskill. “This suite of services–also no-cost and voluntary–includes penetration testing, social engineering, wireless access discovery and identification, as well as database and operating system scanning.”
According to the memo, voting machines are not included in much of this testing as they should not be Internet-connected in the first place. DHS told McCaskill that 33 state and 36 local election offices asked for basic hygiene testing before the 2016 election, and several more requested it afterward.
“[T]he decisions of what risks and vulnerabilities are deemed acceptable is entirely the responsibility of the state or local government, as are the costs to remediate the vulnerabilities and configuration errors they deem to be unacceptable,” DHS wrote.
According to the memo, DHS declined to request additional resources when asked by McCaskill.