CISA Stands Up For Elections
John Sebes
There’s lots of goodness about the Cybersecurity & Infrastructure Security Agency (CISA) taking steps to prioritize federal elections and the security of all public elections. Certainly, this includes the arrival of Kim Wyman—which we’ll have more to say about soon. However, a more subtle move with important impact that caught our attention was CISA designating elections “at the top of the list” for “national critical functions.”
Let’s unpack this a bit.
First, CISA is a federal agency, that originally got its start as part of the Department of Homeland Security (DHS) and remains an operational component under DHS oversight. CISA is focused on critical infrastructure security, including cyber security—in a big way.
- Critical infrastructure (CI) includes all services and their physical embodiment — most of it with computers inside — where if something goes wrong, really bad stuff can (and does) happen (e.g., fuel pipelines; power grids; hydro-electric dam controllers; train track controllers; air traffic control systems: telecommunications; you get the idea).
- Critically, in attacks on these systems, it’s not just downtime and inconveniences; there can be body bags.
- There are several types of critical infrastructure “sectors;” some of them in the news recently such as pubic transportation infrastructure where there has been pushback against fast-tracking new Federal regulations on related cyber-defense and cyber-attack reporting; preferring voluntary measures instead.
Second, CISA recently started working on something called “National Critical Functions” to identify important functions that cut across multiple sectors. Why now?
- Because we’re not seeing a lot of progress on getting critical infrastructure operators to step up their cyber game on general principles; and
- Being tagged as supporting a critical function might be more motivating to a critical infrastructure company (like, say, a voting systems manufacturer), or might be the basis for more narrow regulatory requirements.
CISA has a helpful brief description of the NCF worth a quick perusal. If you read that and click through to the critical functions set then you’ll discover that there are four categories of critical function:
- Connect
- Distribute
- Manage
- Supply
Under the “Manage” column right there at the top of the list you’ll see: “Conduct Elections.”
Nice. This is important recognition at least, and it’s very welcome compared to not so many years ago. Back then, I can readily recall when people, like myself, concerned about nation-state adversaries and cyber threats to elections, were looked at in a worried way as if to say, “And where is your tin foil hat?” Now, we can simply point to the CISA declaration.
So, now we know election infrastructure is designated “critical” (thanks, DHS) and categorized as a critical function in management of activities (thanks, CISA). And of course, it should be. However, this additional recognition, whatever its policy significance, also highlights how fragile election infrastructure is. You see, its so opaque and removed from most people’s daily lives that it is highly vulnerable to misinformation and disinformation (or more bluntly, lies.)
To illustrate this, compare these scenarios. First, somebody posts,
“A Russian ransomware gang shut down a fuel pipeline yesterday, and now parts of the northeast US are going to run out of gas.”
If you lived in the northeast, the next day you’d see the truth in the story first-hand. Second, somebody writes,
“Bulgarian hackers are shutting down the power grid in your area.”
Yet, your lights stay on, so you recognize that statement is false, first-hand. Third, somebody says,
“Chinese hackers got into the Internet access points where votes go over the network to be counted…”(note: that’s not how it works), “…and changed the votes to steal the election.”
However, in this case there is nothing to look at, no sudden lines at gas stations, or no lights going out or staying on. Yet, millions of people believe an election has been stolen.
And that’s really bad.
“How bad,” you ask? For the stability of our democracy and frankly our national security, it’s as bad as a toxic chemical spill, a train derailment, or a power outage in the middle of a cold snap in Texas.
And why is that, you ask?
Well, let’s start with January 6th 2021; that is if people dying is the measure of “really bad.”
So, yes, election administration is absolutely a national critical function. And it is in serious need of new technology to replace an existing black box infrastructure in a post-Dominion world where mendacious actors use that fact to create lies, weaken democracy, and dupe otherwise reasonable people into agitators… or worse.
At least now we can look to CISA to start taking that a whole lot more seriously.
—EJS | CTO
Post Note: Our co-founder and COO, a lawyer in addition to his tech background would chime-in with one more point, which I wholeheartedly endorse…
If we really want teeth in the critical infrastructure designation, so as to prevent that designation from being (unfathomably) downgraded at the whim of a future administration, and we want to ensure a high priority with more stable funding and resource allocation to protecting our election infrastructure (and improving its verifiability, accuracy, security, and transparency), then the DHS designation and now CISA classification should be codified into United States regulatory law. Specifically, we’re calling for adding “election technology infrastructure” into 6 USC 601(2)(j). That would permanently codify election infrastructure as a sub-sector of critical infrastructure (specifically, in part (j) or “Government facilities”). Until that point in legislative sausage making, we have this handy CISA declaration.