DHS's New Election Cybersecurity Committee Has No Cybersecurity Experts
from the prepare-to-be-memoed-at,-hackers dept
The National Association of Secretaries of State (NASS) [yes, there's an association for everything] has just announced its selections to head up a DHS "working group" tackling "election infrastructure cybersecurity." Like any committee formed in response to a hot-button topic, the appointees are better known for their years of tenure in government positions than their technical acumen, as the ACLU's Chris Soghoian points out.
4 state gov officials, 0 tech experts, appointed to new DHS Election Infrastructure Cybersecurity Working Group. https://t.co/jKH3SScpd4— Christopher Soghoian (@csoghoian) September 1, 2016
4 state gov officials, 0 tech experts, appointed to new DHS Election Infrastructure Cybersecurity Working Group.
About the only thing the appointees have going for them is that they fit the description: all four are state-level secretaries of state. Beyond that, there's very little to indicate they're qualified to take on cybersecurity issues.
The working group's president, Denise Merrill, is Connecticut's Secretary of State. At least her bio contains some initiatives loosely-related to the task at hand.
As Connecticut's chief elections official and business registrar, Merrill has focused on modernizing Connecticut's elections, business services and improving access to public records.
Secretary Merrill has worked to expand voter participation through Election Day and online voter registration. She has also improved Connecticut's democratic accountability and integrity with a series of rapid response processes to Election Day problems.
Indiana's Connie Lawson also appears focused on voter security, albeit in equally vague terms.
Connie Lawson is Indiana’s 61st Secretary of State. As Indiana’s Chief Elections Official, she is focused on ensuring the integrity and security for our state’s elections. Since taking office, Secretary Lawson has championed sweeping election reforms, and has led the effort to clean Indiana’s voter rolls.
Secretary Lawson is not just an advocate for election security. She is also working to modernize elections through vote centers. As a state Senator, Secretary Lawson authored legislation allowing any county in the state to move to the vote center model. As Secretary of State, she has worked to educate voters and elected officials on the cost saving benefits and convenience of the vote center model.
There's not much to be said about the other appointees -- Georgia's Brian Kemp and California's Alex Padilla -- in terms of cybersecurity. However, there's plenty to be said about safeguarding elections. Padilla has been sued twice over alleged election fraud. And Kemp's office mistakenly released the personal information of six million registered voters.
But there's one thing they can all agree on: there's nothing to worry about.
Indiana's voter system is safe from hackers according to the Indiana Election Division.
“We are confident that the security features of our statewide voter registration system protect against hacks described in the FBI alert sent last week,” says Angie Nussmeyer, co-director of the Indiana Election Division.
Working group president Denise Merrill on the possibility of election-related hacking in her state:
She explained that Connecticut has perhaps the most decentralized voting and registration system in the country with 169 cities and towns that act as their own districts. Built into that system is an entirely paper based trove of voter cards, ballots, and backups.
“When you go into vote and you go to register on the list, it’s all still on paper so there is no simple database that’s containing all of the information," Merrill said.
From Alex Padilla's office:
A spokesman for California secretary of state said the agency, which oversees elections statewide, was aware of the cyber attack reports.
"We have no evidence of any breaches or hacks of our system,” agency spokesman Sam Mahood said.
The best statement of self-assurance comes from appointee Brian Kemp, who just a few days earlier was claiming vote-hacking fears were an Obama-led attempt to federalize state voting.
The federal government wants to help states keep hackers from manipulating the November election, amid growing fears that the U.S. political system is vulnerable.
But Georgia’s top election official is balking at the offers of assistance — and accusing the Obama administration of using exaggerated warnings of cyberthreats to intrude on states’ authority.
“It seems like now it’s just the D.C. media and the bureaucrats, because of the DNC getting hacked — they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Kemp, a Republican, told POLITICO in an interview. “And that’s just not — I mean, anything is possible, but it is not probable at all, the way our systems are set up.”
It appears Kemp is worried more about preserving the integrity of his opposition status than he is about protecting the integrity of the presidential election. One day prior to the NASS press release, Kemp was claiming to have turned the position down.
Kemp recently declined an offer by the Department of Homeland Security for cyber security assistance, raising concerns about the federal government’s intrusion.
Fortunately, this lack of technical prowess won't prevent the working group from achieving the DHS's goal, which appears to have little to do with actual cybersecurity.
"Secretaries of State are committed to working with our federal partners to increase awareness of federal government cybersecurity resources and services that are available to election officials," said NASS President Denise W. Merrill, Connecticut Secretary of the State. "We look forward to sharing state best practices and technical advice that will strengthen understanding and collaboration between state and federal agencies."
"Increasing awareness" is one of those goals that sounds lofty, but generally materializes as mass emails and the occasional mandatory Powerpoint presentation most attendees will doze through. Every person listed here is a figurehead appointee to a figurehead working group -- one likely formed in response to a similar, higher-level "increase awareness" mandate handed down by administration officials. The lack of tech experts isn't going to cause much harm because the point of this committee is to be a committee. No one expects any sort of cybersecurity breakthroughs to be generated by something that will do little more one more line to these politicians' bios.