{"id":107688,"date":"2025-03-05T16:08:23","date_gmt":"2025-03-05T21:08:23","guid":{"rendered":"https:\/\/cdt.org\/?post_type=insight&p=107688"},"modified":"2025-03-05T16:08:23","modified_gmt":"2025-03-05T21:08:23","slug":"with-outcome-of-cisa-election-security-review-looming-agency-must-protect-critical-infrastructure","status":"publish","type":"insight","link":"https:\/\/cdt.org\/insights\/with-outcome-of-cisa-election-security-review-looming-agency-must-protect-critical-infrastructure\/","title":{"rendered":"With Outcome of CISA Election Security Review Looming, Agency Must Protect Critical Infrastructure\u00a0"},"content":{"rendered":"\n

On Friday, February 14th<\/sup>, acting Executive Director of the Cyber and Infrastructure Security Agency (CISA) Bridget Bean issued a memo to agency staff announcing<\/a> that all election security work would be paused pending an internal review in order to refocus on the agency\u2019s core mission. The memo also stated that funding would be cut for the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), a DHS-funded organization that provides crucial cybersecurity assistance to state and local election officials to harden the nation\u2019s elections systems against cyberattacks. <\/p>\n\n\n\n

Tomorrow, March 6th, marks CISA\u2019s self-imposed deadline to conclude its review and send its findings to the White House. It remains unclear if the memo will be made public, nor whether it will provide any measure of transparency regarding the programs that will \u2014 and will not \u2014 continue. <\/p>\n\n\n\n

If CISA is serious about focusing on its core mission, the agency must continue its cybersecurity, physical security, and foreign threat information sharing work. Failure to do so would undermine U.S. national security, jeopardize the safety of election officials, and further diminish U.S. standing on the global stage.  <\/p>\n\n\n\n

Cybersecurity<\/strong> <\/p>\n\n\n\n

As the bipartisan leadership of the National Association of Secretaries of State (NASS) recently explained<\/a>, CISA provides \u201cvaluable\u201d services that \u201cmany state and local election officials regularly utilize\u201d to defend against cybersecurity threat actors, including nation-states and cybercriminal organizations. <\/p>\n\n\n\n

Protecting the cybersecurity of state and local elections infrastructure is vital to the United States\u2019 national interest and security. DHS has designated election infrastructure<\/a>, including polling places, voter registration databases, and voting machines, as a critical infrastructure subsector since 2017. U.S. election infrastructure is a prize target of foreign governments, whose attacks have escalated<\/a> in scale, complexity, and brazenness. During the 2024 election, foreign adversaries targeted state and local elections offices using a variety of techniques, including probes<\/a> of network defenses, distributed denial of service<\/a> (DDoS) attacks, and ransomware<\/a> operations. These attacks seek to polarize the electorate, denigrate the integrity of our elections<\/a>, and incite political violence<\/a>, including specifically at election officials, who have experienced<\/a> escalating death threats and intimidation. <\/p>\n\n\n\n

Federal efforts have been crucial in identifying, analyzing, and responding to foreign cyberattacks. CISA, for instance, alerted local election officials<\/a> in Coffee County, Georgia that its county government network was targeted by Iranian actors. Coffee County election officials acted swiftly to disconnect from the state voter registration system, preventing the attack from accessing data. CISA \u2014 and the EI-ISAC that it funds \u2014 offer a large range of free services<\/a> that help counties like Coffee County, GA defend against cyber intrusion. These include support from cyber experts at the agency in conducting vulnerability scans and penetration testing, coordination on incident response, access to declassified intelligence reports, and a vast information sharing network. <\/p>\n\n\n\n

Since its inception, the EI-ISAC has grown<\/a> to include over 3,700 state and local election offices, and has distributed sophisticated sensors<\/a> to monitor for system intrusions to more than 1,000 elections officers around the country. CISA\u2019s free services also include access to the .gov top-level domain (TLD) and \u201chas made it available at no cost<\/a> to election offices and other qualifying government organizations.\u201d The .gov TLD is a crucial trust indicator<\/a> that helps voters identify their elections website as an authentic  government website and obtain accurate information about the time, place, and manner of voting. Authorities have identified dozens of fake election websites set up by foreign adversaries to mislead voters and prevent them from voting. <\/p>\n\n\n\n

Cybersecurity services from CISA and the EI-ISAC are irreplaceable. As Republican Secretary of the Commonwealth of Pennsylvania Al Schmidt said<\/a>, CISA has \u201ca national and global perspective when it comes to cyber security risks and all the rest that each individual state can\u2019t do on its own.\u201d For many underserved counties around the U.S., the cybersecurity assistance that CISA provides is often the only source of network hardening assistance available \u2014 not only for elections administrators, but for all county government offices on the network. For instance, in Washington state, 15 county governments receive<\/a> \u201cEndpoint Security and Malicious Domain Blocking and Reporting\u201d tools from CISA that secure their network defenses across the county government network. Removing free access to these and other cyber defenses would make local governments susceptible to ransomware and other attacks that could impact not only elections but emergency services, schools, and more. <\/p>\n\n\n\n

Physical Security<\/strong><\/p>\n\n\n\n

CISA not only protects the cybersecurity of elections offices, but their physical security as well \u2014 an essential resource as almost 40% of election officials have reported<\/a> receiving threats of intimidation, while more than half fear for their safety. CISA provides resources like physical security assessments of election facilities and coordinates federal efforts to detect, analyze, and respond to physical threats to election infrastructure as they emerge. In 2024, CISA and the EI-ISAC\u2019s information sharing and incident response teams warned election officials about white powder envelopes<\/a> (and worked with USPS and the FBI to remove some envelopes from the mail stream) that were targeted at election offices in at least 15 states<\/a>. They shared intelligence that ballot boxes would be targeted with attack, <\/a>and provided guidance on securing and monitoring them; assisted with response to fires<\/a> set in ballot dropboxes; and alerted officials ahead of Election Day to plans for wide-spread bomb threats<\/a> from foreign adversaries seeking to upend voting operations. As a result, and despite over 100 bomb threats around the country by Russian-linked<\/a> actors, voting operations were minimally impacted. <\/p>\n\n\n\n

CISA\u2019s Mandate and Capacity<\/strong><\/p>\n\n\n\n

Protecting the cyber and physical security of elections infrastructure aligns with the vision to \u201cdeliver a more focused provision of services for elections security activities\u201d as laid out<\/a> in Executive Director Bean\u2019s February 14th<\/sup> memo. CISA\u2019s enabling legislation<\/a> directs the agency to \u201ccoordinate a national effort to secure and protect against critical infrastructure risks\u201d and to \u201cprovide analyses, expertise, and other technical assistance to critical infrastructure owners and operators.\u201d Because election infrastructure is one form of critical infrastructure, providing cybersecurity and physical security assistance, in addition to coordinating threat information sharing with state and local election officials, falls squarely in this mandate. <\/p>\n\n\n\n

Continuing this work will require staffing the agency with cybersecurity and physical security advisors (CSAs and PSAs), as well as the ten regional election security advisors who were reportedly<\/a> fired from the agency. These staff acted as direct liaisons to election officials to conduct testing, coordinate response, and more. With over 10,000 election jurisdictions around the country, a depleted federal cybersecurity workforce will be overwhelmed with requests. This is particularly the case for requests for physical security assistance offered by CISA. According to DHS\u2019 Office of the Inspector General<\/a>, \u201c[e]ven though CISA had almost 140 PSAs in the field in 2024, the demand for services occasionally outpaced staff capacity. In one region, the high demand caused delays delivering CISA\u2019s assessments and other services.\u201c  <\/p>\n\n\n\n

CISA\u2019s Decision Should Be Transparent<\/strong><\/p>\n\n\n\n

While the Agency\u2019s deadline to conclude it\u2019s current election security review is tomorrow, it remains unclear if the outcome of that review will be made available to the public. <\/p>\n\n\n\n

If the agency permanently reduces or ends vital election security work, it should \u2014 at the very least \u2014 publicly disclose the details of this decision. This should include a clear explanation of the Agency’s rationale, transparency about the scope of its personnel and programmatic cuts, and its expectations as to how state and local election officials will fill the resulting security gaps. Election officials are scrambling to understand any changes to the help they can expect from the federal government. They need this information as soon as possible, as many states have local and special elections upcoming \u2014 including in Florida, where special elections will fill 2 vacated U.S. House seats in just 4 weeks. According<\/a> to Marion County Supervisor of Elections Wesley Wilcox, who will administer one of those elections, there is \u201cnothing else like\u201d the EI-ISAC\u2019s situation room, which allows election officials to report cyber attacks so others can block them in real time. \u201cWhen we do this special election here in four weeks, there\u2019s a very real chance that there won’t be a situation room.\u201d Without transparency about the scope of CISA\u2019s decisions, election officials won\u2019t even know what options are available to them.  <\/p>\n\n\n\n

As the bipartisan leadership of NASS has said<\/a>, \u201cCISA\u2019s prioritized services help election entities defend against these national security threats.\u201d Cutting support for the EI-ISAC and eliminating CISA\u2019s work to protect the cyber and physical security of election infrastructure would weaken America\u2019s election defenses and make it easier for America\u2019s enemies to cripple critical infrastructure, obstruct voting, mobilize violence, and undermine America\u2019s influence on the global stage. CISA\u2019s leadership should make clear that such work remains core to CISA\u2019s mission and will resume upon completion of the ongoing review. <\/p>\n","protected":false},"featured_media":86101,"template":"","content_type":[7251],"area-of-focus":[849],"class_list":["post-107688","insight","type-insight","status-publish","has-post-thumbnail","hentry","content_type-blog","area-of-focus-elections-democracy"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight\/107688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight"}],"about":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/types\/insight"}],"version-history":[{"count":2,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight\/107688\/revisions"}],"predecessor-version":[{"id":107690,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight\/107688\/revisions\/107690"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/media\/86101"}],"wp:attachment":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/media?parent=107688"}],"wp:term":[{"taxonomy":"content_type","embeddable":true,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/content_type?post=107688"},{"taxonomy":"area-of-focus","embeddable":true,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/area-of-focus?post=107688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}