March 21, 2018

Harris Presses DHS Officials on Election Security Priorities Ahead of 2018 Midterms

WASHINGTON, D.C. – At a Senate Select Committee on Intelligence hearing today to examine election security, U.S. Senator Kamala D. Harris pressed Department of Homeland Security (DHS) Secretary Kirstjen Nielsen on whether the Department is prioritizing providing election security assistance ahead of the 2018 midterm elections. Last month, Harris also pressed DHS Deputy Secretary Elaine Duke and Acting Under Secretary Christopher Krebs on what steps the Department was taking to prioritize states with upcoming primaries, and did not receive a clear indication that such states were being prioritized.

Harris asked, “Secretary Nielsen, at a roundtable forty-two days ago at the Homeland Security Committee meeting, I asked Deputy Secretary Duke and Undersecretary Krebs whether DHS is prioritizing risk and vulnerability assessments for the states. I didn't get a clear commitment that you are, and I’d also like to know, have you received the request that we made for a timetable for those assessments? Because we've not received a response to that request.”

Nielsen responded, “Yes, ma'am, we are prioritizing. We have 19 that are state and localities that are either been completed or are in process. We continue to offer the systems, but we have made the commitment to prioritize resources that any state or locality that requests that, we will have it completed before the midterm election.”

Harris continued by asking whether Nielsen has set a date for completing the assessments, and if she would commit to completing them by June 1. Nielsen responded, “Depending on who requests. But I’m happy to work with you on timelines as soon as we get a request.”

Also at the hearing, Harris questioned Jeanette Manfra, DHS Assistant Secretary for the Office of Cyber Security and Communications, on whether the Department has prioritized the security of elections in swing states and key counties. Both are widely understood as important to determining the outcome of an election and are therefore likely targets of foreign adversaries.

Harris: So that we can just take it out of the theoretical, there's pretty much consensus about what are the so-called swing states and swing counties. What I really hope and would like to know is that you and DHS has identified those perhaps as being priorities, knowing that foreign adversaries, Russia, for example, all they have to do is pick up the paper to figure out where they should target if they actually want to manipulate the outcome of the national election.

Manfra: We would - yes, ma'am, we would consider those priorities.

In December 2017, Harris, along with co-sponsors Senators James Lankford (R-OK), Amy Klobuchar (D-MN), Susan Collins (R-ME), Martin Heinrich (D-NM), and Lindsey Graham (R-SC), introduced the Secure Elections Act, a bill to modernize election cybersecurity and protect against foreign interference in future elections.

Full transcript of Harris’ questioning below:

Panel 1:

Harris: Secretary Nielsen, at a roundtable forty-two days ago at the Homeland Security Committee meeting, I asked Deputy Secretary Duke and Undersecretary Krebs whether DHS is prioritizing risk and vulnerability assessments for the states. I didn't get a clear commitment that you are, and I’d also like to know, have you received the request that we made for a timetable for those assessments? Because we've not received a response to that request. 

Nielsen: Yes, ma'am, we are prioritizing. We have 19 that are state and localities that are either been completed or are in process. We continue to offer the systems, but we have made the commitment to prioritize resources that any state or locality that requests that, we will have it completed before the midterm election. 

Harris: Do you have a date for completion?

Nielsen: Well, of the 19, I can get back to you, but those are the only ones who have requested so far. 

Harris: Can you commit to completing all these assessments by June 1, which would be five months before the election? 

Nielsen: Depending on who requests. But I’m happy to work with you on timelines as soon as we get a request.  

Harris: And of the number you mentioned, you said, “have been completed” or “in the process”? 

Nielsen: Yes, that's correct. 

Harris: How many have been completed?

Nielsen: To my knowledge, 15. If that's not correct, I’ll ask Jeanette Manfra to correct me when she speaks. 

Harris: Ok because you earlier said, “in the process of” or “have been completed”. 

Nielsen: That’s right. I believe 15 have been completed but again, she'll verify if I have that number wrong. 

Harris: Ok well we heard from her yesterday and she said that 14 are in the process. 

Nielsen: Ok. That's 19 total. 

Harris: Can you follow up with how many have actually been completed? 

Nielsen: Sure, sure. And it's also a little confusing because of course there are states and localities, so 19 is states and localities. 

Harris: Ok, my question concerns states. Thank you.

Nielsen: Perfect.

Harris: And is there a protocol for following up to ensure that the reforms that you recommend have actually been completed? 

Nielsen: We do continue to work with them through hygiene scanning and other - 

Harris: Is there a protocol? 

Nielsen: That is the protocol that we offer but again it's all voluntary. So it's not a mandatory check. 

Harris: Okay. In the Intelligence Community, there's a concept called duty to warn. And Secretary Johnson, I’d like to ask you, and essentially the concept is that if a federal agency learns that a person is at a risk of imminent harm or an entity is at risk, that they should be informed, and obviously without giving up critical information that we have in terms of sources and methods. Do you believe, in the future, that the Department should have a duty to warn states if the Department of Homeland Security is informed that there are imminent cyber security threats to their election systems? 

Johnson: Yes. Absolutely. 

Harris: Secretary Nielsen, do you agree with that? 

Nielsen: Yes. 

Harris: And will you commit, then, to this committee that you will, in fact, warn those states when you become aware of imminent threat to their cyber security systems for elections? 

Nielsen: With the interagency, yes, ma'am.

Harris: Okay. And when you learn of these threats, will you also commit to informing immediately congressional committees and particularly the Intelligence Committee?

Nielsen: As you know, we will work with you on that. As you know, the entire process is voluntary. What we find is when we notify others of who the victims are, unfortunately it has a chilling effect and we no longer get the information from those who have been attacked. So we'll continue to work with you on how to do that.

Harris: So my question is, will you commit to specifically informing the Senate Intelligence Committee when you become aware of those threats?

Nielsen: We'll continue to work with you on the best protocols for that, yes.

Harris: So the answer is yes?

Nielsen: The answer is, it's very difficult if a state does not want to be identified because it's a voluntary relationship. I don't want to do anything that would limit our ability to understand who is being attacked. So we'd have to work with the victim just like we do in any other sector and work with you to make sure that we do it in the right way.

Harris: Would you commit to informing your oversight committee, which is the Homeland Security Committee of the United States Senate? 

Nielsen: I understand your question and again, we'll have to work with the victims. It's a voluntary system. 

Harris: You sit on the Principals Committee of the National Security Council, is that correct? 

Nielsen: I'm a member, yes.

Harris: And that committee is comprised of cabinet officials and is responsible for advising the President and coordinating policy on America’s most serious national security challenges. Has the Principals Committee held a meeting focused on the security of the 2018 election?  

Nielsen: I myself hosted it, yes. 

Harris: And when did that meeting take place? 

Nielsen: A few weeks ago. 

Harris: And what decisions were made regarding election security? 

Nielsen: That state and locals remain in charge, that DHS needs to continue to expand our tool kit of what we can provide and support, that we need to work on tear lines, we need to work on victim notification, we need to work on clearances and we need to work on communications to make sure that the public is aware of the threat. 

Harris: And did you indicate timelines and due dates for what should happen before the 2018 election? 

Nielsen: Well, clearly, everything should be done before that, but yes, for each one of those, we have an agreement on a path forward.

Harris: Will you provide that to this committee?

Nielsen: Happy to.

Harris: Thank you.

Panel 2:

Harris: And I couldn't agree more with Senator Lankford, Ms. Manfra. Every day it seems like we're seeing you in one of these committees so thank you for your work. Mr. Rosenbach, so as everyone understands, achieving cybersecurity will be extremely difficult, in fact, some say we're never going to actually achieve security but we will try to do as best as we can but there are no absolutes in this realm. So, the concern I have is that I think that there is a very real chance that when we're talking about HAVA, which is the Help America Vote Act of 2012, or 2002, that it may be a simplistic approach to suggest that the HAVA grant program is the solution to election cybersecurity. And one of the concerns that I have heard and I’d like your opinion about it is that there's a very real chance that states could acquire a new batch of insecure systems. And Ms. Cohen actually spoke a bit about that concern as well, because they just don't have the resources and it may be the technical resources or advice or support to make the best decisions about acquiring the best and most secure equipment. So, what is your perspective about that, and should states be required also to use those funds only for cybersecurity improvements versus other needs they may have? 

Rosenbach: Yes, ma'am. I think to start with, your idea and highlighting that risk mitigation in cyber needs to be much broader than just a technical cybersecurity issue. So you talk about an incident response plan and leadership at the top. Vermont seems like a model in terms of the Secretary of State who can talk about two-factor authentication and is doing all these things. That’s what you want.

Harris: And he's at this table for that very reason. 

Rosenbach: Exactly. But that's a rare thing and the states take this very seriously but that level of knowledge is a rare thing. And so the money will do one thing, but it's leadership that's even more important and rehearsing what happens when you do get hacked or if you don't get hacked but the Russians manipulate your information, that is very important. I do think having outside technical expertise that has no vested interest can be helpful to the states in trying to determine maybe how to allocate resources, right? I don't think that you want to make it bureaucratic because we need to move fast and things are already bureaucratic enough in government but some way to help the states, I think, would be appropriate.

Harris: And so as you think about that, do you - as Congress considers appropriating this money, do you have some thoughts about how we can make sure that grant recipients use it in the best way, in the most efficient way?

Rosenbach: Yes, ma'am. I think you definitely should appropriate it. There's no doubt about that. And a couple options would be something almost like the NIST framework where it's agreed upon framework, you would never try to stipulate specifically what they should do, because the diversity of systems is so great, it would never be exactly right. It would also change in two years. That broad type of approach, with some outside technical expertise, may be one option.

Harris: Assistant Secretary Manfra, do you agree that there's a certain type of election interference that we should be concerned about that would target the so-called swing states or those jurisdictions within states that have been identified as perhaps making all the difference in terms of the outcome of a national election? I know we've talked a lot about the diversity and the number of jurisdictions that hold elections, but some, perhaps, are more pivotal than others as we have seen. 

Manfra: Yes, ma'am. Thank you for your question. While our focus is on the security, not the political dynamics of elections, we do take a risk based approach to everything that we do with critical infrastructure in terms of how we prioritize. So what we seek to understand is how would the adversary if their end goal was to - whether that's to sow chaos and discord or to manipulate a voting process, what would be the most likely way that they would do that? So definitely include consideration of that scenario that you described as how we would think about a risk-based approach to prioritize. That answer your question, ma’am?

Harris: It is, and so that we can just take it out of the theoretical, there's pretty much consensus about what are the so-called swing states and swing counties. What I really hope and would like to know is that you and DHS has identified those perhaps as being priorities, knowing that foreign adversaries, Russia, for example, all they have to do is pick up the paper to figure out where they should target if they actually want to manipulate the outcome of the national election. 

Manfra: We would - yes, ma'am, we would consider those priorities.

Harris: Great. And my understanding is that basically if a state election agency is hacked, you pretty much send out a hazmat team to get right out there on the ground, boots on the ground, and do whatever's necessary to help the state in terms of getting back up and also figuring out, in a forensic way, maybe an investigative way, what you need to determine in terms of who was responsible, who the perpetrator is, where the specific breaches are and so on, is that correct?

Manfra: Yes, ma'am. There's two models. One would be where we know whether the state has - and this is applying our model that we use for all critical infrastructure and federal networks to states, but one scenario where a state or an entity reports that they have had some type of unauthorized access and they voluntarily request our assistance. Our priority then would be to deploy a team. Sometimes we can do it remotely but we would deploy a team, work with them to gain access to their system and then our responders would help first identify the presence and how wide scale that presence is. We need to be careful not to evict them too quickly because we want to understand completely how much of the network or the systems that they're on. Once we've identified that, then we work with the victim organization to remove the malicious actors from their system and then importantly help them get back up and running very quickly. In other scenarios where we have maybe intelligence or other information where we think someone may have been a target but we don't know, we do something that's called a hunt and that is also voluntary, but we work with that target. Ideally, they would voluntarily let us connect to their system and we attempt to search for any evidence of that adversary. Sometimes we find them. Sometimes we find that they were - the entity blocked that potential intrusion.

Harris: And if I may, I know I’m over my time, but all of that happens, all of that work happens when and if you have been notified by the state, correct?

Manfra: In the former case, it would require notification by the state. In the latter case, it would be usually something from intelligence community, though it could be from the state or, say, from the MS-ISAC.

Harris: So the inference being, and Mr. Condos I think you would agree, that DHS is best able to do its job if there is that kind of notification and cooperation.

Manfra: Yes, ma'am.

Harris: Thank you.

###