Designation ‘Critical Infrastructure’: What It Does and Doesn’t Mean for States and Their Vendors

By Holly Dragoo

Cyber Technology & Information Security Lab

Georgia Tech Research Institute

Before President Donald Trump’s first 100 days began, the U.S. Department of Homeland Security signaled a change to election systems that leaves many questions still unanswered. Just weeks before the change in administration, the Department of Homeland Security (DHS) designated state election systems as one of 16 national “critical infrastructure” systems, making them eligible for federal security assistance. Since then, much skepticism has been aired about the timing, impetus, and political intent behind the move.

Does it signal an expanded government view of what qualifies as “critical infrastructure”? If so, what other systems could Washington, D.C., deem “critical” in the public and private sectors? Or, under a new administration, will state-by-state control tilt back into the picture?

Vocal opposition from individual states suggests a fear of new election regulations, potential for partisan manipulation, or worse. Former DHS Secretary Jeh Johnson addressed these fears directly in an official statement when he said, "It is important to stress what this designation does and does not mean. This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country."

Being designated as “critical infrastructure” by DHS does not mean the agency will take over planning, equipment, organization, or execution of state elections or the commercial components included in them. What this means is DHS will now add election systems to a growing list of computer networks to monitor for and protect against physical and cyber security breaches and malware.

These networks control functions (such as power grids, water supply, or financial trading platforms) that DHS – and society – deem critical to American economic or national security. Adding election systems to the list also will facilitate information sharing between state and local groups, DHS, and related federal authorities. Under this designation, threat updates, malware alerts, security events, or other political concerns should have fewer obstacles to interagency sharing, allowing stakeholders to carry out solutions quickly.

Cyber threats to election systems are very real and warrant more scrutiny. A chief practical concern is protecting the personally identifiable information contained in registration databases, but electoral integrity and freedom from foreign influence are of course paramount. The summer of 2016 alone saw two confirmed penetrations of election databases in Illinois and Arizona, later attributed to Russia, and over twenty other confirmed attempts. Securing election systems will not be an easy or quick effort to synchronize, because systems vary widely across all 50 states, but moving forward under one federal standard is a good first step in the right direction.

Although the situation is improving, states are often ill-equipped to deal with both the sophistication and scale of cyberattacks. This can manifest in small, local communities without resources to independently test vendor claims of election equipment or in large cities using insecure connections to hook election equipment to the Internet (which should not be done at all). Because of this, new or additional resources should flow nationwide to standardize both physical and digital chain of custody procedures, with measurable compliance aspects.

If that assistance comes from the National Institute of Standards and Technology (NIST), the Election Assistance Commission (EAC), or from DHS, does it matter? Could federal assistance not increase the financial resources available to states (which may see commercial solutions from the private sector)?

As for the timing of this policy shift – conceived amid the acrid climate of hacked political groups and hotly contested election results – those opposed to this shift see it as a sudden, desperate power grab by a lame-duck administration. However, the idea comes amid several last-minute cybersecurity changes that concluded the Obama administration, and the original idea of putting electoral systems under the purview of DHS is not a new one; it was discussed as recently as the summer of 2016.

Incoming DHS Secretary John F. Kelly, known for preferring less regulation and bureaucracy, may move to repeal the designation, and his actions will signal what this means for both commercial vendors and states alike.

Holly Dragoo is a research associate with the Cyber Technology & Information Security Laboratory at the Georgia Tech Research Institute. Her previous work with the U.S. Department of Defense and Federal Bureau of Investigation gives her a unique understanding of intelligence community requirements. Dragoo’s research interests include cybersecurity policy issues, threat attribution, metadata analysis, and adversarial network reconstruction.