OCR of the Document

View the Document >>

Congressional Research Service, Brian E. Humphreys, The Designation of Election Systems as Critical Infrastructure, September 18, 2019. Unclassified.

Updated September 18 2019 The Designation of Election Systems as Critical Infrastructure Prior to the 2016 federal election a series of cyberattacks occurred on information systems of state and local election jurisdictions Subsequently in January 2017 the Department of Homeland Security DHS designated the election infrastructure used in federal elections as a component of U S critical infrastructure The designation sparked some initial concerns by state and local election officials about federal encroachment of their prerogatives but progress has been made in overcoming those concerns and providing assistance to election jurisdictions What Led to the Designation In August 2016 the Federal Bureau of Investigation FBI announced that some state election jurisdictions had been the victims of cyberattacks aimed at exfiltrating data from information systems in those jurisdictions The attacks appeared to be of Russian-government origin That same month DHS contacted state election officials to offer cybersecurity assistance for their election infrastructure Most states accepted the offer Although the cyberattacks did not appear to affect the integrity of the election infrastructure some observers began calling for it to be designated as critical infrastructure CI On January 6 2017 the Secretary of Homeland Security announced that designation What Is Critical Infrastructure Under federal law CI refers to systems and assets for which “incapacity or destruction … would have a debilitating impact on security national economic security national public health or safety or any combination” of them 42 U S C §5195c e Most CI entities are not governmentowned or -operated Presidential Policy Directive 21 PPD 21 identified 16 CI sectors with some including subsectors Sectors vary in scope and in degree of regulation For example the financial services sector is highly regulated whereas the information technology sector is not Election infrastructure has been designated as a subsector of government facilities That sector includes two previously established subsectors education facilities and national monuments and icons The Homeland Security Act of 2002 P L 107-296 gave DHS responsibility for several functions aimed at promoting the security and resilience of CI with respect to both physical and cyber-based hazards either human or natural in origin Among those functions are providing assessments guidance and coordination of federal efforts Each CI sector has been assigned one or two federal sectorspecific agencies SSAs which are responsible for coordinating public private collaborative efforts to protect the sector including incident management and technical assistance DHS has regulatory authority over two sectors chemical and transportation systems It serves as SSA for several including the elections infrastructure subsector EIS The components of the EIS as described by DHS include physical locations storage facilities polling places and locations where votes are tabulated and technology infrastructure voter registration databases voting systems and other technology used to manage elections and to report and validate results It does not include infrastructure related to political campaigns However DHS does provide cyber vulnerability assessments and risk mitigation guidance to political campaigns upon request as resources permit Does the Designation Permit Federal Regulation of Election Infrastructure DHS does not have regulatory authority over EIS Five other agencies have significant roles with respect to federal elections but none has claimed regulatory authority over the EIS  The Election Assistance Commission EAC created by the Help America Vote Act HAVA P L 107-252 provides a broad range of assistance to states including development of voluntary technical standards for voting systems voluntary guidance on implementing HAVA requirements and research on issues in election administration It also has statutory authority for administering formula payments to states to assist them in meeting HAVA requirements and improving election administration including $380 million appropriated in FY2018 in response to security concerns  The National Institute of Standards and Technology NIST assists the EAC on technical matters including development of the voting system standards certification of voting systems and research  The Department of Justice DOJ has some enforcement responsibilities with respect to requirements in HAVA and other relevant statutes  The Department of Defense DOD assists military and overseas voters  The Federal Election Commission FEC is responsible for enforcement of campaign finance law but is not involved in election administration by state and local jurisdictions HAVA expressly prohibits the EAC from issuing regulations of relevance to the CI designation and it leaves the methods of implementation of the act’s requirements to the states However it does permit DOJ to bring civil actions if necessary to implement HAVA’s requirements https crsreports congress gov The Designation of Election Systems as Critical Infrastructure What Does the Designation Mean While both DHS and the EAC provided assistance to states in addressing the security concerns that arose in the run-up to the November 2016 election the CI designation had several notable consequences  It raised the priority for DHS to provide security assistance to election jurisdictions that request it and for other executive branch actions such as economic sanctions that the Department of the Treasury can impose against foreign actors who attack elements of U S CI including tampering with elections  It brings the subsector under a 2015 United Nations nonbinding consensus report A 70 174 stating that nations should not conduct or support cyber-activity that intentionally damages or impairs the operation of CI in providing services to the public It also states that nations should take steps to protect their own CI from cyberattacks and to assist other nations in protecting their CI and responding to cyberattacks on it The report was the work of a group of governmental experts from 20 nations including Russia and the United States  It provided DHS the authority to establish formal coordination mechanisms for CI sectors and subsectors and to use existing entities to support the security of the subsector Those mechanisms are used to enhance information sharing within the subsector and to facilitate collaboration within and across subsectors and sectors For example both the FBI and the Office of the Director of National Intelligence ODNI have participated in briefing election officials on threats to the EIS Among the coordination mechanisms for the subsector are the following  Government Coordinating Council The GCC consists of representatives of DHS and the EAC as well as secretaries of state lieutenant governors and elections officials who altogether represent 24 state and local governments It also includes non-voting members from other relevant federal agencies The GCC facilitates coordination across government entities both within EIS and in other sectors Activities include communications planning issue resolution and implementation of the security missions of the entities  Sector Coordinating Council The SCC consists of representatives of nongovernment entities most of which are providers of voting systems and other election-related products and services SCCs are selforganized and self-governed They are intended to represent private-sector interests and to facilitate collaboration activities including information sharing among the private-sector entities in the CI sector and with government entities  Sector-Specific Plan Public- and private-sector partners have created SSPs for each of the 16 CI sectors The plans are components of an overall National Infrastructure Protection Plan and provide a means for the sectors to establish goals and priorities for addressing risks They are generally updated on a fouryear cycle DHS is currently drafting an SSP for the EIS The CI designation for election infrastructure is also intended to facilitate use of existing resources such as  Cybersecurity and Infrastructure Security Agency CISA CISA an agency within DHS serves as the SSA for the EIS  Critical Infrastructure Partnership Advisory Council CIPAC provides election officials access to a broad range of relevant expertise and participation in sensitive planning conversations  Multi-State Information Sharing and Analysis Center The MS-ISAC is one of the centers created to facilitate the sharing of security information for different CI sectors It works with CISA all states and many local governments to assist them in cybersecurity The MSISAC supports the EIS-ISAC created in 2018 to facilitate information-sharing activities for and among more than 500 members consisting of state and local election offices as well as the National Association of Secretaries of State NASS and the National Association of State Election Directors NASED Pursuant to the EIS designation DHS and the EAC assisted both jurisdictions and vendors in preparations on election security for the 2018 federal election For more information see https www dhs gov topic electionsecurity https www eac gov election-officials electionscritical-infrastructure https www cisecurity org ei-isac Why Was the Designation Initially Controversial Misgivings about DHS involvement were raised when it first offered assistance to election jurisdictions in August 2016 Some observers feared that DHS would begin to exert control over the administration of elections or to engage in unrequested security activities Controversy over the federal role in election administration is not new Concerns about federal regulation of the election process were prominent during the legislative debate over HAVA and led to the inclusion of the regulatory restrictions in the law Furthermore bills in prior Congresses that would have provided DHS broad regulatory authority over cybersecurity have all failed The CI designation does not contravene the HAVA restrictions on EAC regulations or create DHS regulatory authority for the EIS DHS provides assistance to election jurisdictions only on a voluntary basis In the 115th Congress a few bills would have established mandatory standards or federal rule-making authority but none received committee or floor action Bills with relevant provisions have also been introduced in the 116th Congress Brian E Humphreys Analyst in Science and Technology Policy https crsreports congress gov The Designation of Election Systems as Critical Infrastructure IF10677 Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material https crsreports congress gov IF10677 · VERSION 7 · UPDATED