With midterm races in the home stretch and the 2020 presidential election on the horizon, a pair of top national security officials have a message for state election administrators: Trust us when we warn you about cyberthreats. William Evanina, director of the National Counterintelligence and Security Center, and Christopher Krebs, the Department of Homeland Security’s cybersecurity chief, urged state officials to keep their lines open to the feds as Election Day approaches and the possibility of an attack on their systems looms large. “At some point in your future, next month or 2020, there will be a piece of intelligence that comes so fast and furious in the community, the phone call will be made to Chris that will tell him, ‘Hey, this happened and we need to act,’ ” Evanina said Wednesday at an election security summit on Capitol Hill with state leaders and members of Congress. “Chris will pick up the phone and call a state and say, ‘You need to do something.’ And you have to trust Chris.”
State and federal officials insist they’ve made vast improvements in the way they share threat information since the 2016 election, when a lack of coordination between state offices and the government’s sprawling intelligence bureaucracy prevented them from getting a clear picture of Russia’s interference campaign and responding accordingly. But the remarks from Evanina and Krebs show that a potential communication breakdown remains a top concern. And the November midterms will represent a critical test for how much those relationships have improved.
In the wake of the 2016 election, many states bristled at the idea of the federal government taking a greater role in election security, said Krebs, the head of the National Protection and Programs Directorate, DHS’s main cybersecurity unit. The department, he said, got “a number of love letters, or hate mail, or however you want to describe it” from state officials angry about the Obama administration’s abrupt decision to designate election systems as critical infrastructure, which tasked DHS with protecting voting machines and election equipment from digital and physical threats in the same way it protects power plants and hospitals. Many state officials viewed the move as overreach by the federal government.
It was a challenge to convince states to take action on the government’s warnings about cyberthreats because the right communication channels didn’t exist, Krebs said. Nor did NPPD have the credibility or name recognition among states when officials came to them with warnings about vulnerabilities or malicious activity. “Back in 2016 when the phone calls were made, saying, ‘Hey, look, we’re seeing something. There’s something going on in your network. I need you to take action. By the way, you have no idea who I am, you’ve never heard of NPPD, you’ve never heard who the leadership was at the time, but I need you to take this action.’ There was no trust, and there was no certainty or confidence in that ask,” he said.