At an April 4 Election Assistance Commission public hearing, a senior Department of Homeland Security official sought to stress one thing: The designation of election systems as critical infrastructure doesn’t cut into states’ autonomy. Concerns over DHS control have simmered since then-Secretary Jeh Johnson first suggested the critical infrastructure designation last summer. Yet Neil Jenkins, DHS’ director of the Enterprise Performance Management Office, said at the EAC hearing that his agency sees the National Association of Secretaries of State (NASS) Election Cybersecurity Task Force as the main point of contact for deciding when DHS system-scanning tools are needed. Jenkins also said he sees the EAC as a critical point of contact for local officials who may be interested in utilizing DHS scanning and security products.
Robert Hanson, DHS’ director of the prioritization and modeling at Office of Cyber and Infrastructure Analysis, added that many state and local governments already have turned to DHS for such support. In the lead up to 2016 elections, 33 states and 36 counties used DHS tools to determine potential vulnerabilities and get mitigation advice. Hanson declined to share the specific list of customers and services with the EAC commissioners, saying that information was classified.
State and local officials, however, reiterated their concerns on the critical infrastructure designation. “While we are still strongly opposed, we are coming to the table reluctantly because the wheels are already in motion,” said Connecticut Secretary of State Denise Merrill, who also serves as president of NASS.