The Department of Homeland Security's chief cybersecurity official Jeanette Manfra testified in a Congressional committee hearing yesterday that her agency is "doing everything that we can" to protect the nation's electoral infrastructure, including prioritizing any state's request for a voting system risk assessment.
But while DHS has made important strides in developing programs and measures for mitigating cybersecurity risks that threaten federal operations and critical infrastructure, the agency is still falling short of recommendations issued two years ago by the U.S. Government Accountability Office, according to a new report issued as written testimony from Gregory Wilshusen, GAO's director of information security issues.
The hearing, held by the U.S. Senate Committee on Homeland Security and Government Affairs, sought to determine the efficacy of DHS' recent efforts to provide federal government programs and voluntary services that mitigate cyber risk. Not surprisingly, a chief area of concern was the threat to national elections, especially after DHS disclosed that Russian hackers targeted at least 21 states' election networks and websites and successfully penetrated a small subset of them.
When asked point-blank by Sen. Maggie Hassan (D-N.H.) if DHS has detected any malicious cyberactivity targeting voting infrastructure in the lead-up to the 2018 midterm elections, Manfra, the Assistant Secretary with the Office of Cybersecurity and Communications at DHS' National Protection and Programs Directorate (NPPD), replied, "We have not at this time, Ma'am."
To counter such threats, DHS currently operates an elections task force of roughly 10 to 15 people, most of whom focus exclusively on voting security and infrastructure, according to Manfra's oral testimony.
In response to questioning from the committee's ranking member Sen. Claire McCaskill (D-Mo.), Manfra also testified that DHS continues to respond in a timely manner to state officials' requests for free cyber risk assessments.
"Nobody in the election community is waiting for an assessment because we prioritize them," said Manfra. "We now have a significant backlog in other critical infrastructure sectors and federal agencies, but nobody in the election community is waiting."
Manfra's comments appeared to resonate with Committee chairman Sen. Ron Johnson (R-Wis.), who said that while securing elections is important, DHS' heavy emphasis on voting infrastructure could come at the expense of other sectors.
"I'm far more concerned about attacks into our electrical grid, into our financial system that could be unbelievably disruptive..." said Johnson, adding that "we may be playing into Russia's hands" by questioning "the legitimacy of the election," while neglecting "other aspects of our critical infrastructure."
DHS came under some additional scrutiny from the Government Accountability Office report, which states that as of April 2018, the agency has yet to demonstrate that it has fully adopted most of the 29 recommendations GAO issued in 2016 so that DHS can further improve its ability to mitigate cybersecurity risks threatening federal and critical infrastructure systems.
For instance, Wilshusen notes in the report that DHS has failed to fully implement eight of nine recommendations for enhancing the capabilities of its National Cybersecurity Protection System, also known as EINSTEIN, which delivers intrusion detection and prevention capabilities across the federal government.
The report also notes that DHS is falling behind schedule as it implements its Continuous Diagnostics and Mitigation (CDM) program, which is intended to supply federal agencies with automation capabilities for monitoring vulnerabilities and unauthorized network activity.
DHS also reportedly has not implemented any of GAO's nine recommendations for boosting the effectiveness and measuring the performance of the National Cybersecurity and Communications Integration Center (NCCIC), an information and threat sharing interface for both federal and non-federal entities.
The GAO also said that DHS has not fully implemented recommendations for facilitating government and critical infrastructure adoption of the National Institute of Standards and Technology's (NIST) cybersecurity framework, nor has it adopted GAO's recommended steps for collaborating with sector partners in order to develop performance metrics and improve reporting of mitigation efforts.
"Consistent with its statutory authorities and responsibilities under federal policy, the department has acted to assist federal agencies and private-sector partners in bolstering their cybersecurity capabilities," the report concludes. "However, the effectiveness of DHS's activities has been limited or not clearly understood because of shortcomings with its programs and a lack of useful performance measures. DHS needs to enhance its capabilities; expedite delivery of services; continue to provide guidance and assistance to federal agencies and private-sector partners; and establish useful performance metrics to assess the effectiveness of its cybersecurity-related activities."
The GAO report also cites the importance of "developing and maintaining a qualified cybersecurity workforce," noting that DHS said it would take steps to address GAO's recommendations on this matter by June 2018.