Senator Lankford Seeks Update on Election Security ahead of November 2020
CLICK HERE to watch Lankford’s Q&A.
WASHINGTON, DC – Senator James Lankford (R-OK) today questioned national security witnesses at a Senate Committee on Homeland Security and Governmental Affairs Committee (HSGAC) hearing entitled “What States, Locals and the Business Community Should Know and Do: A Roadmap for Effective Cybersecurity.” Lankford questioned Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs for an update on the status of funding already allocated to states for election security and preparations for the 2020 election.
Lankford introduced a bipartisan bill in March 2018, the Secure Elections Act, to strengthen election cybersecurity in America. In August 2018 Lankford testified before the Senate Judiciary Subcommittee on Crime and Terrorism during a hearing entitled “Cyber Threats to Our Nation’s Critical Infrastructure.”
In May 2019, Lankford joined a bipartisan group of senators to introduce the Voting System Cybersecurity Act of 2019, which would ensure that a cybersecurity expert from DHS is involved in crafting the voluntary voting system guidelines established by the Election Assistance. In September 2019 Lankford voted to advance a funding bill that included additional funds for states to secure our elections, and he followed up on the status of that work with national security officials at a November 2019 HSGAC hearing. In January 2020 Lankford also hosted a conference call with Oklahoma small business owners and cyber security experts to help ensure Oklahomans are aware of best practices and the federal information resources available to protect personal and business information from cyber-attacks.
On election security funding allocated to states
(00:53-03:49) Lankford: Let me bring up a couple of things we’ve talked about before, that’s election security. It is a concern, it’s a major focus of your office obviously as we’re focusing in on what’s happening now. Everyone is paying attention to Iowa and the debacle there and the apps and all those things there. That’s not really the cyber election issue that we have. It’s really an outbound an outward threat coming at us or someone internal being a threat to our systems as well. Let me outline a couple of concerns that I have, and I’d like to hear more of what you’re doing.
In 2018 Congress passed $380 million in election security-assisting grant money to the states. As of the end of last year, states have spent a total of $92 million of that $380 million allocated to them. About 24 percent of the money that we allocated in 2018, they still haven’t spent by the end of 2019. We just allocated another $425 million back to those states again, which certainly won’t be out the door because they haven’t got the money out the door from 2018 yet still. With this, there’s not a real change in hardware or software because the states are sitting on the money rather than actually spending the money to improve their structure on election security. What is your office doing to be able to help us in the election security footprint right now?
Director Krebs: So, specific to the HAVA [Help America Vote Act] funding—the $700 or so odd million—I would not focus too much on the percentages that were spent, particularly the $380 and the $425 and I think my partners here might be better witnesses to answer to that. But what I understand, is spending money at the state government level is really hard. It doesn’t just flow out the door. The additional thing is, I would rather they spend the money right than just spend it.
Lankford: I would agree.
Krebs: This is taxpayers dollars. And it is multi-year money, so when you’re talking about hiring in some cases, which we’ve encouraged cyber navigators, sometimes that is five, I think some of the money is five-year money, so they have to account and obligate salaries for multiple years.
Lankford: Several of the states that I’ve talked to that haven’t spent the money out have said their interacting with your office or DHS specifically and said we’re doing some background work with them and the federal government is trying to be able to help them through the process. So walk me through what’s happening.
Krebs: So specifically what we’re doing here, we’ve done a number of risk and vulnerability assessments, penetration testing, things of that nature, and we’ve discovered over—I think we’ve done 24 of these at the state and local level—and what we found is we approached 20 and then we moved up to 21, 22, 23, 24 that we were getting 95 percent to 98 percent of the same results for every vulnerability assessment. So we were able to do two things: one is just pack out from those assessments what they key risks, vulnerabilities, or other issues that need to be addressed. We then package that through the Government Coordinating Council, which we established a couple of years ago for spending guidance. You know, if you’re going to go spend this money, here are the things you need to go spend it on.
On cyber security preparedness for the 2020 elections
(4:14-5:36) Lankford: So anything that you could say at this point that is missing from either resources you need or resources the states need to be able to prepare for the election in 2020?
Krebs: So for the 2020 elections, I think the plans are in place, particularly from a procurement perspective for election equipment. They are locked and loaded. They’re not going to be able to scale or replace equipment. Things I’d be thinking about for election security funding—and this the decision that needs to be made—I really see three buckets of funding. One is addressing the immediate risks. The way the HAVA formula works right now is it’s based on the registered population of the 2010 Census. That’ll obviously get updated in 20. Florida’s Secretary Lee has done something interesting. Rather than allocating the Florida HAVA money to the biggest jurisdictions, they’ve actually taken a risk-based approach in getting it to the more rural communities that need that investment. I think that’s probably a good approach for the national level. Let’s go help New Jersey, for instance, transition off their direct-recording equipment. The second piece is sustainable funding. I don’t care how much it is, but we just need certainty year over year over year. And the third thing is, we want to encourage innovation. So how do we do that? I think that it makes sense to have a separate pot of money that could be dedicated to innovating around post-election audits, risk-limiting audits. These things take time for concepts, piloting, training, and rollout.