Washington, D.C. – Today, Colorado U.S. Senator Michael Bennet wrote to the Trump Administration calling its election security policies to date inadequate, especially as millions of Americans prepare to vote on Super Tuesday in the presidential primaries. The letter is addressed to Shelby Pierson, the Intelligence Community Election Threats Executive at the Office of the Director of National Intelligence and Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS).
“Tomorrow, millions of Americans across 14 states, including Colorado, will vote in the presidential primaries. Although the 2020 elections are well underway, it remains unclear whether the administration is fully prepared to ensure their security,” wrote Bennet. “President Trump continues to downplay repeated warnings from the Intelligence Community that hostile foreign actors, including Russia, seek to interfere in the 2020 elections. The presidential election has already been targeted. Despite progress at the local, state, and federal levels, U.S. elections remain vulnerable and require enhanced, timely, and unambiguous support.”
In the letter, Bennet asked the administration to address recommendations to strengthen election security from the Senate Select Committee on Intelligence (SSCI) and the Government Accountability Office (GAO). Specifically, Bennet asked about steps the administration has taken to improve information sharing with state and local officials, develop operational plans to implement its election security priorities, and strengthen its capacity to respond to election day incidents in the field. Bennet also asked the administration to share its lessons learned from the 2018 elections and specify its budget and personnel devoted to election security for 2020.
Following hostile foreign attacks on the 2016 election, Bennet has made election security a priority. Bennet is a member of the Senate Select Committee on Intelligence, which has produced three bipartisan reports on foreign election interference in the 2016 election. Last November, Bennet led 38 of his Senate colleagues in a letter calling on Congressional appropriators to increase election security funding for state and local governments. The following month, Congress passed $425 million in new election security funds. This Congress, Bennet has also co-sponsored a range of election security legislation, including the FIRE Act to require campaigns to report attempted acts of foreign election influence to relevant federal authorities, the PAVE Act to require paper ballots and risk-limiting audits in all federal elections, and the SAFE Act to provide $1 billion in election security grants for states. Last week, Bennet wrote to Facebook CEO Mark Zuckerberg asking the company to take greater responsibility for disinformation in elections in the United States and around the world.
The text of the letter is available HERE and below.
Dear Director Krebs and Mrs. Pierson:
Tomorrow, millions of Americans across 14 states, including Colorado, will vote in the presidential primaries. Although the 2020 elections are well underway, it remains unclear whether the administration is fully prepared to ensure their security. President Trump continues to downplay repeated warnings from the Intelligence Community (IC) that hostile foreign actors, including Russia, seek to interfere in the 2020 elections. The presidential election has already been targeted. Despite progress at the local, state, and federal levels, U.S. elections remain vulnerable and require enhanced, timely, and unambiguous support.
Last July, the Senate Select Committee on Intelligence (SSCI) issued a bipartisan report with recommendations for the administration to improve election security. These include expanding work with states to harden cybersecurity; engaging vendors of U.S. voting machines to address supply chain vulnerabilities; and enhancing support from the Department of Homeland Security (DHS) and its partners. The SSCI report also noted challenges with information sharing between the federal government and state and local election officials. In many cases, these officials lacked security clearances to access threat information. In other cases, even when officials received threat information, they often did not find it useful.
This February, the Government Accountability Office (GAO) also produced a report with recommendations to improve election security, directed specifically to the Cybersecurity and Infrastructure Security Agency (CISA). Under Director Krebs’s leadership, CISA deserves credit for improving outreach to state and local election officials, organizing valuable tabletop exercises, and introducing an open-source tool for states to conduct risk-limiting audits. I also welcome CISA’s new #Protect2020 Strategic Plan and the four “lines of effort” to prioritize its election security efforts.
Despite these steps, I remain concerned about CISA’s preparedness and the consequences of inadequate federal capacity for election security and cybersecurity. In its February report, GAO noted that CISA planned to develop operational plans detailing the “organizational functions, processes, and resources” needed to implement only two of the four lines of effort in its #Protect2020 Strategic Plan. As of last week, GAO had not even received CISA’s draft operations plan. CISA’s response also failed to address GAO’s concerns about “a lack of clarity regarding CISA’s incident response capabilities in the event of a compromise” and the view from state and local officials that CISA recommendations were often not “actionable.”
Additionally, turnover for senior cybersecurity positions in the administration has been considerable, and last year, hundreds of CISA positions remained vacant, including critical cybersecurity roles. According to GAO, CISA has only 25 regional staff deployed in the field covering over 10,000 election jurisdictions nationwide. Now, the administration has proposed a budget that would cut CISA’s funding by $250 million.
In light of these concerns, I ask that you please respond to the following questions no later than March 31, 2020:
- What lessons have you learned from the 2018 elections, and what resource allocations and policies have changed based on those lessons?
- Please provide an overview of the budgets for and number of full-time employees working on election security within CISA and the IC.
- How do you plan to make threat intelligence available to state and local officials when possible and in a timely manner? How will CISA and the IC work to make classified intelligence actionable for those officials?
- What information can you provide that demonstrates that there are clear channels of communication from the state and local level to federal entities?
- How many of the top 150 state election officials have received security clearances? Will those who have not received their clearance have them by the November election?
- How are you prioritizing resources toward threats or vulnerabilities across states?
- What information do you have that demonstrates that programs and resources instituted since 2016 and 2018 are working?
- When will CISA release its operational plans, and will they cover all four lines of effort, including Campaigns & Political Infrastructure and the American Electorate? If CISA does not plan to release operational plans for all four lines of effort, why not? If this decision relates to resource constraints, what does CISA require to remedy this?
- Will CISA brief Congress on its operational plans once released?
- Given existing cybersecurity and other threats to political parties and campaigns, does CISA have plans to tailor or expand its support to these organizations ahead of the 2020 elections?
- How many vacancies remain at CISA, and how many of them directly relate to cybersecurity and election security? Does CISA have plans to strengthen its cyber expertise and to attract and retain top cyber talent?
- How many states have already adopted, or are in the process of adopting, CISA’s open-source tool for risk-limiting audits?
- Can you detail CISA’s engagement with U.S. voting machine vendors about supply chain risks?
- Will you commit to briefing Congress about election security threats and developments at the conclusion of the presidential primary cycle?
- What steps are CISA and ODNI taking to provide assistance to state and local election officials without undue political influence?
Thank you for your vital work to protect our nation and our democracy. I look forward to your response and appreciate your attention to these concerns.