With Outcome of CISA Election Security Review Looming, Agency Must Protect Critical Infrastructure
On Friday, February 14th, acting Executive Director of the Cyber and Infrastructure Security Agency (CISA) Bridget Bean issued a memo to agency staff announcing that all election security work would be paused pending an internal review in order to refocus on the agency’s core mission. The memo also stated that funding would be cut for the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), a DHS-funded organization that provides crucial cybersecurity assistance to state and local election officials to harden the nation’s elections systems against cyberattacks.
Tomorrow, March 6th, marks CISA’s self-imposed deadline to conclude its review and send its findings to the White House. It remains unclear if the memo will be made public, nor whether it will provide any measure of transparency regarding the programs that will — and will not — continue.
If CISA is serious about focusing on its core mission, the agency must continue its cybersecurity, physical security, and foreign threat information sharing work. Failure to do so would undermine U.S. national security, jeopardize the safety of election officials, and further diminish U.S. standing on the global stage.
Cybersecurity
As the bipartisan leadership of the National Association of Secretaries of State (NASS) recently explained, CISA provides “valuable” services that “many state and local election officials regularly utilize” to defend against cybersecurity threat actors, including nation-states and cybercriminal organizations.
Protecting the cybersecurity of state and local elections infrastructure is vital to the United States’ national interest and security. DHS has designated election infrastructure, including polling places, voter registration databases, and voting machines, as a critical infrastructure subsector since 2017. U.S. election infrastructure is a prize target of foreign governments, whose attacks have escalated in scale, complexity, and brazenness. During the 2024 election, foreign adversaries targeted state and local elections offices using a variety of techniques, including probes of network defenses, distributed denial of service (DDoS) attacks, and ransomware operations. These attacks seek to polarize the electorate, denigrate the integrity of our elections, and incite political violence, including specifically at election officials, who have experienced escalating death threats and intimidation.
Federal efforts have been crucial in identifying, analyzing, and responding to foreign cyberattacks. CISA, for instance, alerted local election officials in Coffee County, Georgia that its county government network was targeted by Iranian actors. Coffee County election officials acted swiftly to disconnect from the state voter registration system, preventing the attack from accessing data. CISA — and the EI-ISAC that it funds — offer a large range of free services that help counties like Coffee County, GA defend against cyber intrusion. These include support from cyber experts at the agency in conducting vulnerability scans and penetration testing, coordination on incident response, access to declassified intelligence reports, and a vast information sharing network.
Since its inception, the EI-ISAC has grown to include over 3,700 state and local election offices, and has distributed sophisticated sensors to monitor for system intrusions to more than 1,000 elections officers around the country. CISA’s free services also include access to the .gov top-level domain (TLD) and “has made it available at no cost to election offices and other qualifying government organizations.” The .gov TLD is a crucial trust indicator that helps voters identify their elections website as an authentic government website and obtain accurate information about the time, place, and manner of voting. Authorities have identified dozens of fake election websites set up by foreign adversaries to mislead voters and prevent them from voting.
Cybersecurity services from CISA and the EI-ISAC are irreplaceable. As Republican Secretary of the Commonwealth of Pennsylvania Al Schmidt said, CISA has “a national and global perspective when it comes to cyber security risks and all the rest that each individual state can’t do on its own.” For many underserved counties around the U.S., the cybersecurity assistance that CISA provides is often the only source of network hardening assistance available — not only for elections administrators, but for all county government offices on the network. For instance, in Washington state, 15 county governments receive “Endpoint Security and Malicious Domain Blocking and Reporting” tools from CISA that secure their network defenses across the county government network. Removing free access to these and other cyber defenses would make local governments susceptible to ransomware and other attacks that could impact not only elections but emergency services, schools, and more.
Physical Security
CISA not only protects the cybersecurity of elections offices, but their physical security as well — an essential resource as almost 40% of election officials have reported receiving threats of intimidation, while more than half fear for their safety. CISA provides resources like physical security assessments of election facilities and coordinates federal efforts to detect, analyze, and respond to physical threats to election infrastructure as they emerge. In 2024, CISA and the EI-ISAC’s information sharing and incident response teams warned election officials about white powder envelopes (and worked with USPS and the FBI to remove some envelopes from the mail stream) that were targeted at election offices in at least 15 states. They shared intelligence that ballot boxes would be targeted with attack, and provided guidance on securing and monitoring them; assisted with response to fires set in ballot dropboxes; and alerted officials ahead of Election Day to plans for wide-spread bomb threats from foreign adversaries seeking to upend voting operations. As a result, and despite over 100 bomb threats around the country by Russian-linked actors, voting operations were minimally impacted.
CISA’s Mandate and Capacity
Protecting the cyber and physical security of elections infrastructure aligns with the vision to “deliver a more focused provision of services for elections security activities” as laid out in Executive Director Bean’s February 14th memo. CISA’s enabling legislation directs the agency to “coordinate a national effort to secure and protect against critical infrastructure risks” and to “provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators.” Because election infrastructure is one form of critical infrastructure, providing cybersecurity and physical security assistance, in addition to coordinating threat information sharing with state and local election officials, falls squarely in this mandate.
Continuing this work will require staffing the agency with cybersecurity and physical security advisors (CSAs and PSAs), as well as the ten regional election security advisors who were reportedly fired from the agency. These staff acted as direct liaisons to election officials to conduct testing, coordinate response, and more. With over 10,000 election jurisdictions around the country, a depleted federal cybersecurity workforce will be overwhelmed with requests. This is particularly the case for requests for physical security assistance offered by CISA. According to DHS’ Office of the Inspector General, “[e]ven though CISA had almost 140 PSAs in the field in 2024, the demand for services occasionally outpaced staff capacity. In one region, the high demand caused delays delivering CISA’s assessments and other services.“
CISA’s Decision Should Be Transparent
While the Agency’s deadline to conclude it’s current election security review is tomorrow, it remains unclear if the outcome of that review will be made available to the public.
If the agency permanently reduces or ends vital election security work, it should — at the very least — publicly disclose the details of this decision. This should include a clear explanation of the Agency’s rationale, transparency about the scope of its personnel and programmatic cuts, and its expectations as to how state and local election officials will fill the resulting security gaps. Election officials are scrambling to understand any changes to the help they can expect from the federal government. They need this information as soon as possible, as many states have local and special elections upcoming — including in Florida, where special elections will fill 2 vacated U.S. House seats in just 4 weeks. According to Marion County Supervisor of Elections Wesley Wilcox, who will administer one of those elections, there is “nothing else like” the EI-ISAC’s situation room, which allows election officials to report cyber attacks so others can block them in real time. “When we do this special election here in four weeks, there’s a very real chance that there won’t be a situation room.” Without transparency about the scope of CISA’s decisions, election officials won’t even know what options are available to them.
As the bipartisan leadership of NASS has said, “CISA’s prioritized services help election entities defend against these national security threats.” Cutting support for the EI-ISAC and eliminating CISA’s work to protect the cyber and physical security of election infrastructure would weaken America’s election defenses and make it easier for America’s enemies to cripple critical infrastructure, obstruct voting, mobilize violence, and undermine America’s influence on the global stage. CISA’s leadership should make clear that such work remains core to CISA’s mission and will resume upon completion of the ongoing review.
