Elections Systems Are Critical Infrastructure, DHS Chief Affirms
Initially dubious, John Kelly now says he concurs with the Obama administration's approach.
Homeland Security Secretary John Kelly wants to continue treating election systems as critical infrastructure, retaining a controversial designation made late in the Obama administration, he told lawmakers Tuesday.
Kelly’s predecessor Jeh Johnson designated federal and state election and voting systems as critical infrastructure during the final days of the Obama administration despite objections from some state officials who worried about a federal power grab.
Critical infrastructure is an official DHS designation that comprises 17 industry categories, including chemical and power plants, transportation systems and dams.
Johnson’s move came days after then-President Barack Obama imposed additional sanctions on Russian intelligence agencies and officials for hacking Democratic political organizations in an effort to aid the electoral chances of President Donald Trump and to damage Democratic nominee Hillary Clinton.
“I believe we should help all of the states, provide them as much help as we can to make sure their systems are protected in future elections, so, I would argue that, yes, we should keep that in place,” Kelly said of the designation during a hearing on border security before the House Homeland Security Committee.
That designation makes it easier for DHS to provide grants and other funds to state election systems to ward off physical attacks and cyberattacks. Cyber experts from the U.S. and other nations have also endorsed a rule of the road for international cybersecurity holding that critical infrastructure should be off limits to cyberattacks.
Kelly was less bullish on the designation in advance of his confirmation, saying in a questionnaire that “the notion that DHS can or should exercise some degree of influence over state voting systems is highly controversial and appears to be a political question beyond the scope of DHS’ current legislative cyber mandates.”
While U.S. officials have long feared a destructive cyberattack on critical infrastructure, only a few are known to have occurred, including the U.S.-linked Stuxnet attack on Iran’s nuclear program, the Iran-linked attack on a Saudi oil company and the Russia-linked attack on Ukraine’s power grid.