A

Hello and welcome to State Scoop's Priorities podcast. I'm Colin Wood, StateScoop's editor in chief. This week we have Jeff Hale, a visiting Fellow for Election Security at the center for Democracy and Technology, to talk about a new initiative he's leading to assist election administrators in shoring up their cyber defenses. But first, here's what's happening this week. The State of Representatives in Idaho has approved legislation that would prohibit the state from procuring or even using large language models that promote diversity, equity or inclusion. Borrowing language from an executive order the president issued last year, the bill aims to ensure that all LLMs used by the state are truth seeking and possess ideological neutrality. California Chief Information Officer Leona Bailey Crimmins last week announced she's retiring from state service after nearly four decades in government and several years heading IT in the Golden State. North Carolina CIO Tina Piccione has announced she's stepping down, but to return to the private sector. She called her less than two years heading IT in North Carolina a profound honor. Last month, the nonprofit advocacy group center for Democracy and Technology announced a new initiative to help local election administrators improve their cybersecurity defenses. The work is led by Jeff Hale, who is a visiting fellow for Election Security at cdt. Hale is a former Associate Director for Election Security at the Cybersecurity and Infrastructure Security Agency within dhs. I ask him about how the cybersecurity landscape and federal policy landscape has changed over the last decade. But first I ask what local governments can expect to see out of this new CDT initiative.

B

I was able to join the center for Democracy and Technology to help them address resource gaps for state and local election officials as they prepare to secure from cybersecurity threats going Forward into the 26 midterms as well as the 28 elections to come. And in that it's really a focus on election infrastructure, the progress that has been made over the last decade in securing election infrastructure. By those you mean the office systems, the government networks, the voting systems, your voter registration databases, your e poll books and everything that is kind of it related that an election official may rely on to administer the election. And how do we ensure that those are well protected from the from sophisticated cyber actors and those advanced threats, right?

A

Well, the last decade has been I

C

mean if you look at what people were talking about cybersecurity wise in 2016 or before. Not that that I don't maybe 2016 was a notable year for for various reasons, but how would you describe what that progress has looked like over the Last decade. What are the biggest changes?

B

It has been tremendous. I. I can't speak to before 2016 because I kind of got my start. I guess I could thank Russia for that because in 2016 I was working for the Department of Homeland Security, the, the predecessor to the Cybersecurity and Infrastructure Security Agency. CISA started in 2018, but before that it was an acronym of the National Protection and Programs Directorate, NPPD. And in the spring and summer of 2016, Russia had hacked the DNC, which everybody is pretty aware of, but also did some reconnaissance and some cyber activity on a voter registration database at a state level. We, being DHS at the time, recognized that this was an advanced actor, cyber actor, and wanted to engage state and locals in helping to ensure that they're prepared and not alone facing the cybersecurity threats like that now. It was a huge undertaking and DHS made a lot of mistakes throughout that. We made a lot of mistakes in who we contacted, what our understanding was, but we were always there to lend support. And over time, we built trust in the election community where they would share information, they would help us understand we could bring information from the intelligence community or from our cyber private sector partners. And really, over the course of that 10 years, you saw the maturation of cybersecurity programs for election officials really advanced. So many states developed vulnerability disclosure programs, many had vulnerability management programs. They were improving their visibility on their own exposures and how they were closing those in a timely manner. The success was tremendous. It's always iterative progress and there's always more to do in cybersecurity, but it really shifted from a. A community that may have been hesitant to consider themselves cyber professionals to really embracing that aspect of the role.

C

Right. I imagine at a certain point it was just undeniable to that cybersecurity was broadly relevant to everyone, not just the job of the IT geeks.

B

I think that's true across more than just elections. But yeah, increasingly every major executive understands that cyber is part of their role, part of their portfolio. And so, like other state officials, the influence of their CIO, of their CIO, or the Chief election official themselves in understanding cybersecurity and the steps that they're taking to mitigate risk was always important.

C

Right. So kind of flash forward to 2026, we could get into the ways that DHS has changed or how politics might be coming to bear on some of this. But for now, what are the resource gaps and the ways that you're going to seek to aid local election officials, given how the general environment has changed over the last decade.

B

Yeah, there's still a lot of good work being done across the board. But anyone who's spoken to an election official knows that their most important resource is time. And every day brings us closer to another election. So amid that, as the cybersecurity support environment fractures and there's a contraction of the type of support that happens, it takes time for election officials to navigate, going to this location to receive that type of support, going to this to receive that type of information, identifying what isn't existing going forward. So where are they going to get their cyber threat intel? Where are they going to learn about new and pressing vulnerabilities? Where are they going to learn about the current threat environment because of the geopolitical situation with Iran? These are necessary areas that for operational cyber risk that in previous years was very clear. And then that you could go to cisa, you could go to the EI isac, the Elections Infrastructure Information Sharing and Analysis Center. And now I think there's a contraction of that support where I hear that there's a contraction of, from. Of that support from election officials. And so we're looking to ensure at CDT that we're partnering with the right people to translate and fill some of those coordination gaps and get the information down to election officials where necessary. It doesn't always have to be APPCDT or a CDT branded product, but connecting that dot so that election officials aren't spending their time trying to fill those gaps themselves.

C

Right. And despite this administration pulling back from support for the center for Internet Security in particular, which runs the two ISECs that you mentioned, they've told me and you know, repeatedly that they obviously weren't thrilled with losing their funding and they weren't happy with all that, but that DHS and the federal government generally remains a critical partner for them. Obviously that, you know, they still think that no one is better positioned to handle a lot of the coordination and intelligence sharing activities that the federal government does. How do you view, given, you know, given your history and your current position now, how do you view that whole, the whole landscape under the current Trump administration?

B

So it's clear that organizations like CISA are going to apply fewer resources towards election security. That said, they still have such a critical mission and such a critical ability to perform that mission. CISA sits at the focal point between the intelligence community, law enforcement communities, the private sector. So your cyber industry partners, state and local governments. So I think that, that they will still have an ability to publish very important Informations and they, they're kind of top of class. So if you want to know what the Chinese campaign against edge devices are, that's still really good production coming from cisa. Now you would hope, and it is yet to be seen, that if that information is relevant to election officials, that there will be publications for election officials and largely the ability to get that information to election officials. That's an area that's really been weakened is that trust in that existing relationship of who knows how to contact whom under what circumstances. So yeah, I still love the CISA mission and the holdings that exist there and the work that's being done by plenty of good people. But that relationship with the election community seems to have been frayed.

C

Sure. Yep, I've heard that as well. And you kind of alluded to one of the biggest benefits, as I've also been told of just this sort of preparatory cybersecurity work is that a lot of the idea is just having the right sources and connections in place and the relationships and then in the event that something does happen, you're not starting from zero. It's like we've talked about this, what we would do, we know who to go to, maybe more or less, rather than, you know, having to maybe introduce yourself to a bunch of people for the first time while the, while the building is on fire.

B

Yeah, you, it's smarter people than I always describe it as. Cyber is a team sport and you don't want it to be a pickup game like so you want to know who you're passing to, you want to know who you're engaging with and who your defense is. Nobody's going to be an expert across the board on everything. If you have to do incident response, if you have to do cyber intelligence sharing, if you have to do communications of a cyber incident, all of those things are really different capabilities. And pushing to understand who has what information under those circumstances is a really key area that you want to have that in that preparatory environment.

C

Yep. Now you mentioned the war in Iran. Do you have any sense of, I mean, I can't imagine that that's helping in any, in any way, but do you have any sense of what that's doing to the midterm election work, for example?

B

I'm not sitting on any particular intelligence, but it's really interesting to think back of Iranian activity. They were active, very active in 2020, they were very active in 2022. And while many of their activities were kind of ham handed and easily detected or effectively detected by the intelligence community by State and locals and the whole defensive apparatus. The reality is under these tensions, they've already demonstrated that they are one of the most aggressive actors for election related activity. What is it going to look like when the safeguards are off, when, when they have fewer guardrails in place so yet to be seen? If I were a state and local ciso, if I were focused on election security at the state level, I would be pressing to receive as much information as many briefings, classified, unclassified, from whomever to be best positioned to defend myself from their type of adversarial behavior.

C

Right. So returning to the CDT's initiative, how does it work organizationally? Is it just a matter of those interested reaching out to you? Do you have a cohort that you're, that you're specifically targeting? How does, how does all that work?

B

So we've got a team, we've kind of got two layers of work taking place at the national policy level. We're certainly talking about how to establish information sharing organizations not in competition with the isac, but really recognizing the value of information sharing and making sure that the sinews are connected. And then for the kind of capability building that takes place, that kind of cyber guidance that takes place, that touches election officials directly, we're working with other organizations to provide the clearinghouse of data to train, to push particular cyber programs on chain of custody, on incident response, on incident preparedness in order to advance the community going forward through 26 and beyond.

C

Do you, when you're doing this work with election officials, is it a scenario that, that any, you know, whether you guys or anyone else ever looks at like, you know, there's obviously a lot of speculation about the, a threat coming from within the current White House in terms of trying to undermine or steal the election in some fashion. Is that something that gets discussed at the, the level of local elections on like what to do?

B

So I would say that election officials are natural risk managers. Like their whole business is to operate with integrity and administer the process as best possible under the circumstances. So they're very aware of physical threat environments, they're very aware of cyber environments, and they're tracking the news. So do I know for a fact that there are our plans or insider threat or other elements or engagement from the administration? Not exactly, but I do know election officials to be excellent planners and that they test and prepare for many types of scenarios.

C

Whenever I go down that road, it

A

starts to feel like a conspiracy theory.

C

But then when you listen to what the President is actually saying, like it, you know, it's been, it's been some months since he tweeted a picture of himself wearing a crown. But, like, stuff like that, it's like, it's not exactly a conspiracy anymore.

B

If, if he's telegraphing, we're in interesting times. And it makes, like, the ability to secure elections all the more important and kind of verify them in a transparent way. It's. It's weird that election security has become a partisan issue, but verifying elections hasn't. So the more safeguards and controls we can put in place for that, all the better.

A

That was Jeff Hale, a fellow with the center for Democracy and Technology. That's it for this episode. The Priorities Podcast is a production of Scoop News group in Washington, D.C. production work is done by Adam Butler and Carlin Fisher. I'm Colin Wood.

C

Thanks for listening.