The Designation of Election Systems as Critical Infrastructure



Updated September 18, 2019
Prior to the 2016 federal election, a series of cyberattacks occurred on information systems of state and local election jurisdictions. Subsequently, in January 2017 the Department of Homeland Security (DHS) designated the election infrastructure used in federal elections as a component of U.S. critical infrastructure. The designation sparked some initial concerns by state and local election officials about federal encroachment of their prerogatives, but progress has been made in overcoming those concerns and providing assistance to election jurisdictions.

What Led to the Designation?
In August 2016, the Federal Bureau of Investigation (FBI) announced that some state election jurisdictions had been the victims of cyberattacks aimed at exfiltrating data from information systems in those jurisdictions. The attacks appeared to be of Russian-government origin. That same month, DHS contacted state election officials to offer cybersecurity assistance for their election infrastructure. Most states accepted the offer. Although the cyberattacks did not appear to affect the integrity of the election infrastructure, some observers began calling for it to be designated as critical infrastructure (CI). On January 6, 2017, the Secretary of Homeland Security announced that designation.

What Is Critical Infrastructure?
Under federal law, CI refers to systems and assets for which “incapacity or destruction … would have a debilitating impact on security, national economic security, national public health or safety, or any combination” of them (42 U.S.C. §5195c(e)). Most CI entities are not government-owned or -operated. Presidential Policy Directive 21 (PPD 21) identified 16 CI sectors, with some including subsectors. Sectors vary in scope and in degree of regulation. For example, the financial services sector is highly regulated, whereas the information technology sector is not. Election infrastructure has been designated as a subsector of government facilities. That sector includes two previously established subsectors: education facilities, and national monuments and icons.

The Homeland Security Act of 2002 (P.L. 107-296) gave DHS responsibility for several functions aimed at promoting the security and resilience of CI with respect to both physical and cyber-based hazards, either human or natural in origin. Among those functions are providing assessments, guidance, and coordination of federal efforts.

Each CI sector has been assigned one or two federal sector-specific agencies (SSAs), which are responsible for coordinating public/private collaborative efforts to protect the sector, including incident management and technical assistance. DHS has regulatory authority over two sectors: chemical and transportation systems. It serves as SSA for several, including the elections infrastructure subsector (EIS).

The components of the EIS as described by DHS include physical locations (storage facilities, polling places, and locations where votes are tabulated) and technology infrastructure (voter registration databases, voting systems, and other technology used to manage elections and to report and validate results). It does not include infrastructure related to political campaigns. However, DHS does provide cyber vulnerability assessments and risk mitigation guidance to political campaigns upon request as resources permit.

Does the Designation Permit Federal Regulation of Election Infrastructure?
DHS does not have regulatory authority over EIS. Five other agencies have significant roles with respect to federal elections, but none has claimed regulatory authority over the EIS:

• The Election Assistance Commission (EAC), created by the Help America Vote Act (HAVA, P.L. 107-252), provides a broad range of assistance to states, including development of voluntary technical standards for voting systems, voluntary guidance on implementing HAVA requirements, and research on issues in election administration. It also has statutory authority for administering formula payments to states to assist them in meeting HAVA requirements and improving election administration, including $380 million appropriated in FY2018 in response to security concerns.

• The National Institute of Standards and Technology (NIST) assists the EAC on technical matters, including development of the voting system standards, certification of voting systems, and research.

• The Department of Justice (DOJ) has some enforcement responsibilities with respect to requirements in HAVA and other relevant statutes.

• The Department of Defense (DOD) assists military and overseas voters.

• The Federal Election Commission (FEC) is responsible for enforcement of campaign finance law but is not involved in election administration by state and local jurisdictions.

HAVA expressly prohibits the EAC from issuing regulations of relevance to the CI designation, and it leaves the methods of implementation of the act’s requirements to the states. However, it does permit DOJ to bring civil actions if necessary to implement HAVA’s requirements.
https://crsreports.congress.gov

What Does the Designation Mean?
While both DHS and the EAC provided assistance to states in addressing the security concerns that arose in the run-up to the November 2016 election, the CI designation had several notable consequences:

• It raised the priority for DHS to provide security assistance to election jurisdictions that request it and for other executive branch actions, such as economic sanctions that the Department of the Treasury can impose against foreign actors who attack elements of U.S. CI, including tampering with elections.

• It brings the subsector under a 2015 United Nations nonbinding consensus report (A/70/174) stating that nations should not conduct or support cyber-activity that intentionally damages or impairs the operation of CI in providing services to the public. It also states that nations should take steps to protect their own CI from cyberattacks and to assist other nations in protecting their CI and responding to cyberattacks on it. The report was the work of a group of governmental experts from 20 nations, including Russia and the United States.

• It provided DHS the authority to establish formal coordination mechanisms for CI sectors and subsectors and to use existing entities to support the security of the subsector. Those mechanisms are used to enhance information sharing within the subsector and to facilitate collaboration within and across subsectors and sectors. For example, both the FBI and the Office of the Director of National Intelligence (ODNI) have participated in briefing election officials on threats to the EIS.

Among the coordination mechanisms for the subsector are the following:

Government Coordinating Council. The GCC consists of representatives of DHS and the EAC, as well as secretaries of state, lieutenant governors, and elections officials who altogether represent 24 state and local governments. It also includes non-voting members from other relevant federal agencies. The GCC facilitates coordination across government entities both within EIS and in other sectors. Activities include communications, planning, issue resolution, and implementation of the security missions of the entities.

Sector Coordinating Council. The SCC consists of representatives of nongovernment entities, most of which are providers of voting systems and other election-related products and services. SCCs are self-organized and self-governed. They are intended to represent private-sector interests and to facilitate collaboration activities, including information sharing, among the private-sector entities in the CI sector and with government entities.

Sector-Specific Plan. Public- and private-sector partners have created SSPs for each of the 16 CI sectors. The plans are components of an overall National Infrastructure Protection Plan and provide a means for the sectors to establish goals and priorities for addressing risks. They are generally updated on a four-year cycle. DHS is currently drafting an SSP for the EIS.

The CI designation for election infrastructure is also intended to facilitate use of existing resources, such as

Cybersecurity and Infrastructure Security Agency (CISA). CISA, an agency within DHS, serves as the SSA for the EIS.

Critical Infrastructure Partnership Advisory Council. CIPAC provides election officials access to a broad range of relevant expertise and participation in sensitive planning conversations.

Multi-State Information Sharing and Analysis Center. The MS-ISAC is one of the centers created to facilitate the sharing of security information for different CI sectors. It works with CISA, all states, and many local governments to assist them in cybersecurity. The MS-ISAC supports the EIS-ISAC, created in 2018 to facilitate information-sharing activities for and among more than 500 members consisting of state and local election offices, as well as the National Association of Secretaries of State (NASS) and the National Association of State Election Directors (NASED).

Pursuant to the EIS designation, DHS and the EAC assisted both jurisdictions and vendors in preparations on election security for the 2018 federal election. For more information, see https://www.dhs.gov/topic/election-security, https://www.eac.gov/election-officials/elections-critical-infrastructure/, https://www.cisecurity.org/ei-isac/.

Why Was the Designation Initially Controversial?
Misgivings about DHS involvement were raised when it first offered assistance to election jurisdictions in August 2016. Some observers feared that DHS would begin to exert control over the administration of elections or to engage in unrequested security activities.

Controversy over the federal role in election administration is not new. Concerns about federal regulation of the election process were prominent during the legislative debate over HAVA and led to the inclusion of the regulatory restrictions in the law. Furthermore, bills in prior Congresses that would have provided DHS broad regulatory authority over cybersecurity have all failed.

The CI designation does not contravene the HAVA restrictions on EAC regulations or create DHS regulatory authority for the EIS. DHS provides assistance to election jurisdictions only on a voluntary basis. In the 115th Congress, a few bills would have established mandatory standards or federal rule-making authority, but none received committee or floor action. Bills with relevant provisions have also been introduced in the 116th Congress.

Brian E. Humphreys, Analyst in Science and Technology Policy

IF10677


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10677 · VERSION 7 · UPDATED