The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) just turned two years old. Before this presidential election, most Americans had never heard of the agency. Now, it is in the spotlight due to a statement posted on its website.
That statement declared that the 2020 presidential election was “the most secure in American history.” Really? How would CISA know?
Seizing on this statement, many in the media and on the Left have mischaracterized CISA’s role as an authority on whether the election was secure from fraud, misconduct by election officials, and other problems and irregularities. It matters because some of these issues, including software manipulation, are being litigated in court – with the Federal Election Commission Chairman’s concurrence.
CISA, in fact, has no authority, no jurisdiction, and no capability to determine whether fraud or other electoral problems occurred. Its only role is to provide advice and information to the states on cybersecurity issues and threats, including potential attacks from hackers and foreign actors.
The agency calls itself the “nation’s risk advisor,” noting that it works “collaboratively with those on the front lines of elections—state and local governments, election officials, federal partners, and vendors—to manage risks to the Nation’s election infrastructure.” But the only “risks” it deals with are in the cybersecurity realm, not the risks posed by bad voter rolls, lax security protocols governing absentee ballots, or other potential problems in the election process.
CISA serves as a best-practices advisory group for state and local election officials who choose to use it. Election officials do not report to CISA; rather it is voluntary and relationship-based.
The day after this year’s election, then-CISA Director Chris Krebs stated, “[W]e have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies.” In other words, DHS did not have evidence that foreign actors successfully hacked into our voting systems. It is questionable that CISA would even be the best federal government entity to have knowledge of such activity, if it occurred, given its role as a voluntary and best practices provider.
Krebs admitted that the public needed to “continue to look to your state and local election officials for trusted information on election results.” This statement at least tacitly acknowledged that state and local officials, not CISA, have jurisdiction over what actually happened within their states and precincts, including any ballot or system fraud or other problems.
Much of the controversy has to do with the huge amount of mail-in ballots, often turned in not by the voter, but through a political process called ballot harvesting. But again, CISA has no jurisdiction, institutional expertise, or claim to be able to determine whether this process was legitimate and without fraud, coercion, or other problems.
A question being raised in this presidential election review involves potential problems within the Dominion Voting Systems election hardware and software used in several states. In 2019, Senators Elizabeth Warren (D-Mass.), Amy Klobuchar (D-Minn.), Ron Wyden (D-Ore.), and Congressman Mark Pocan (D-Wis.) expressed security concerns with Dominion Voting Systems, including machines switching votes. CISA has no role in testing, certifying, or otherwise examining voting equipment, so how would it know if any of the equipment used in this election was “secure?”
In July 2020, CISA published an Election Infrastructure Cyber Risk Assessment to assist the election community in understanding and managing cyber risk to their critical systems. In it, CISA’s key findings included this statement: “Compromises to the integrity of state-level voter registration systems, the preparation of election data (e.g., ballot programming), vote aggregation systems, and election websites present particular risk to the ability of jurisdictions to conduct elections.”
The assessment lays out the many points of vulnerabilities in the very types of systems used throughout the country in this election. As such, it is curious for CISA to claim that this election was the most secure in American history when all of the evidence has not yet been evaluated (and may never be fully evaluated). And it’s doubly curious when you consider that investigating and reviewing election integrity is not CISA’s role.
CISA’s unsupported claim led to President Trump firing Krebs. Afterward, Krebs tweeted “I never claimed there wasn’t fraud in the election, [because] that’s not CISA’s job – it’s a law enforcement matter.”
The election contests are working their way through the system. Recounts and audits are underway, and evidence from multiple lawsuits is now being submitted to various courts across the country. When the election is over, no matter what the ultimate result, there should also be an extensive review of all of the problems and vulnerabilities that were found so we can resolve those problems and remedy those security lapses.
Ultimately, the American people deserve to have confidence in the results of their elections. Agencies falsely implying that they can give a categorical clean bill of health to the election do not help further that confidence. CISA was created to help secure elections from cyber attacks, not to act as the czar of our election system or to make grandiose statements about the election process that go far beyond its limited role, capabilities, and expertise.
Lora Ries is Senior Research Fellow for Homeland Security at The Heritage Foundation and the former Acting Deputy Chief of Staff at the Department of Homeland Security. Hans von Spakovsky is a Senior Legal Fellow at The Heritage Foundation and a former commissioner at the Federal Election Commission.