Documents Obtained by EPIC Reveal DHS’s Slow Response to Election Cybersecurity Threats, Underscore Risks Posed by New Voting Technologies

EPIC has obtained additional documents related to federal efforts to respond to election cybersecurity threats in its suit against the Department of Homeland Security. The documents include summaries of: the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. The incident logs reveal difficulties contacting campaign officials in the lead up to the 2016 Election and concern voiced within the agency about "unbalanced" outreach. And DHS contacts with state election officials were somewhat limited as some were wary that the critical infrastructure designation "would at a later time lead to regulation on states." In the September 2016 Election Infrastructure Cyber Risk Characterization Report, the DHS Office of Cyber and Infrastructure Analysis found that compromises in voter registration databases resulted in the potential release of personally identifiable information but not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems. The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future," particularly the implementation of internet-connected voting systems. The case is EPIC v. DHS, 17-2047 (D.D.C.).