‘Most secure election ever’? Report by agency Chris Krebs headed detailed glaring vulnerabilities

by WorldTribune Staff, February 16, 2024

On Dec. 16, 2020, Chris Krebs, the former Cybersecurity and Infrastructure Security Agency (CISA) Director, was called to testify before the Senate Homeland Security Governmental Affairs Committee about the 2020 election.

Krebs, who was fired from his position by President Donald Trump, famously announced that day, “The 2020 election was the most secure in U.S. history.”

Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, testifies during a Senate Homeland Security and Governmental Affairs Committee hearing on Dec. 16, 2020. / Greg Nash-Pool / Getty Images

In March 2021, the same agency Krebs used to head, CISA, compiled a report which detailed glaring vulnerabilities in Election Infrastructure (EI) offices throughout the country in 2020.

But CISA hid the report from the public.

It took a Freedom of Information Act (FOIA) request to get CISA to cough up the report.

The report, first posted by Bergen County, New Jersey committee member Yehuda Miller on Feb. 14, exposed Krebs’s claim as blatantly false.

It found:

• 76% of EI entities for which CISA performed a Risk and Vulnerability Assessment (RVA) had spearphishing weaknesses, which provide an entry point for adversaries to launch attacks.

• 48% of entities had a critical or high severity vulnerability on at least one Internet accessible host, providing potential attack vectors to adversaries.

• 39% of entities ran at least one risky service on an Internet-accessible host, providing the opportunity for threat actors to attack otherwise legitimate services.

• 34% of entities ran unsupported operating systems (OSs) on at least one Internet accessible host, which exposes entities to compromise.

On page four of the report, CISA notes that an Advanced Persistent Threat (APT) successfully obtained U.S. voter registration data:

In the run-up to the 2020 election, an APT actor successfully obtained U.S. voter registration data, including in at least one instance from a state election website, and launched an election-related disinformation campaign. In October 2020, CISA also observed APTs targeting elections infrastructure in state, local, tribal, and territorial (SLTT) government entities’ networks. As of October 24, 2020, CISA had no evidence to indicate that integrity of elections data was compromised.

On page seven of the report, CISA CyHy scanning detected 48,796 total vulnerabilities on hosts in the 324 participating EI entities. Of those vulnerabilities, 319 (0.80 percent) were of critical severity, and 1,820 (4.55 percent) were of high severity based on the CVSS base score.

On page 15 of the report, officials found another 451 vulnerabilities and weaknesses in the systems:

In EY20, CISA performed RPTs and RVAs for 108 EI entities. RPT and RVA teams performed penetration tests, phishing assessments, web application assessments, and database assessments. These teams identified 451 findings (see figure 12), which are vulnerabilities and weaknesses that present a risk to the entity.

(The report in its entirety can be viewed/downloaded here.)


Your Choice


Quality Resource for Citizen Journalists