Better cybersecurity is critical to protecting future elections
The cornerstone of democracy is the electoral process. The very definition of a democratic country is one that conducts free, fair and open elections. More than any other norm of behavior, the idea of an election that periodically counts the votes of citizens is at the heart of America’s understanding of a liberal (small “l”) world order.
Today, however, the election process is vulnerable to manipulation by hostile powers. We know that (beyond social media manipulation) Russia quite brazenly hacked into the IT systems of political campaign committees and tried to gain access to data held by local elections boards. Though direct manipulation of the election results does not appear to have happened, the mere fact that the effort was made serves to undermine confidence in democracy and subvert our willingness to accept the results.
There is no reason at all to think that this effort will not be repeated. Indeed, quite to the contrary, given the poverty of America’s response (for which we must thank both the Obama and Trump administrations), our adversaries have every reason to continue their efforts — they have achieved significant disruption at virtually no cost to themselves.
We need to deter these attacks in the future. Part of that may involve diplomatic responses, but another, equally important part will involve strengthening the security of our electoral infrastructure. Today, the election system is a lot like the electrical system was back in the early 2000s — diffuse, with limited resources and insufficient awareness of the threat. We have significantly improved the resilience of the electrical grid; we can do the same for the electoral system.
The Secure Elections Act, recently introduced by a bipartisan group of senators, is a good start to the conversation about how to improve the security of our election system. It includes excellent ideas that merit serious consideration by Congress, the Trump administration and the states.
To begin, one lesson we learned from the electrical grid experience is the value of sharing threat and vulnerability information among those within a sector who are affected by the threat. The SEA would establish and authorize a presumption for information-sharing by state electoral organizations with the Department of Homeland Security (DHS) and reciprocal DHS information-sharing with states. One of the failures of the past election cycle was DHS’s notifying 21 states that they had been targeted for possible intrusion — long after the election was over. Timely, actionable cyber-threat intelligence is essential to an effective response.
A second lesson we have learned is that many actors who are unaware of cyber threats would be more than happy to respond, but they simply don’t know what to do or how to do it. One of the most successful cybersecurity enhancement efforts of the last five years was that of the National Institute for Standards and Technology (NIST), which developed a baseline set of standards known as the Cybersecurity Framework. Built in a collaborative, non-regulatory manner, the NIST framework is a useful guide to best practices.
The SEA would attempt to replicate that process by creating an advisory panel of independent experts on election cybersecurity who, in consultation with other federal agencies and state authorities, would develop such things as best practices, guidance, requirements and audit protocols.
This is a sound idea – but one that needs to be lifted from the turgid process of chartering and developing a new advisory committee. Using the advisory committee model would mean that no recommendations would be returned before the 2018 election — and America simply cannot afford to wait that long. A far better idea would be to build on the existing NIST structure by adding any unique, requisite expertise in election security.
The final piece of the puzzle, also well-known from past experience, is the question of resources. Implementing recommended practices and procedures costs money. And worse yet, it is “preventative” money that is often not thought of as “well-spent,” since the mark of success is a lack of failure. Nobody in government (or the private sector, for that matter) likes to spend money on prevention — it’s just cost without any readily apparent benefit.
Here, too, Congress has a role. It can, and should, provide grants to states that want to modernize their infrastructure. Federal grant authority is a powerful way of driving states to adopt improved standards across the board. While the best rule is for the federal government not to dictate any particular solution, federal funding can and should be used to incentivize improvements.
These are not the only ideas that might help, of course. One can, for example, imagine using federal assets to conduct a threat assessment of a State system or run a Red Team exercise testing vulnerability. Some proposals are building on that idea to establish a “hack the election program,” modeled on the successful DefCon program last year, that would offer a bug bounty and a safe harbor to those who find vulnerabilities in existing systems.
In short, there is no shortage of good ideas for improving election cybersecurity. Much of what can be done is in the nature of picking “low hanging fruit” — simple steps that merit wide-spread support. Congress (and, in particular, the Senate) deserve praise for beginning the conversation — now all that is necessary is commitment to carry through these proposals to completion.
