While much of the country was focused today on the testimony of Michael Cohen–President Trump’s former lawyer–before the House Committee on Oversight and Reform, elsewhere on the Hill the House Committee on Appropriations Financial Services and General Government Subcommittee was hearing testimony on election security.
With the 2020 election cycle already underway, election security has been a hot-button issue both for the Federal government as well as states and localities across the country. Today the subcommittee heard from both academic experts and state election leaders who shared their thoughts on struggles facing the U.S. election systems and ways the country can shore up election system cybersecurity.
Dr. J. Alex Halderman, professor of Computer Science and Engineering at the University of Michigan and director of the Michigan Center for Computer Security and Society, explained that the threats to U.S. election systems are not hypothetical and that successful attacks have already happened.
“Three years ago, the United States Presidential election was attacked,” he said. “Hackers penetrated political campaigns and leaked internal communications online, they manipulated social media in an effort order to sow discord, and they targeted our election infrastructure, including voter registration systems in at least 18 states. These attacks were about more than undermining voter confidence. In the assessment of the Director of National Intelligence, they marked a ‘significant escalation’ of foreign ‘efforts to undermine the U.S.-led liberal democratic order.’”
Eric Rosenbach, co-director of the Belfer Center for Science and International Affairs at Harvard’s Kennedy School, praised the success of the 2018 midterm elections while cautioning election leaders to still be on guard for future attacks.
“In early February, the U.S. Intelligence Community confirmed that, ‘there is no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure or political and campaign infrastructure used in the 2018 midterm elections for the United States Congress.’ This is certainly a testament to the increased preparedness of state and local election officials; however, we simply should not assume our adversaries have moved away from targeting U.S. elections,” he said.
From the perspective of a state election leader, Steven S. Sandvoss, executive director of the Illinois State Board of Elections (SBE), weighed in with how Illinois handled and reacted to the 2016 election system cyberattack from Russian operatives. Sandvoss noted that after the attack was discovered, the SBE undertook an “unprecedented effort to secure its voter registration database as well as other IT related applications.” Specifically, Sandvoss cited the CyberNavigator Program (CNP), which Illinois created with grant money from the Election Assistance Commission.
Sandvoss explained that the CNP consists of three main parts. First, Illinois election authorities (EAs) are required to adopt the Illinois Century Network (ICN) as their internet service provider for all traffic between their offices and the SBE. ICN is a state-managed network delivering network and internet services to government agencies in Illinois. Second, SBE engages in a cybersecurity information sharing program with EAs. Finally, the CNP created a team of “Cyber Navigators” to provide cyber assistance to the EAs.
Halderman did offer up what he called “three essential measures” that the United States needs to adopt and implement to “better defend election infrastructure and protect it from cyberattacks in 2020 and beyond.”
He said the U.S. needs to replace “obsolete and vulnerable voting equipment, such as paperless systems, with optical scanners and paper ballots.” He explained that paper ballots “provide a resilient physical record of the vote that simply can’t be compromised by a cyberattack.” He also said that the country needs to consistently audit elections to ensure whether computer results from optical scanners are correct. He said that can be done through a risk-limiting audit, which he called “common-sense quality control.” Finally, he said, “we need to raise the bar for attacks of all sorts, including both vote tampering and sabotage, by applying cybersecurity best practices to the design of voting equipment and registration systems and to the operation of computer systems at election offices.”
Rosenbach also offered three actions Congress needs to prioritize in advance of the 2020 election: bolstering domestic defenses and resilience; developing precise and legal offensive cyber capabilities; and adopting a clear, public deterrence posture. As to the last action, he called out the U.S.’s response to the Russian attacks during the 2016 election cycle, saying, “Our response to Russian interference in 2016 was not strong enough; that has resulted in a perception by our adversaries that they can attack American democracy without incurring any pain or costs. We need a strong national response that interfering in our elections in any manner is unacceptable.”
Rosenbach also urged cooperation across all levels of government, as well as between the private and public sectors.
“No defense will ever be perfect,” he said. “We need a robust private sector to maintain our position as the world’s technological leader. We need a Federal government that is engaged in helping state and local election officials, who are on the frontlines of defending our democracy. Elections are at the core of our democracy, and at the end of the day, require a whole-of-nation effort to be prepared for any adversaries who try to target the 2020 elections.”
While Sandvoss didn’t offer any specific steps he believes Congress needs to take, he did explain that in addition to establishing the CNP, Illinois also increased its investment in personnel, hardware, software, security assessments, and ongoing monitoring. And he urged continued Federal funding for election security.
“Cybersecurity is an ongoing, ever-escalating process that doesn’t have an end date, and as such there will be an ongoing need for funds to maintain the [CNP] program,” he concluded.