In times of emergency, state governors have regularly called in the National Guard, for reasons such as assisting the recovery after natural disasters like Hurricane Katrina in 2005 or to suppress protests in Ferguson, Mo., in 2014. If voting systems are under siege, should they do the same?
Sen. Kirsten Gillibrand, D-N.Y., floated that idea last week at a hearing of the Senate Armed Services cybersecurity subcommittee, comparing cyberattacks to kinetic attacks and saying states could call on the cyber expertise of the Guard and Reserves. In the wake of widespread Russian efforts to meddle in the 2016 presidential election, resulting in indictments against 13 Russian nationals and three Russian organizations for conducting “information warfare” to disrupt the election, U.S. officials are raising the alarm about threats to the integrity of the 2018 midterm elections.
Russian hackers have used social media and other means to foment political divisions and influence elections, but although there is no evidence that any votes were changed, the Department of Homeland Security (DHS) said last year that hackers had probed systems in 21 states and that a few systems were compromised. This week, NBC News reported that the U.S. Intelligence Community had found evidence that systems in seven states–Alaska, Arizona, California, Florida, Illinois, Texas, and Wisconsin–were compromised by Russian hackers, and while several of those states were notified, none were told the Russians were behind it.
Calling in the Guard would be one way of adding another layer of security. How would it work?
Heather Conley, director for the Center for Strategic and International Studies’ Europe Program, said during the hearing that, while the Department of Defense (DoD) shouldn’t have a primary responsibility of protecting elections, the Guard could help by educating state officials on the latest cyber threats and training local officials to work with DHS in detecting signs of outside influence.
The Guard also could step into the role of white-hat hackers, which is what Ohio already has done. The state called on the Ohio National Guard’s cyberprotection unit in 2016 to hack the state’s network in search of vulnerabilities. “We want to be tested,” Ohio Secretary of State Jon Husted said at the time. West Virgina also has enlisted its National Guard, embedding staff from the West Virginia National Guard into its secretary of state’s effort to protect election systems from cyber threats.
Other states could follow suit, though the part that Guard and Reserve cyber units play in election protection could be limited. At a hearing last fall before the Senate Armed Services Committee, Kenneth Rapuano, assistant secretary of defense for homeland defense and global security at the DoD, cited the separation of civilian and military operations as one hurdle. The United States’ “long-standing tradition of not using the military for civilian functions,” could stand in the way, while using military forces with regard to elections could risk “diluting DoD focus on its core military mission to fight and win wars,” Rapuano said. Marshalling all of those resources also could be difficult: A 2016 Government Accountability Office Report noted that DoD needs to do a better job of keeping track of Guard units’ capabilities.
Cyber warriors in the National Guard and military Reserves are included among the U.S. Cyber Command’s 133 Cyber Mission Forces that, in addition to protecting DoD networks and supporting military missions, are tasked with protecting U.S. infrastructure and national interests.
Cyber Command officials have touted the advantages of having cyber personnel from the Guard and Reserves because many of them work in their civilian jobs in information technology and/or cybersecurity, and bring additional skills to the mission. They’ve worked alongside the other military services in exercises such as the Army’s annual Cyber Shield and contribute to the command’s operations. As well, Guard units also have their own cyber protection teams, which include the units called in by Ohio and West Virginia.
Whether or not the Guard and Reserves get called in, the security of elections is a burgeoning issue. Gillibrand and Sen. Lindsey Graham, R-S.C., last fall proposed a bill to create a 9/11-style commission to look into cyberattacks during the 2016 election and recommend ways to counter similar attacks. “We need a public accounting of how they were able to do it so effectively, and how we can protect our country when Russia or any other nation tries to attack us again,” Gillibrand said in a statement at the time. “The clock is ticking before our next election, and these questions are urgent.” The bill, S.1821, is still in committee.