May 25, 2018
From Russia With Love: More Questions for Congress (Part I – Election Security)
After recent document dumps related to the probe into Russian meddling in the 2016 presidential election, there is a growing list of questions for congressional investigators.
In May, the Senate Select Committee on Intelligence (SSCI) issued its “Unclassified 1st Installment in Russia Report, Updated Recommendations on Election Security. The SSCI’s release focused on “Russian Targeting of Election Infrastructure During the 2016 Election.” The Committee concluded:
In 2016, cyber actors affiliated with the Russian Government conducted an unprecedented, coordinated cyber campaign against state election infrastructure. Russian actors scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database. This activity was part of a larger campaign to prepare to undermine confidence in the voting process. The Committee has not seen any evidence that vote tallies were manipulated or that voter registration information was deleted or modified.
In the 2018 election year, investigators should prioritize the big questions related to election security to prevent additional interference.
Will Congress elevate federal and state election security to the status of a primary national security issue?
What specific actions will Congress take to promote and protect election security in future federal and state elections?
In March, the Democratic Minority of House Permanent Select Committee on Intelligence (HPSCI) released its report entitled, Status of the Russia Investigation.
Election security questions drawn from the HPSCI report:
- What specific vulnerabilities to voting systems exist?
- What remedial measures are needed?
- How should political parties, campaigns, and candidates secure their communications to defend against cyber attacks?
- What measures and protocols should the federal government, including our intelligence and law enforcement agencies, adopt?
- How can Congress facilitate these steps?
- Will Congress determine whether state and local officials conduct forensic examinations of their state and local election infrastructure in order to confirm whether their election-related systems were compromised?
- On what evidence does the SSCI base its preliminary conclusion that it “...saw no evidence that votes were changed and found that, on balance, the diversity of our voting infrastructure is a strength”?
- Does the Committee intend to investigate further whether votes were changed?
- Why should states “remain firmly in the lead on running elections”?
- How should the “U.S. Government...clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly”?
- How should “[t]he Federal government, in particular the State Department and Defense Department, ...engage allies and partners to establish new international cyber norms”?
- Will Congress investigate the cybersecurity practices of vendors of election software and equipment?
- Why does the SSCI believe that the “U.S. election infrastructure is fundamentally resilient”?
- Should Congress require paper records of votes in federal elections as a backup counting system that can be reliably verified?
- Should Congress prohibit the use of Paperless Direct Electronic (DRE) voting machines in federal elections?
The SSCI recommends that state government and local government officials prioritize action on the following recommendations:
- Institute two-factor authentication for state databases.
- Install monitoring sensors on state systems. One option is to further expand DHS’s ALBERT network.
- Identify the weak points in the network, including any under-resourced localities, and prioritize assistance towards those entities.
- Update software in voter registration systems. Create backups, including paper copies, of state voter registration databases. Include voter registration database recovery in state continuity of operations plans.
- Consider a voter education program to ensure voters check registration well prior to an election.
- Undertake intensive security audits of state and local voter registration systems, ideally utilizing an outside entity.
- Perform risk assessments for any current or potential third-party vendors to ensure they are meeting the necessary cyber security standards in protecting their election systems.
The SSCI further recommends that state governments take the following steps:
- States should rapidly replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability.
- If use of paper ballots becomes more widespread, election officials should re-examine current practices for securing the chain of custody of all paper ballots and verify no opportunities exist for the introduction of fraudulent votes.
- States should consider implementing more widespread, statistically sound audits of election results. Risk-limiting audits, in particular, can be a cost-effective way to ensure that votes cast are votes counted.
- DHS should work with vendors to educate them about the potential vulnerabilities of both voting machines and the supply chains.
Finally, as to federal financial assistance to the states, the SSCI recommends that “States should use federal grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services, among other steps. Funds should also be available to defray the costs of instituting audits.”
Will Congress appropriate the funds states will need to make these improvements?
Will Congress require states to use these federal grant funds to implement these improvements in federal elections?
The SSCI also recommends the Department of Homeland Security (DHS) take the following steps:
- Work closely with election experts, develop a risk management framework that can be used in engagements with state and local election infrastructure owners to document and mitigate risks to all components of the electoral process.
- Create voluntary guidelines on cybersecurity best practices and a public awareness campaign to promote election security awareness, working through the U.S. Election Assistance Commission (EAC), the National Association of Secretaries of State (NASS), and the National Association of State Election Directors (NASED).
- Maintain and more aggressively promote the catalog of services DHS has available for states to help secure their systems, and update the catalog as DHS refines their understanding of what states need.
- Expand capacity to reduce wait times for DHS cybersecurity services.
- Work with GSA to establish a list of credible private sector vendors who can provide services similar to those provided by DHS.
Will Congress mandate implementation by DHS of these activities in federal elections?