Kudos to Congress for Taking Election Security Seriously

Paul Rosenzweig
Thursday, March 22, 2018, 5:33 PM

Published by The Lawfare Institute

By now most are familiar with the contours of Russian efforts to influence our elections. The use of social media by Russia (and also, apparently, by the Trump campaign) has resonated with many.

Lost in the shuffle, however, has been an equally important concern – the apparently frequent but unsuccessful efforts by malicious Russian actors to penetrate the security of the American electoral infrastructure. In broad strokes, the election system begins with voter registration, and that registration is then maintained in a database which forms the basis for precinct-level voter lists (known typically as “voting books”). Individuals who are in a local voting book are then authorized to cast a ballot on election day (or, alternatively, by mail prior to election day). These ballots are tallied in a tabulation that sums the individual voting preferences to identify a winner. Finally, sometimes, though not always, that final tabulation is subject to a post-election review, whether through statistical analysis or a recount. Each step along the way involves the collection, storage and transformation of data – data that, in the end, is potentially subject to cyber intrusion through degradation, disruption, denial or destruction.

Happily, Congress has begun to react to the potential for disruption. The House version of the Omnibus spending bill includes $380 million for Election Assistance Commission grants to states “to improve the administration of elections for Federal office, including to enhance election technology and make election security improvements.”

While that broad mandate has yet to be defined, one can easily imagine the funding being used for a host of security improvements. For example, this funding might go to assist in the purchase of electronic voting machines that maintain physical paper voting records. In an understandable reaction to the “hanging chad” problems of the 2000 election, America moved to electronic voting systems. But without a paper backup record, an audit of the vote is not feasible. As one analyst put it: “With paper, you can recount or audit that paper and carefully check the performance of the voting system, ensuring that the electronic result would match what a full hand count would show. . . Without a paper audit trail, any recount is just like hitting enter on the keyboard over and over again: You get the same answer and you have no clue if that answer is correct.”

The money can also help States adopt other relatively simple, standard protective measures. Not all will be feasible for every election system, of course, but all State and local election boards should be encouraged to implement as many of them as feasible. For example, log-ins to critical databases should require two-factor authentication to reduce the possibility of malicious access; where feasible, election records should be encrypted; and where feasible, remote access to election systems via virtual private networks (VPNs) should be restricted or eliminated altogether. These are not novel ideas – they simply are ones which have not been on the radar screen for most election agencies and whose implementation will require time and money. With this funding bill, Congress has promised the money.

In addition, the spending bill also moves toward giving law enforcement greater capability to counter the Russian efforts directly. It increases funding for the FBI, with some money to be used for “the counterintelligence and cyber-related investments necessary to help respond to foreign actors, including those seeking to compromise democratic institutions and processes.” The Department of Homeland Security title also specifies funding “to support the new Election Infrastructure Security Initiative (EISI).”

Often Congress is derided for failing to act. That’s perfectly fair. But we should, likewise, recognize when it has done the right thing. These steps to protect American elections are just the beginning – but it is important to recognize that they are steps in the right direction.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company, and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
