With election security firmly in place as the popular policy du jour on Capitol Hill in the ramp-up to the 2020 election cycle, House members from both sides of the aisle voiced support at a Nov. 19 hearing for more focus on cyberattacks targeting election infrastructure, with a particular focus on ransomware exploits.
The hearing of the House Homeland Security Committee subcommittee on Cybersecurity, Infrastructure Protection, and Innovation featured testimony from officials in the Federal government, academia, and the private sector, but mainly targeted efforts the private sector is making to protect U.S. elections infrastructure and political campaigns from malicious actors.
Subcommittee Chairman Cedric Richards, D-La., began the hearing by highlighting Russia’s malicious cyber activity in the 2016 elections, saying, “The Russian government’s covert malicious foreign interference campaign attacked every aspect of our elections.” He further pointed to two new countries he said are working towards attacking U.S. elections – Iran and China. Rep. Richards said those countries are “weaponizing new technologies to disrupt our democracy, distort the daily news, and compromise our election security.”
Ginny Badanes, director of strategic projects of Microsoft’s Defending Democracy Program, agreed with Rep. Richards and stressed the importance of securing U.S. elections, saying, “Campaign organizations face the threat of capable, well-funded, and agile adversaries. Organizations of any size would struggle to be prepared for these challenges, but the size and nature of campaign organizations makes them especially vulnerable.”
In his opening statement, Subcommittee Ranking Member John Katko, R-N.Y., said the 2018 midterm elections “demonstrated the progress that the Federal government and our state and local partners have made” on ensuring election integrity. In terms of solutions to ongoing security concerns, Katko reiterated the importance of paper-ballot systems, which are now present in the vast majority of states. He further said that “software independence of our election infrastructure is essential for the integrity of our election systems.”
Matt Blaze, McDevitt chair of Computer Science and Law at Georgetown University, agreed with Katko on the importance of paper-based voting machines, saying, “Paperless voting machines should be phased out from U.S. elections immediately, and urgently replaced with precinct-counted optical scan ballots that leave a direct artifact of voters’ choices.” Alongside paper-based voting systems, Blaze also said risk-limiting audits that are “statistically rigorous” should be undertaken routinely after every election, including state and local contests. He said that this would help “detect and correct software failures and attacks.”
Blaze also addressed how state and local voting officials can be helped, saying those officials “should receive access to significant additional resources, infrastructure, and training to help them protect their election management IT systems against increasingly sophisticated adversaries.”
Retired Air Force Gen. Frank Taylor, former under secretary for Intelligence and Analysis at the Department of Homeland Security (DHS) and a board member at U.S. CyberDome, talked about the tough security challenges faced by political campaigns. He said campaigns are underprepared for defending against cyberattacks, they are isolated from cybersecurity resources, they are singularly focused on getting elected to the exclusion of other priorities, and they struggle with the “last mile” of cybersecurity – meaning they don’t have the information they need to properly defend themselves.
However, Taylor stressed three actionable steps that can be taken to better secure campaigns.
First, he said, non-profits should be utilized to support campaigns. “Non-profits avoid misgivings campaigns may have about utilizing Federal government and for-profit resources directly,” he said.
Badanes agreed with Taylor and stressed how the private sector, as well as nonprofits, can help campaigns. She said campaigns “will benefit from industry partners providing access to tools that support these efforts. They will benefit from NGOs like Defending Digital Campaigns and Cyberdome who can help filter and provide tools at affordable rates.”
Second, Taylor urged the Federal government to set minimum cybersecurity standards for campaigns. “Campaigns may have greater incentive to spend effort and funds on cyber protections if they know their competitors are obligated to the same expenditures,” he argued.
Finally, he said Congress must focus on “key technical challenges.” He testified, “Congress should consider mandating that all U.S. government threat intelligence be disseminated in computer-readable formats, in addition to prose. This simple requirement would go a long way to ensuring that action can be taken swiftly once threat intelligence information is received.”
Richard Stengel, former under secretary of State for public diplomacy and public affairs and distinguished fellow, Digital Forensics Research Lab at the Atlantic Council, also weighed in on steps the government and private sector can take.
“I would endorse the Senate Intelligence Committee’s recommendations for fighting disinformation, and in particular the timely sharing of information between the private and public sector of real-time threats,” he said. “I’d also recommend the Five D’s of combatting disinformation: detection, demotion, deletion, disclosure, and digital literacy.” He also said that empowering the Global Engagement Center to “truly help fight all kinds of disinformation could be a vital effort of the government.”