Cybersecurity: Legislation

Assessing the Bipartisan Secure Elections Act

By Michael Sulmeyer
Wednesday, January 3, 2018, 7:00 AM

On Dec. 21, all eyes were on the Republican bill to cut taxes. Yet a bipartisan group of six senators also had their eyes on the far less sexy (but still important!) topic of election hacking. They quietly introduced a bill called the Secure Elections Act that, if passed, would be a good down payment on improving the confidence we can have in the integrity of our elections. This short, stocking-stuffer size review will: review some of the core questions around election security, assess the bill’s provisions to improve information sharing, its grant program, and its bug bounty, and conclude with some tough realism about additional work that needs to be undertaken to protect our elections.

How did we get here?

Regular Lawfare readers are likely well-versed on the controversies surrounding the integrity of the 2016 election, specifically the role that Russian hackers played in trying to manipulate and undermine confidence in different aspects of the election. Even before 2016, it wasn’t hard to see shortcomings in the current approaches to securing federal elections. In October 2017, my colleague Ben Buchanan and I surveyed these risks in a report called Hacking Chads and recommended five steps that either presidential candidate should take if they won:

  1. Designate federal elections and their infrastructure as critical infrastructure
  2. Ensure that every vote is cast by a paper ballot marked (or verifiable) by the voter
  3. Encourage security audits and the adoption of basic cybersecurity standards for voting infrastructure
  4. Improve post-election auditing, especially through statistical sampling
  5. Articulate a declaratory policy that threatens to impose costs on those who seek to threaten the integrity of US elections

We were not first to the fight on this topic (Matt Blaze, Alex Halderman, Joe Hall, and Ed Felten have been on the case for years), but we wanted to situate cybersecurity of elections for those who work in or study public policy, as opposed to computer science.

Overall Grade: Pretty Good!

Overall, this new Election Security Act succeeds in addressing all of these recommendations except the first. There’s a good reason for this exception, however: the Department of Homeland Security (DHS) previously designated election systems as critical infrastructure in January 2017. It is worth reflecting on this recommendation because it reflects a controversial tension of federalism between the role of states and municipalities that administer elections and the role of the federal government, which is responsible for protecting the country from critical threats. For example, the Elections Clause of the Constitution assigns to the states the responsibility for determining the “times, places, and manner” for elections, but also empowers Congress to modify these determinations. It should not be surprising that state officials may balk if they perceive that their federal counterparts are meddling in state affairs. Indeed, the National Association of Secretaries of State passed a resolution in February 2017 opposing DHS’s designation of election systems as critical infrastructure. One lesson, therefore, is that any federal legislation that tries to improve election-related cybersecurity must thread the federalism needle.

Overall, this new Election Security Act succeeds in doing so: It does not command states to act in specific ways, it does not hijack election administration from counties, states, or municipalities, and it limits the federal government’s role to advising and empowering state and local jurisdictions to run their proverbial railroads.

Before breaking down the bill, it’s worth reinforcing its bipartisan support. Election security is a topic and a threat that is too important to fall victim to partisan infighting, so it is refreshing to see Republican Sens. James Lankford, Lindsey Graham and Susan Collins working with Democratic Sens. Kamala Harris, Amy Klobuchar and Martin Heinrich to address an issue of our common security. It’s nice to close out 2017 with an example of leaders in both parties working together.

The bill itself hits three central themes:

  • Promote better information sharing about cybersecurity threats
  • Fund improvements to state election systems and processes through federal grants
  • Establish a bug bounty program to uncover new vulnerabilities in election systems

As such, this bill focuses on making our elections harder to hack, while previous legislation has sanctioned perpetrators of election hacking. As much as we hear that “the best defense is a good offense,” sometimes the key to good defense is actually a better defense. If this bill passes and congressional appropriators provide the required funding, we stand to be better off on defense than we are today.

Information Sharing

I’ve never been in love with proposals that call for more information sharing as a way to improve cybersecurity. On its face, information sharing is great: If I have information about a hacker or his tactics about a vulnerability in a piece of software, sharing it with others can improve the common defense. However, there are many reasons why this doesn’t work in practice. First, those who posses threat information are not always incentivized to share it. Forgive me for being cynical, but if I just got hacked, am I all that eager to help my competitors to avoid that fate and profit at my expense? The financial sector is the exception to this rule, as their information sharing and analysis center gets pretty high marks. (Thankfully, election administration is immune from this disincentive to share information.) Second, even if the incentives to share are present, the timeliness of the sharing is crucial. If the federal government tells me I’ve been compromised six months after the fact, that’s not particularly helpful. Finally, those who receive cybersecurity threat information need to be able to act on it. Absent context, telling me “the Russians did it” does little to help me defend myself. To act on more granular technical threat information requires some investment by the recipient.

Despite these challenges to information sharing in general, this bill’s information sharing provisions are a step in the right direction. They motivate the federal government to get its act together and to create a default presumption that election-related threat information needs to be shared, not hoarded. Remember: It took DHS almost a year to notify states that Russia was probing their systems. Classification issues are addressed by pushing for declassifying more election-related threat information and by granting security clearances to election administration officials. The former is likely to be more successful than the latter if the federal government can be more creative with stripping sensitive collection-related information so that the actionable information can be shared more easily. Otherwise, even cleared state officials may not know what to do with the classified information they are shown.

Two provisions stand out as holding the most promise to improve awareness through information sharing. First, the law calls for states to notify the federal government when their election systems are hacked. Similarly, contractors and vendors need to notify election agencies when they have been compromised. These are necessary provisions to reinforce the importance of calling for help when an organization determines that hackers have compromised their systems.

The second promising provision is the requirement that the federal government builds a catalog of cybersecurity services that they can provide to state agencies. Because most state government institutions have little experience with working with the federal government on cybersecurity, this is an excellent approach to improve transparency and to help states avoid reinventing the cybersecurity wheel by contracting for the development of new services that the federal government already offers. This section is light on detail, but the concept of a cybersecurity catalog that states can shop from makes a lot of sense.

Grants

The Secure Elections Act also establishes a multifaceted grant program to improve cybersecurity at the state and local level. Most of the bill’s text is devoted to setting up this program, limitations on funding amounts, etc. But what strikes me the most is how the bill authors set up these grants to improve accountability and transparency in elections. For example, one of the big pushes that election cybersecurity pros recommend is a return to paper ballots. Not that the hanging chads controversy needs to be rehashed, but paper ballots are a crucial component to enabling post-election audits. With elections sometimes coming down to a single vote (as occurred recently in Virginia), the ability to recount and audit is crucial. Indeed, Ben Buchanan and I noted in Hacking Chads that “five states lack such paper trails entirely and in some states, including swing states like Pennsylvania, a majority of counties do not use machines with voter-verifiable paper trails.”

Another theme these grants promote is the modernization of voting systems. The last significant overhaul of the nation’s voting machines was after the troubled 2000 election. Seventeen years is a long time in the evolution of digital technology, yet many jurisdictions throughout the country have not been able to keep up. Relying on technology that old to protect an institution as critical as voting is a recipe for trouble, so upgrading this technology is a worthwhile cause. That the federal government would provide grants to facilitate these upgrades makes the most sense, given the scant resources in local communities to replace this old technology.

There’s a lot more detail in the bill about how these grants will work, including how an independent advisory panel comprised of technical experts will shape guidelines for their administration. My concern here has less to do with the substance of the grants and more to do with how long it will take to get the program up and running. The bill’s drafters caught this and created an additional interim grant program, so hopefully that will facilitate some help for some states before the 2018 midterms. But realistically, I wouldn’t expect much change before 2020.

Bug Bounty Program

Only in the final two pages of the bill are readers presented with one of the most innovative moves in election cybersecurity: a volunteer bug bounty program called Hack the Election. (This portion of the bill seems to take its inspiration from a piece of previously-introduced legislation by Heinrich and Collins called the Securing America's Voting Equipment (SAFE) Act of 2017.) Bug bounties are not new, as companies have often sought the assistance of white-hat hackers to find and fix potential cybersecurity flaws before malicious hackers can exploit them. My friend and colleague Katie Moussouris is a longtime professional in this space, and she advised my former Department of Defense (DoD) colleagues Lisa Wiswell and Charley Snyder on the creation of the first federal government bug bounty, called Hack the Pentagon. The idea was to offer non-monetary compensation to a screened group of volunteer hackers who would be provided with access to a part of the military’s unclassified network to look for potential vulnerabilities. The competition cost the Pentagon only $150,000 to accomplish what would have otherwise cost over $1 million through standard contracting processes.

Bug bounties don’t solve everything, but they offer institutions an avenue to receive cybersecurity advice about where to focus limited resources. If the military’s bureaucracy could find a way to let hackers on to their networks to search for vulnerabilities, election officials should be able to do the same. There will be those who point to the risks of authorizing hackers to hack, but that’s why DoD created a process to screen those who would participate in the bounty first.

The hope is that a program like Hack the Election can offer states yet another way to improve their insight into the potential cybersecurity risks that they need to mitigate. Jurisdictions and administrators still must address whatever vulnerabilities the hackers discover. But the ability to take advantage of the collective experience of a vetted set of hackers is one that shouldn’t be passed up, so I am pleased to see that the Election Security Act creates a way forward for states to do so.

Problems Beyond This Legislation

Although I am supportive of this bill, readers should be aware of some remaining issues. To be fair, these are issues that legislation can’t solve, but they will shape the effectiveness of any legislative effort to improve election cybersecurity. First, the bill places almost all of the federal responsibility on the Department of Homeland Security. Having met a few of the administration’s officials who work in the cybersecurity part of the department, I do not doubt that they take election security seriously and are committed to improving it. The concern is that DHS is not the only federal agency that handles threat intelligence: The intelligence community and the FBI need to be committed to this cause as well. If they don’t share relevant information with DHS or are slow to do so, there’s little DHS or the states can do.

Second, for all the bill offers to states and local jurisdictions, they still need to take the initiative to receive the shared information, to apply for grants, and to participate in bug bounties. The federalism issues described in this post’s introduction are, in this regard, a double-edged sword. There would be significant resistance if the federal government attempted to mandate the administration of elections. Indeed, even the offer of voluntary vulnerability scans ahead of the 2016 presidential election provoked cries of federal interference. Time will tell how many states avail themselves of offers of assistance from Washington.

Third, making election infrastructure harder to hack is just one part of improving the integrity of future elections. To take on another part of the challenge, my colleagues at the Belfer Center’s Defending Digital Democracy project wrote a playbook to help political campaigns better protect themselves from hackers. And then there’s the need to hold accountable those that try to hack our elections. So while this bill is a necessary component of election security, more work obviously needs to be done.

Finally, this bill only contains what federal budget geeks call an “authorization” for funding. For federal money to change hands, a separate “appropriation” bill has to pass. Authorizations tend to lay out the broad strokes of how Congress wants to spend money, whereas appropriations are more specific (think prose vs. line-items). Your guess is as good as mine if companion legislation appropriating hundreds of millions of dollars for better election security will pass. Fortunately, other initiatives in the bill, like improving information sharing, do not require funding and so can commence if the bill becomes law. But with this Election Security Act off to a strong bipartisan start, maybe it won’t take something as big as a Christmas miracle to protect our future elections.