There is much, of course, to be said about the reported Russian intrusion into various aspects of our electoral system. From the hack of the DNC and DCCC to the apparent intrusion into state electoral databases to a broad disinformation campaign to disrupt the election and call its integrity into question, there are many reasons to be dismayed at Russian activity. And there are many questions worth asking, ranging from an appropriate response to how to prevent the next iteration.
a birthday gift!
But what is especially depressing is when a certain portion of the commentariat rush to amplify the problem with conspiracy theories of their own. In one possible response to the Russian intrusion, Secretary of DHS Jeh Johnson has suggested that the Department will consider identifying the electoral system as part of the nation's critical infrastructure (CI). In an overwrought reaction to that suggestion, some have characterized this as a rush by President Obama to "take over" the security of elections with a sinister cry of alarm, suggesting a nefarious motive to Federalize a State responsibility (with the motive of throwing the election to Democrats, I suppose). Sadly, that claim has begun to echo in the conservative blogosphere, becoming a new reality that itself feeds into the perception that the electoral system is "rigged."
But the claim itself is nonsense—plain and simple. Designating a system as critical infrastructure does not mean that the Federal government "takes over." Not of the sector generally, and not even of the security of the systems within the sector of the economy that is designated.
To begin with, the reality is that the CI designation hasn't worked that way in the past. Here are some of the things that are already critical infrastructure designated sectors—Food and Agriculture; Dams; Transportation Systems. The operaters of systems in those sectors would be shocked ... just shocked ... to hear that the Feds had taken over their operations. Far from it. Why one supposes that this particular designation will have a different result is beyond me. In fact there are already 16 seperate critical infrastructure sectors that cover more or less all of the critical aspects of the American economy. Everything from manufacturing to agriculture to health to waste water treatment is part of the system. None of them are under Federal control today. The fear-mongering is really just that ... fear mongering.
So ... what does it actually mean in practice to be designated as CI? It means that a sector of the economy is so important that the Federal government will work to provide as much support as it can to the sector through cooperative public-private interactions. The overall structure of the CI program is governed by Presidential Policy Directive-21. As the policy puts it, the main role of DHS is coordination and assessment, not direction and control:
[The] Secretary of Homeland Security evaluates national capabilities, opportunities, and challenges in protecting critical infrastructure; analyzes threats to, vulnerabilities of, and potential consequences from all hazards on critical infrastructure; identifies security and resilience functions that are necessary for effective public-private engagement with all critical infrastructure sectors; develops a national plan and metrics, in coordination with [Sector Specific Agencies] SSAs and other critical infrastructure partners; integrates and coordinates Federal cross-sector security and resilience activities; identifies and analyzes key interdependencies among critical infrastructure sectors; and reports on the effectiveness of national efforts to strengthen the Nation's security and resilience posture for critical infrastructure.
Two further quick notes about the PPD—the SSAs are, as the name implies, the regulatory agencies of the Federal government with primary responsibility for a sector. Thus, most of the work in the financial sector is coordinated by the Department of Treasury, the energy sector is led by DOE, and so on. Second, PPD-21 is not some new innovation of President Obama. It is directly derived, from and a follow on to, Homeland Security Presidential Directive-7 issued by President Bush.
The result of a designation as CI is that the Federal government will provide assistance in coordination and assessment functions to members of the sector. For example, DHS conducts assessments on infrastructure and communities to help businesses and local government officials make decisions about where to put resources to enhance security before an event and improve recovery after an event. In the context of elections, DHS (along with other Federal agencies involved in elections and/or cybersecurity) might help state and local election officials with an assessment of whether or not they are actually vulnerable to attack and if so, offer advice on how best to mitigate that vulnerability.
When attacks do occur, the Federal goverment also plays a role in sharing information between the public sector and the private sector and between private sector actors, so that the nature and scope of the threat is communicated as quickly as possible. This typically happens through ISACs—Information Sharing and Analysis Centers that bring together sector members to coordinate information and assessments. The ISACs are sector specific because threats to one sector (say, energy) look very different from those that threaten another (say, agriculture). Typical is the FS-ISAC for the financial sector which provides sector-specific alerts to its members. Today, the "Elections Sector" doesn't have a means of coordination and information sharing. Designation as CI would lead to the creation of an ES-ISAC and improved security overall.
Finally, for CI sectors, DHS works with all stakeholders (state, local, and private sector) to provide training and other tools and resources to help critical infrastructure develop plans to enhance security and resilience. Public-private partnerships, in particular, are central since almost none of the CI in America is controlled by the Federal government. As a result, the main effort by DHS is to support partners and stakeholders to help them accomplish the mission of ensuring critical infrastructure security and resilience.
There are plenty of things to critque in the CI protection effort—but most of the criticism is that it is too slow, and ineffective and doesn't work as well as it might to create greater security and resiliency. Information sharing, in particular, has been a constant source of complaint from the private sector, who want more of it, more quickly, not less. In ten years of following the area, I've never heard anyone say that it was a surreptitious effort by the Federal government to take over—until now.
The only even barely plausible argument against the designation of the electoral system is the suggestion that it would contravene the Constitutional delegation to the states of control over the "time, place and manner" of elections. While I understand the argument, it misunderstands the nature of the CI designation. That designation does not, by itself, bring with it regulatory authority over the sector designated. When, and if, Congress wants to extend regulatory authority to enhance infrastructure security it does so by seperate express legislation. The Chemical Facility Anti-Terrorism Standards (CFATS), are a case in point—Congress passed a seperate law in 2007 and DHS proceeded to define the security requirements by regulation.
Nothing like that has happened for the Electoral System. When (and if) it does, then it will be appropriate to ask whether the resulting regulations infringe upon the Constitutional delegation. I can certainly imagine many security regulations that would seem to improperly regulate the manner of elections (requiring, for example, that all states maintain paper records of ballots—a good idea, but one that seems to limit a state's Constitutuional authority), but there are many others (reporting requirements, for example) that might not. All of that, however, is immaterial—because whatever the scope of the Constitution's "time, place and manner" delegation, the designation of the electoral system as critical infrastructure imposes no obligation whatsoever in derogation of that delegation.
One final point: The way the system of designation works, none of this, NONE, will happen before the next election. Not the designation; not the formation of the ES-ISAC and not the training, assessment or review.
In short, the Obama "takeover" of the electoral system is just another bug-a-boo scare tactic unworthy of serious consideration. Worse yet, the myth's propogation is itself a further cause of eroding confidence in our electoral system. The only appropriate response is to drive a stake through its heart as quickly and thoroughly as possible—an endeaver to which I hope this blog post contributes.