The Senate Select Committee on Intelligence (SSCI) offered up its first set of draft recommendations today (Tuesday) from its ongoing investigation of foreign intervention in American sovereignty, specifically our election processes, including both campaigns and electioneering, and the actual process of election administration. Those draft SSCI recommendations, provided to the Institute early this morning contemporaneously with the public announcement and press conference, are as follows. Specifically, the Committee recommends the following steps to better defend against a hostile nation-state that may seek to undermine our democracy:

1. Reinforce States’ Primacy in Running Elections

  • States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

2. Build a Stronger Defense, Part I: Create Effective Deterrence

  • The U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.
  • The Federal government, in particular, the State Department and Defense Department, should engage allies and partners to establish new international cyber norms.

3. Build a Stronger Defense, Part II: Improve Information Sharing on Threats

  • The Intelligence Community should put a high priority on attributing cyber attacks both quickly and accurately. Similarly, policymakers should make plans to operate prior to attribution.
  • DHS must create clear channels of communication between the Federal government and appropriate officials at the state and local levels. We recommend that state and local governments reciprocate that communication.
  • Election experts, security officials, cyber security experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.
  • DHS should expedite security clearances for appropriate state and local officials.
  • The Intelligence Community should work to declassify information quickly, whenever possible, to provide warning to appropriate state and local officials.

4. Build a Stronger Defense, Part III: Secure Election-Related Systems

  • Cyber security should be a high priority for those managing election-related systems. Basic but crucial security steps like two-factor authentication for those logging into voter databases can improve the overall election security posture. States and localities should also take advantage of DHS offerings, to include DHS’s network monitoring capabilities.
  • The Committee recommends DHS take the following steps:

      1. Working closely with election experts, develop a risk management framework that can be used in engagements with state and local election infrastructure owners to document and mitigate risks to all components of the electoral process.

      2. Create voluntary guidelines on cyber security best practices and a public awareness campaign to promote election security awareness, working through the U.S. Election Assistance Commission (EAC), the National Association of Secretaries of State (NASS), and the National Association of State Election Directors (NASED).

      3. Expand capacity to reduce wait times for DHS cyber security services.

      4. Work with GSA to establish a list of credible private sector vendors who can provide services similar to those provided by DHS.

5. Build a Stronger Defense, Part IV: Take Steps to Secure the Vote Itself

  • States should rapidly replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability. If use of paper ballots becomes more widespread, election officials should re-examine current practices for securing the chain of custody of all paper ballots and verify no opportunities exist for the introduction of fraudulent votes.
  • States should consider implementing more widespread, statistically sound audits of election results.
  • DHS should work with vendors to educate them about the vulnerabilities of both the machines and the supply chains.

6. Assistance for the States

  • The Committee recommends Congress urgently pass legislation increasing assistance and establishing a voluntary grant program for the states.

      1. States should use grant funds to improve cyber-security by hiring additional Information Technology staff, updating software, and contracting vendors to provide cyber-security services, among other steps.

      2. Funds should also be available to defray the costs of instituting audits.

In addition, to effect most of the recommendations, the SSCI noted Congress must "urgently pass legislation" to get grant money for States. This requires pushing, as many of us have, for such a bill, which now appears to have the endorsement, at least tacitly, of Senate Intelligence Chairman Richard Burr (R-N.C.). During the press conference, Burr noted: "We need to be more effective at deterring our adversaries; the federal government should partner with the States to truly secure their systems."

The timing of this release is critical, as the committee recognizes that the 2018 primary season is already underway and the November midterm is now 231 days away. Mark Warner (D-VA), the ranking member of SSCI, observed, "There's still much more to do to secure America's elections."

Many of the ideas expressed in their list align with what the Institute and other cyber security experts have long been calling for States to adopt, but it’s helpful to have senior Congressional leadership now calling for the same things.  “To be sure, some of these items, while obvious, do not garner the attention and credibility coming just from us, as they do coming from more authoritative voices such as the SSCI,” said Gregory Miller, co-founder of the OSET Institute.

John Sebes, OSET Institute CTO, added, “The thing is now, while States are likely to agree with these recommendations given their guarded attitude toward any federal proclamations let alone involvement, I think the real action item here is funding to pay for implementing these recommendations. I more or less ranted about this recently. Congress needs to do more than recommend; they need to put money where their proclamations are.”

OSET Institute’s senior election technology policy analyst and associate general counsel, Joy London, noted, “The SSCI’s main advice was improving information sharing with States’ officials. That’s great, and they’re already doing that as we noted yesterday in social media. And calling for paper ballots of record or paper backup is a well-settled requirement, but we understand and appreciate that having the voice of authority in Congress may give it the necessary gravitas.”

On the other hand, noted Sebes, “SSCI made a strong statement about rapidly replacing outdated and vulnerable voting systems, which is fine except it raises my main gripe: this implies throwing more money at the same bad solution. The problem is replacing outdated and vulnerable machinery — except for the mandatory retirement of paperless DREs — amounts to updating the same vulnerability; it’s the lipstick-on-the-pig problem.” John continued, “Until government realizes the vital importance of instituting a substantial research and development effort to bring about an entirely new innovative, higher integrity, lower cost, and easier to use architecture—in other words totally rethink election technology infrastructure, we’re going to just be patching things rather than performing security-centric re-engineering.”

Indeed, the machinery of elections is now the machinery of critical infrastructure and national security assets.

And consistent with what the Institute has been encouraging Congressional members to do for some time, the SSCI wants Congress to pass legislation establishing a voluntary grant program for the states to hire cyber security staffers, update software, bring in outside digital security firms, and implement new election auditing procedures. As a 2018 mitigation effort, this is spot-on and cannot happen quickly enough. Actually, it's frustrating to see how long it has taken to move forward this much.

That observed, we also laud the DHS for their efforts to provide assistance to willing States and for the efforts of several States to take action on their own wherever possible.  The largely hands-off tone of these recommendations likely reflects the majority’s concerns about the federal government wading into a province of States’ rights. We respect their concerns and strongly support the clear constitutionally delineated separation of powers regarding election administration.  And that’s reflected early on in SSCI recommendations.  At the same time, we hope the States and the Federal government can quickly determine how to collaborate for the common interest of securing our sovereign right to free and fair elections, unfettered by foreign interests.

We look forward to tomorrow’s full SSCI hearing to discuss these recommendations. That hearing could help a stalled bipartisan election security bill that already has the backing of several of the SSCI members, including Susan Collins (R-ME), Lindsey Graham (S.C.), Kamala Harris (D-CA), Martin Heinrich (D-N.M.), and James Lankford (R-Okla.).

This is all good news, and points to the necessary scramble to prepare for the midterms in 230 days. What remains, however, are the larger, more systemic architectural issues of election technology infrastructure over the longer term, and certainly in light of the 2020 national election. That remains the primary focus of our tax-exempt nonprofit work here at the Institute, and we deeply appreciate the public’s ongoing support, which allows us to continue.