So, here’s an interesting potential development.
By way of background, on January 3, 2019, the first day of the 116th session of Congress, Rep. John Sarbanes (D-MD-3), the Chair of the Democracy Reform Task Force, introduced the much-publicized House Resolution #1 (H.R.1), a 571-page election reform bill. H.R.1 contemplates a far less publicized matter — protecting critical democracy infrastructure as a matter of national security. Sec. 3201(b)(1) of H.R.1. reads:
The national strategy required under subsection (a) shall include consideration of the following: (1) The threat of a foreign state actor, foreign terrorist organization (as designated pursuant to section 219 of the Immigration and Nationality Act 10 (8 U.S.C. 1189), or a domestic actor carrying out a cyber-attack, influence operation, disinformation campaign, or other activity aimed at undermining the security and integrity of United States democratic institutions. (Sec. 3201(b)(1) of H.R.1).
Pay attention to (1) in that excerpt. Here what’s interesting. On the same day H.R.1 was introduced by Sarbanes, Rep. Sheila Jackson Lee (D-TX-18) introduced H.R.52 – SAFETI Act - the Security for the Administration of Federal Election from Terrorists Intervention Act of 2019. Unlike H.R.1, H.R.52 is short — just two pages. Section 2 of H.R.52 reads:
Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Comptroller General of the United States and Congress a report on actions taken by the Department of Homeland Security relating to terrorist threats to the integrity of elections for Federal office held in 2016.
Wait; what? Is Rep. Jackson Lee’s intent to elevate “terrorist threats” to something akin to kinetic attacks or cyber-attacks on election systems by Al-Qaeda, ISIS or other groups known for their terrorist attacks worldwide? How should we think about a cyberterrorist attack on our election infrastructure?
Cyber-terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyber-terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber-terrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.
According to Denning’s definition of cyber-terrorism, would a cyber-attack on our election systems anywhere — now designated “critical infrastructure” — be considered an act of cyber-terrorism? Are election (and voting) systems “nonessential services?” The OSET Institute has made arguments since its beginning, that an election system, when at least in operation (perhaps versus in a “stored” or “dormant” state), is clearly an “essential service” to sustaining the operational continuity of our democracy in furtherance of the American sovereign act of free and fair elections. Moreover, if we consider the objective of attacks on our election infrastructure—generally to sow distrust in, or call into question an election and its outcome, then given the constitutional constraints placed on federal elections, it can be argued that attempts to derail a national election (let alone successfully doing so) could sow seeds of terror.
its worth noting the Merriam-Webster definition of “terror” is “a state of intense fear; a frightening aspect; a cause of anxiety; worry” and so on. The “frightening aspect” or cause of anxiety in this case would be the potential civil unrest over the uncertainty of the outcome of a Presidential election, especially when that election must be certified and power must be orderly transferred by a date certain (and there are essentially no do-overs; no “mulligans.”)
To put a fine point on it, the U.S. Code of Federal Regulations defines terrorism as
the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives (28 C.F.R. Section 0.85 (l))
Thus, a decent argument can be made that cyber-terrorism is a threat to elections and perhaps a better way to describe election cyber-attacks. Yet, we acknowledge, of course, these questions and positions are nevertheless debatable.
In a recent brief published by the Ukrainian Election Task Force, a body established by the Atlantic Council, the Victor Pinchuk Foundation, and the Transatlantic Commission on Election Integrity, the task force predicts:
Moscow is expected to use kinetic means to influence Ukraine’s March 2019 election by . . . continuing and increasing acts of sabotage and terrorism, such as . . . attacks on . . . and interference against critical civilian infrastructure . . .
Meanwhile, in April 2018, Ted Piccone, a senior fellow at Brookings stated:
Non-state actors from the radical right and the left, and those engaged in terrorism, are also exploiting the open nature of the Internet for multiple purposes, including influencing public opinion before and during elections.
To be careful here, the OSET Institute does not believe the Internet is a component of election systems for purposes of critical infrastructure definition, although the Internet (like electricity) certainly can play a role in the availability of election administration services (just not, in our opinion, actual voting). So, as to exploitation of the open public Internet on the aspect of campaigns and electioneering, to the extent such acts amount to “terrorism,” such is covered by the definitions above. However, merely attempting a propaganda or influence operation is one thing (what we refer to as Type-I attacks in our CDI Briefing), whereas efforts amounting to disrupting or compromising the process of voting (Type-II or Type-III attacks) is quite another matter. The interesting membrane of these two classes of attacks is where a Type-I (disinformation or defamation attack) is focused not on an issue or candidate, but on the election process or related equipment itself. We see this in the weaponized words of “hacked,” “rigged,” and “tampered.” But, I digress.
Notwithstanding the discussion above, thus far, policy considerations have focused on ways to deter cyber-terrorist attacks on other specific sectors of US critical infrastructure (e.g., dams, energy, nuclear reactors, water, etc.), but little, if any, attention has been paid to “terrorist threats” against election systems.
Does H.R.52 leave open the possibility that the Department of Homeland Security has information about terrorist threats to the integrity of elections for Federal office held in 2016? As it turns out, in my conversation with Lillie Coney, Policy Director for Rep. Sheila Jackson Lee, it should not. H.R.52 is actually an effort to address prospective cyber-terrorist attacks on voting systems in federal elections in 2020 and beyond.
Yet, given the Congresswoman’s important roles on Judiciary and Homeland Security committees — the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies and the Subcommittee on Counterterrorism and Intelligence, one cannot help but wonder what she may know and/or what she may be anticipating. Regardless, while we’re all in a holding pattern with individual federal workers’ lives and livelihoods held hostage by a government shutdown (on-going at this writing), one message remains clear: Congress has a lot of work to do, beyond H.R.1 and H.R. 52 to protect our elections and election infrastructure in time for 2020.
There are 660 days left until November 3rd, 2020.