With contributions from Abraham Friedman
Ed Note: This is the first of a two-part article by our Associate General Counsel and Director for International Development, Joy London, that considers a local, state-based strategy for improving the nation’s election security rather than purely a top-down federal approach.
In its Foresights 2018 Report, consulting firm Booz Allen forecast that the US or Europe might experience in 2018 “the first confirmed instance of an election being directly manipulated at the voting machine or election infrastructure levels.” As 2018 comes to an end, there are no confirmed reports of tampering in the US, with either election infrastructure or voting machines and systems.
On December 21, 2018, Dan Coats, Director of the Office of National Intelligence (“ODNI”), stated, in part:
“[A]t this time, the Intelligence Community does not have intelligence reporting that indicates any compromise of our nation’s election infrastructure that would have prevented voting, changed vote counts, or disrupted the ability to tally votes.”
“The activity we did see was consistent with what we shared in the weeks leading up to the election. Russia, and other foreign countries, including China and Iran, conducted influence activities and messaging campaigns targeted at the United States to promote their strategic interests.”
The absence of intelligence indicating vote-count tampering is very good news. However, Coats’ report should not lull us into a false sense of security. The need to protect US election systems from future interference by adversarial nation-states like Russia, China and Iran has never been greater.
J. Alex Halderman, a computer science professor and electronic voting machine security expert, said we haven’t seen the last of foreign intervenors in our democratic process. According to Halderman, election hackers are “waiting for the bigger prize in 2020 when we’re likely once again to have a close and divisive presidential contest”— a prediction the OSET Institute has also made. Yet, uncertainties persist. If indeed 2020 is to be the year that Russian agents or its proxies hack vote totals, will the intervention come under a united flag or acting in concert with a foreign adversary? Will it come as an attack on election technology infrastructure, in what we refer to as a “Type-III” subversive attack? Or less severely, as an attempt by malicious actors to manipulate voters’ behavior through disinformation campaigns — what OSET calls a “Type-I” disinformation attack? We don't have definitive answers to these questions and the answers to these questions may remain unanswered long after Election Day in 2020. However, at least one question remains at the forefront of every discussion involving a strategy for improving election security — what are the best ways to protect the critical infrastructure of our democracy. Any consensus on best practices in defense of the nation’s election infrastructure will be complicated by our competing notions of federalism.
A Question of Federalism
The Russia-attributed cyber-attacks on US election systems in 2016 revealed the security weaknesses of states’ online voter registration systems (in Illinois and Arizona, to name two impacted states). Since then, hours of heated debate have focused on which body of government—the federal government or the states’ governments (i.e., state, local, and municipal election boards) — has the responsibility and the proper authority to protect our state-administered elections for the federal offices of President and Vice President, the House of Representatives, and the Senate. The thorny national-territorial quandary over federalism will undoubtedly cost legislators, regulators, academics, and politicians many sleepless nights of formulating persuasive arguments — up to and well past the next US federal election on Tuesday, November 3, 2020.
Constitutional and partisan arguments notwithstanding, I propose that election decision-makers within the triad of federal, state and local governments continue to do what each division of government does best. That is, the US Congress should continue to appropriate general block grants to states, which state and local election administrators should, in turn, use to purchase the affordable solutions that best fortify unique election systems within the nation’s highly decentralized networks. This proposal comfortably accommodates the public policy maxim, “think globally while acting locally,” although I suggest one practical variation on the theme. “Think and act locally, for the nation’s sake.” By thinking and acting locally, election stakeholders, whether national, state, or local, may avoid accusations of “federalizing” elections. US Secretary of Homeland Security Kirstjen Nielsen, for example, referred to states’ use of “organic capability.” And what better way to launch further discussion about the importance of avoiding a federalism debate?
A Ground-up State Approach — Use “Organic Capability”
In an October, 2018, interview at the Washington Post’s Cybersecurity Summit, expressing the uniqueness of each state’s election infrastructure, Nielsen said, “You’ve seen one, you’ve seen one,” further describing how state and local election officials are “choosing to use organic capability” to meet their particular cybersecurity needs in protecting their systems. By “organic capability,” Nielsen seems to mean something akin to “homegrown ability.” Nielsen noted “[e]ach state is doing it a little bit differently.” Some states have opted to work with the US Department of Homeland Security, which offers a broad range of services — all free, voluntary and provided upon request. Other states have opted for other measures, like activating the US National Guard, conducting penetration testing, and holding training programs. In some cases, states have outsourced their cyber needs to third parties doing business both in-state and out-of-state. Or, maybe “organic capability” requires election officials embrace the expertise of a state or local Chief Information Officer and/or a Chief Information Security Officer. And maybe she meant state and local legislators should pass laws to protect their own election infrastructure. This last capability makes good policy sense because the US Congress has failed to act.
The legislators in the upper and lower chambers of Congress have made little progress to defend the country’s critical democracy infrastructure, and the organic capability of which Nielsen speaks is less reality than distant goal, and recklessly underfunded by the latest Help America Vote Act (HAVA) infusion of $380 million in block grants to states.
A Top-down Federal Legislative Approach — Appropriate More Federal Funds to States
With only days until the convocation of the 116th Congress, it’s worth a reminder that the 115th Congress fell flat on election security. Since the Office of the Director of National Intelligence concluded, in 2016, that Russian intelligence agents had interfered with state voter registration systems, more than 60 bills have been introduced having provisions related to election security. The 115th Congress failed to pass a single measure to secure the country’s voting systems. Will incoming federal lawmakers enact adequate statutory safeguards to protect the administration of federal elections? Will a new Congress appropriate more HAVA money to states?
On January 3, 2019, the 116th Congress will open with a newly elected Democratic majority in the House, led by Speaker-designate Rep. Nancy Pelosi (D-CA-12). Its first order of legislative business — House Resolution #1 (H.R.1) — is a comprehensive election reform bill, sponsored by Rep. John Sarbanes (D-MD-3), Chairman of the Democracy Reform Task Force. H.R.1 includes, among many legislative reforms, a provision seeking funding for enhanced election security, and Senate Democrats are expected to introduce a near-companion version of H.R.1. Democrats are making an early push to pass election security legislation in the next two years. Meanwhile, however, in the absence of federal legislation, state lawmakers and election administrators will have to continue to pick up the slack — which should in turn drive initiative toward legislative action and administrative solutions at the federal level.
States as “Laboratories” of Election Security
And why shouldn’t state legislatures experiment with strategies to secure elections? States have historically shifted to a 50-state strategy for impact litigation to protect the ideal of free and fair elections whenever the federal courts have not. As US Supreme Court Justice Louis D. Brandeis famously observed, in his 1932 dissenting opinion in New State Ice Co. v. Liebmann (285 U.S. 262):
“It is one of the happy incidents of the federal system that a single courageous state may if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”
I argue that a better way to advance toward an effective national framework for secure federal elections is to encourage novel, targeted experiments in enhanced infrastructure security among the states, created and tested at the level of Justice Brandeis’ “laboratories of democracy.” Many courageous state lawmakers and citizens are already taking such initiatives, and in so doing, protecting free and fair federal elections, “without risk to the rest of the country.”
My next installment will explore some of the ways that election stakeholders are thinking and acting locally for the nation’s sake.