That foreign actors seek to undermine our elections is an indisputable fact. U.S. Director of National Intelligence Dan Coats said in February, "Persistent and disruptive cyber operations will continue against the United States and our European allies using elections as opportunities to undermine democracy." Be it by compromising voter databases, waging information warfare campaigns, or breaching campaign communications systems, the potential power of digital subversion of our elections integrity is only beginning to be understood.
In March, former Secretary of Homeland Security Jeh Johnson said, "There is a lot of work to do, and the 2018 midterm election season is now." Campaigns and election officials, under-resourced and out-gunned, cannot combat sophisticated attacks without help. By joining together, we can harness collective resources to shift the balance of power in favor of defending modern democracy. Federal agencies, state governments, and the domestic security industry must accept joint responsibility to collaborate on developing new communications paths and defenses to aid local campaigns and public officials.
To start, the U.S. government needs to enhance its threat sharing capabilities to more quickly push vital information into the public domain. While the Federal focus of election security tends to fall on the Department of Homeland Security (DHS), cyber-intelligence functions within the National Security Agency (NSA), the Department of Justice (FBI), the Department of Defense (US Cyber Command) are critical to defending election integrity. Each has sophisticated capabilities to detect foreign threats but are stymied by "default-to-withhold" cultures that prevent the timely sharing of critical information with non-Federal entities. Michael Sulmeyer, the Cyber Security Project Director at Harvard's Belfre Center, recently said of the broader intelligence community, "if they don't share relevant information with DHS or are slow to do so, there's little DHS or the states can do."
This systemic weakness stems from the need for threat receivers to have Federal security clearances to access the shared information, dependent on an approval process Senate Intelligence Committee member Mark Warner recently described as "broken." Even with the proper credentials, cleared responders cannot share what they know with local officials and campaigns due to the legal constraints over the distribution of classified information. Short of reforming the security clearance system, the U.S. government should, either through legislative action or executive order, establish a new "default-to-share" mandate to empower the rapid declassification and sharing of election integrity threats to recognized state and local officials. The Secure Elections Act attempts to address some of the concerns, but its focus on election systems disregards the fact that election day only represents the endpoint of a lengthy process. The result is irrelevant if the process leading up to it has been subverted.
Next, states must build capacity to distribute and respond to election threat intelligence. Quickly gearing up a robust information sharing system to alert officials and decrease response time would help protect our election processes. While information sharing organizations such as Multi-State Information Sharing and Analysis Center (MS-ISAC) exist, we conduct elections locally, where they are run by officials least prepared to defend against sophisticated foreign actors. States need to include election integrity threats in the same emergency response plans that account for more conventional threats. Rather than force individual municipalities to recruit and retain cybersecurity specialists, states should create or leverage existing local threat sharing communications channels and form security first-responder teams to quickly support local officials responding to the threats. Deploying inclusive communications capabilities also establishes a pathway for building and maintaining cross-municipality trust, improves the timeliness of threat response, and lays the foundation for a stronger election integrity community within the states.
Finally, the security industry must make building effective defenses easier for less sophisticated users. Election and campaign officials do not have the experiences nor the resources to filter through cyber defense options themselves. The Defending Digital Democracy Project at Harvard's Belfer Center recently published playbooks for campaigns and local election officials, key starting resources for building secure election capabilities. By working with public officials, the industry can help support the building of "minimum viable security" models that states can negotiate as bundled offerings for municipal benefit.
Social and traditional media organizations also should make resources available for officials to quickly report unattributable and abusive information attacks. Leading companies could jointly establish and fund an independent research and investigation center charged with evaluating media threats and timely reporting to all associated media organizations. The information sharing and analysis organization (ISAO) model established by executive order provides a suitable initial baseline for building such public/private security collaboration communities.
While there is a lot for us to learn, we will achieve much greater success by working together than we could ever accomplish by continuing to work in isolation. The time is now to begin building new resources, communications paths, and information sharing protoccols that will enable us to correct past mistakes before it's too late and prepare us to overcome new digital threats to our democracy as they arise.
Michael Figueroa is executive director of the Advanced Cyber Security Center, a regional collaborative building a stronger community defense to solve common cyber security problems across Massachusetts and New England.
If you're near the Boston area, we invite you to join our Campaign Cyber Defense Workshop, on June 4th at the Federal Reserve Bank of Boston.