On election security, U.S. government leaving much on the table
- By Derek B. Johnson
- Nov 20, 2019
Expert witnesses warned Congress that the U.S. government has largely failed to address known security shortfalls leading up to 2020 and future elections.
Much of the election security debate in Washington since 2016 has focused on improving baseline protections for voting machines, but witnesses at a Nov. 19 House Homeland Security Committee hearing noted that similar deficiencies also exist when it comes to protecting political campaigns from compromise by foreign intelligence services and preventing foreign and domestic disinformation.
In his opening statement, Georgetown University professor Matthew Blaze noted that the current generation of voting machines used in U.S. elections were never designed to combat attacks or threats from adversarial foreign governments with the resources to penetrate the global supply chain or obtain software source code before it's even shipped to election officials.
"The intelligence services of even small nations can marshal far greater financial, technical and operational resources than would be available to even highly sophisticated criminal conspiracies," Blaze said.
The same asymmetry also applies to political campaigns, where information security protocols are typically weak and underfunded for all but the most sophisticated and well-funded presidential campaigns. In addition to the federal government, a number of new and existing groups have stepped up over the past three years with programs in an effort to change that.
The Harvard Belfer Center teamed up with Hillary Clinton's 2016 campaign manager Robby Mook and Mitt Romney's 2012 campaign manager Matt Rhoades to develop a comprehensive playbook for protecting political campaigns from foreign intelligence operations. An offshoot organization has since been formed, Defending Digital Campaigns, that partners with IT companies to provide free or low-cost cybersecurity products to many political campaigns.
Companies like Microsoft and Google have also rolled out their out programs to assist campaigns. Ginny Badanes, director of strategic projects for the Defending Democracy Program at Microsoft, told lawmakers that her company provides custom email protection tools to campaigns for their official and personal email accounts as well as other resources. Of the more than 10,000 notifications the program has provided to customers who have been targeted or compromised since launching the service, she said the company has "uncovered attacks specifically targeting organizations that are fundamental to democracy."
One recent campaign tracked by Microsoft involved a foreign group linked to Iran that targeted 241 personal email accounts belonging to a number of U.S. government officials and other individuals.
"They were current and former government officials, members of the media and … a staffer for a presidential campaign," said Badanes.
Reuters later reported that the presidential campaign targeted in the campaign was the Trump 2020 campaign.
One witness expressed concern that local groups are increasingly mimicking Russia, Iran and other foreign countries online. Richard Stengel, a former State Department official during the Obama administration and a current fellow at the Atlantic Council's Digital Forensics Research Lab, which tracks disinformation campaigns online, noted that while foreign disinformation poses a real and unique threat to U.S. interests, it is "dwarfed" by the threat posed when the same tactics and strategies are leveraged by domestic actors.
"It's easier and more comfortable for us to see this problem as a threat from the outside, from foreign influence operations. And, indeed, they remain a grave national security threat," he wrote in his opening statement. "But the scale and range of domestic disinformation -- created and spread by Americans to other Americans -- dwarfs any foreign threat or troll factory. Our foreign adversaries seek to engage Americans and do so, but our homegrown disinformation overwhelms what our adversaries produce."
While Congress has done virtually nothing since 2016 to address or mitigate online disinformation, the hearings and legislation that have been proposed tend to focus almost exclusively on foreign-directed campaigns.
Asked by Rep. Jim Langevin (D-R.I.) to elaborate, Stengel said his lab has been tracking "a very large increase" in domestic disinformation recently, both in terms of American users who amplify content that is traced to foreign campaigns and from fringe groups on the right and left that are increasingly running their own operations.
Despite that, Stengel said the U.S. government was "not the answer" to the problem and in fact could be counterproductive by creating an air of censorship that might only further fuel online conspiracy theories, a sentiment shared by a number of government officials who work on disinformation. Instead, he put the onus on social media platforms and their algorithms to do a better job designing their products to prevent manipulation and fund media literacy and awareness campaigns among the general population.
"While you can harden election voting systems, it's very hard to harden anything to prevent disinformation in part because people welcome it, it's part of confirmation bias," Stengel said.
Despite the increased public attention, Congress has done very little on election security beyond holding hearings. Members of Congress from both parties have proposed legislation or funding increases, but Majority Leader Mitch McConnell (R-Ky.) has thus far refused to consider them in the Senate. While he did change course earlier this year to advocate sending additional federal funding to states, the Senate proposal for $250 million is less than half of what the House is asking for and contains virtually no limits on how the money can be spent.
At one point, Subcommittee chair Cedric Richmond (D-La.) asked if everyone on the panel agreed "that the federal government has not put the resources to … protect our very democracy that depends on fair and free elections where every vote matters?"
Every witness agreed.
"More could certainly be done," said Badanes.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.