Senator presses White House to improve election cyber protections

On the day that a special election in Alabama captured national attention, Sen. Ron Wyden (D-Ore.) sent a letter urging National Security Advisor H.R. McMaster to take additional steps to secure the nation’s election infrastructure and provide support to state and local governments ahead of next year's mid-term elections.

Specifically, Wyden asked McMaster to designate a senior White House election security czar to brief Congress of executive branch election security efforts, direct the National Institute for Standards and Technology and the Department of Homeland Security to grade states on their election infrastructure and designate political campaigns as critical infrastructure. Wyden, who has been one of Congress' most vocal advocates of increased election security, also is asking that the U.S. Secret Service expand its presidential candidate security detail to include cybersecurity.

In the Dec. 12 letter, Wyden noted that 14 states still use direct-recording electronic, or DRE, voting machines that don’t allow for paper-based election audits and rely on outdated operating systems with known vulnerabilities.

“While some states have taken the threats seriously, others are seriously lagging behind and remain woefully vulnerable to foreign government cyberattacks,” Wyden wrote. “As such, the federal government must take action: leaving federal election cybersecurity to the states is irresponsible and a total abdication of the federal government’s primary role in matters of national security.”

Legislators have been pushing for the executive branch to take a more proactive role in securing the nation’s election systems and infrastructure. In October 2017, Attorney General Jeff Sessions told the Senate Judiciary Committee that the Justice Department had not taken any formal steps to adequately prevent foreign meddling in elections. He echoed those comments in November 2017, telling the House Judiciary Committee, “we are not anywhere near where I would like us to be” in updating laws to protect election security, but he later acknowledged he had yet to look into the matter to “see where we are on that.”

Such answers concern Wyden.

“Attorney General Sessions’ testimony suggests that the Administration is not taking this issue seriously or dedicating sufficient resources to fixing it,” Wyden wrote. “That must change. ”

During Dec. 13 testimony on Capitol Hill, Deputy Attorney General Rod Rosenstein did not directly answer whether the DOJ had ordered any review of election security laws. Instead, Rosenstein said the department “has a lot of ongoing work related to protection of elections,” and cited meetings with FBI Director Christopher Wray and staff to discuss the issue.

As the topic of election security has gained prominence over the past year, an underlying debate has cropped up around whether cybersecurity of election infrastructure and cybersecurity efforts should be led by the federal government or states and localities. Section four of the U.S. Constitution gives somewhat contradictory guidance, explicitly vesting states with authority over “the times, places and manner of holding elections” but also specifying that “Congress may at any time make or alter such regulations.”

In practice, the federal government historically has left states and localities to run their own elections, with limited exceptions related to equal protection under the 14^th Amendment. Powerful members of Congress have telegraphed little desire to alter that balance of power, and states have reacted harshly to federal overreach on their turf in the past. There also are questions about the federal government’s ability to effectively manage an election system that is fragmented and spread across more than 8,000 different jurisdictions.

However, others have argued that state and local governments lack the funding, resources, threat intelligence and qualified personnel to adequately defend their infrastructure against sophisticated cyber attacks carried out by nation-states hacking groups. Joe Kiniry, CEO of the election systems and services company Free and Fair, said he believes the federal government has ultimate authority to stipulate how elections are run.

“Imagine if we had this same conversation about federal cybersecurity standards for national security, ” Kiniry said.  “Do we really think that New Hampshire can certify equipment for national security for systems that run in that state?”