DHS move on election security unlikely to survive transition
The controversial decision by the Department of Homeland Security to designate the nation’s election system as “critical infrastructure” has touched off a firestorm of opposition, and the incoming Trump administration has all but promised to overturn it.
The designation adds the physical and digital property of countless countless state and county government offices to a special list of 16 categories of vital national industry — ranging from banking and telephones to water and sewage systems.
Defenders of the decision say it doesn’t give federal authorities any power over elections, and will put vital election machinery under the protective umbrella of the international norms the U.S. is promoting for cyberspace — which prohibit cyberattacks on critical infrastructure in peacetime. Critics — numbering many of the state officials, including Democrats, who organize elections — say they were already getting assistance from DHS and question why so many offline elements of election infrastructure were included in the designation.
The row highlights the difficulties inherent in mobilizing the U.S. government to defend cyber-infrastructure, when almost all of it is in private-sector or other non-federal hands, and when trust in government is at historic lows.
“What it does not do is put the federal government in any way shape or form in any oversight or directional capacity with regard to election systems,” said White House homeland security advisor Lisa Monaco of the designation.
She said it didn’t give the department authority over the conduct of elections “any more than the designation of the electrical grid as critical infrastructure puts DHS in charge of managing the nation’s power supply.”
But, she told the Aspen Institute last week, it will allow federal authorities to “prioritize the sharing of certain critical … intelligence” from federal agencies with election officials.
“It also puts election infrastructure in that [critical infrastructure] category we talk about in the international cyber norms,” one of which is a prohibition on peacetime cyberattacks against another nation’s critical infrastructure.
“We want to be clear that our electoral systems are part of that” critical infrastructure, she said.
But in fact, legal experts say, there is no need for the designation — attempts to influence the outcome of an election would be illegal under international law anyway.
Does information equal coercion?
The conduct of elections is a “classic example of the domaine réservée” — an area where a state can legitimately expect other states to respect its sovereignty — said Michael Schmitt, a law professor and the lead author of the Tallinn Manual, widely regarded as the most authoritative practitioner’s guide to the application of international law in cyber conflict.
Therefore, he explained at the recent Suits & Spooks event in northern Virginia, the legal status of the recent actions of Russian hackers depends, not on the way the U.S. government defines its election system, but rather on whether those actions count as coercion.
“Clearly if, in the DNC hack, the Russians had manipulated election returns, if they had made the [voting] machines work like they weren’t supposed to work, clearly that would have been an internationally wrongful act, a violation of international law,” a coercive intervention into the U.S. domaine réservée.
But “whether the activity of releasing information that was in fact truthful [like the Podesta emails, for instance] was a violation … the lawyers are violently divided, even in my office, split down the middle,” he said.
There’s no such division among opponents of the designation, which was announced on a recent Friday afternoon as D.C. was roiled by the declassified U.S. intelligence report that charged Russian President Vladimir Putin with personally ordering information and cyber operations aimed at the U.S. elections.
Technically, the designation made election systems — including “storage facilities, polling places, and centralized vote-tabulation locations used to support the election process; and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments” — a subsector of the existing government facilities critical infrastructure sector, alongside the two current subsectors: National monuments and icons and education facilities.
“In addition to the international norms,” a DHS official told CyberScoop on background via email. “The designation formalizes or institutionalizes the availability of services and assistance DHS offers to states, including cyber hygiene scans, risk and vulnerability scans, and onsite assistance in remedying an incident. These services remain voluntary.”
Despite these reassurances, state election officials greeted the news with a range of reactions from anger to bewilderment.
“The election machinery is not connected to the internet … Much of it is paper-based and it … can’t be hacked,” Connecticut Secretary of State Denise Merrill told CyberScoop, questioning the need for the designation. And, she added, it worked well on polling day. “The process of the election actually went smoothly,” she said, and the election system is secure. Even the associated infrastructure, like voter registration databases was only penetrated in one state.
That being so, she added, “We are wondering why this [designation] was necessary and what it entails,” especially in regards to the offline infrastructure, like polling places, voting machines and storage facilities. “What do they have in mind?” she asked.
No guarantees after Jan. 20
A DHS official, speaking on background, told CyberScoop that Homeland Security Secretary Jeh Johnson held a 45-minute call with secretaries of state the day prior to the announcement, “to discuss the implications such a designation would have and to answer their questions.”
“Prior to reaching this determination, my staff and I consulted many state and local election officials,” Johnson himself explained in a statement, “I am aware that many of them are opposed to this designation.”
“There is virtually no support from any quarter,” David Dove, chief of staff to Georgia Secretary of State Brian Kemp, told CyberScoop.
“We will seek repeal of it from the incoming Trump administration,” he added.
They will find a receptive audience, said Republican former senior DHS official James Norton.
“The outgoing administration [made the designation and then] dropped the mic,” Norton told CyberScoop. “It’s yet another unclear, unfunded mandate from DHS that state and local governments have to figure out how to deal with.”
In prepared answers to a pre-hearing confirmation questionnaire earlier this month, the man tapped by President-elect Donald Trump to head DHS, retired Marine Gen. John Kelly, made clear his unease about the decision.
“The notion that DHS can or should exercise some degree of influence over state voting systems is highly controversial and appears to be a political question beyond the scope of DHS’ current legislative cyber mandates,” Kelly wrote.
“The voting infrastructure of the U.S. is owned and operated by individual states. The number of independent and disparate systems along with local, distributed control makes it much more difficult for systemic cyberattacks during national, state, or local elections. DHS can assist state entities by providing technical assistance and risk management advice, and it is my understanding that the Department recently offered such support during the last election cycle.”
The Trump transition team did not respond to requests for comment on this issue and Kelly was not asked about the designation at his confirmation hearing last week.