Revelations regarding top-level inquiries into a cyberattack launched by Russian military intelligence agents on an American voting-systems manufacturer, and of an apparently related attempt to hack the e-mail accounts of local election officials around the United States shortly before the 2016 presidential election, should turn the attention of Congress toward the need to secure this country’s extraordinarily vulnerable electoral processes.
According to a highly classified intelligence report obtained by The Intercept, the National Security Agency has been examining “a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.”
Despite denials by Russian President Vladimir Putin of any formal Russian efforts to interfere with foreign elections, The Intercept says the report reveals that “Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document.” A quote pulled from the report described how “Russian General Staff Main Intelligence Directorate actors…executed cyber espionage operations against a named US company in August 2016, evidently to obtain information on elections-related software and hardware solutions.… The actors likely used data obtained from that operation to…launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.”
A US intelligence officer cautioned The Intercept reporters—and the rest of us—against what the website described as “drawing too big a conclusion from the document because a single analysis is not necessarily definitive.” That’s wise counsel. There will be more inquiries, and potentially more revelations, regarding Russian interference.
But regardless of what anyone thinks about what may or may not have happened in 2016, the intensifying discussion about last year’s election reminds Americans of the extent to which officials have failed to assure that elections in the United States are conducted openly, honestly, and without interference by domestic or foreign partisans. There is an urgent need to protect voting and elections and democracy itself—officially and permanently.
To that end, Congressmen Mark Pocan of Wisconsin, Keith Ellison of Minnesota, and Hank Johnson of Georgia have introduced groundbreaking legislation—the Securing America’s Future Elections (SAFE) Act—that proposes to safeguard US elections from cyber threats and interference by permanently classifying the integrity and security of elections as a component of the country’s critical infrastructure.
Arguing that that the United States needs “a comprehensive approach to secure our election process from start to finish,” Congressman Pocan, the co-chair of the Congressional Progressive Caucus, says that “By making our elections a top national security priority, we can ensure cybersecurity standards for voting systems are upgraded and require paper ballots with all electronic voting machines. One thing Democrats and Republicans should agree on is that we should be doing everything in our power to guarantee the sovereignty of our county and the integrity of our elections. This bill will do just that.”
The changes that Pocan and his fellow House members propose would place elections systems in the same category as other critical infrastructure such as the power grid, the banking system, and essential utilities. At the same time, the SAFE Act protects against cyber threats by requiring the use of better voting machines that provide paper ballots. And it requires random audits of ballots to thwart wrongdoing and to assure against malfunctions.
This is not the final answer to concerns about election integrity and the many challenges facing American democracy. But it is a practical and consequential beginning. The SAFE Act legislation was introduced in March as a response to reports that circulated prior to The Intercept revelation regarding Russia’s aggressive cyber tactics during the 2016 election—one of many concerns related to the ongoing FBI investigation into whether members of President Trump’s campaign colluded with Russians to influence that election. But this legislation is about more than that. It is, as well, a response to a wrongheaded vote by the Republicans on the House Administration Committee voted to shut down the Election Administration Committee (EAC), a federal agency created to help states update election systems and security. The SAFE Act reauthorizes the EAC for a period of 10 years and requires a random audit of precincts/wards in each state to ensure there are no discrepancies between paper ballots and electronic ballots.
“Few things are as critical as the integrity of our elections, which is why we must protect one of our most sacred institutions from foreign powers and domestic hackers who seek to undermine and influence our democratic process,” says Congressman Ellison. “The SAFE Act makes our elections a top national security priority, creates cybersecurity standards to protect our voting systems, and ensures accountability to voters. The American people must have full confidence that their votes are protected and counted.”
To create that confidence the SAFE Act would:
1. Permanently classify the security and integrity of our elections as essential to the United States’s national security interests and allow the Department of Homeland Security (DHS) to designate election infrastructure as critical infrastructure. This includes storage facilities, polling places, vote tabulation locations, voter databases, voting machines, and other systems that manage the election process. This important classification would place elections systems in the same category as other critical infrastructure including the power grid, the banking system, and other utilities.
2. Authorize the necessary funding for upgrading cybersecurity standards of voting systems, including the software used to operate such systems, and to ensure the security of the manufacturing processes for such components through collaboration with the National Institute for Standards in Technology (NIST) and the Department of Homeland Security. The bill will also ensure cybersecurity for all voter registration databases.
3. Require NIST and DHS to create basic cybersecurity standards for private companies contracted to work on elections systems in the US.
4. Require all electronic voting machines to have a corresponding paper ballot. The EAC would be required to randomly audit 5 percent of wards/precincts in each state to ensure that there are no discrepancies between paper ballots and electronic ballots.
5. Reauthorize the EAC (Election Assistance Commission) for a period of 10 years. The EAC is the most well-equipped agency to deal with election technology issues, such as software patches, for voting machines from private vendors. Eliminating this crucial agency would create an easily exploitable opportunity to hackers.
6. Require the DHS to conduct a review of elections systems yearly beginning in 2018.
“As a fundamental tenet of our democracy, our voting systems are a matter of national security and we must make sure they are not compromised or disrupted by outside parties,” says Congressman Johnson, who noted recent reports of an alleged data breach at Georgia’s Center For Elections Systems—involving as many as 7.5 million voter records. “Expressing Congress’ support to designate our voting systems as critical infrastructure will encourage the Department of Homeland Security and the states to better coordinate, engage, and share resources that will improve the security of our electoral process. The SAFE Act will help ensure the security of our voting systems and preserve public faith in the integrity of our electoral process.”