The federal-state disconnect in securing the 2016 election and how not to repeat it

The U.S. federal government is not the leading actor in the administration of elections—the Constitution gives that role to the states. But the federal government is the leading actor in protecting the country from foreign attack. Thus when America’s election infrastructure is attacked by a foreign entity, responsibility for election cybersecurity falls to (or in between) both. In the federal government the two biggest players are the Department of Defense (DOD) and the Department of Homeland Security (DHS), and within them the U.S. Cybercommand (created in 2010) and the Cybersecurity and Infrastructure Security Agency (CSIA), respectively. But there are other actors as well. The intelligence services, especially the ODNI (Office of the Director of National Intelligence) NSA (National Security Agency) and, of course, the CIA (Central Intelligence Agency) have a large role to play in identifying threats abroad. (The detailed indictments of Russian individuals involved in hacking operations in the 2016 elections would not have been possible without a certain amount of old-fashioned spying.) The FBI also has a role to play in tracking down those who commit crimes here. And NIST (the National Institute of Standards and Technology) has a role in cybersecurity through its mission of promoting U.S. competitiveness and innovation.

The disconnect

As we discovered post 9/11, the federal government has huge capabilities which are spread over many different parts of the government. In the aftermath of the 9/11 attacks, high-level commissions were formed and studies were conducted to figure out what went wrong. It became clear that one of the biggest problems with these huge capabilities was the inability of people in different agencies to share information in a timely and effective fashion. Pieces of information that, had they been put together, may have prevented 9/11 were spread over a wide variety of agencies who didn’t talk to each other. Thus “connecting the dots” became the catchphrase of the post-9/11 efforts at reform as the federal government’s domestic and international capabilities were encouraged to share information to better cooperate in the war on terror.

An analogous problem occurred in 2016. This time the federal government, especially DHS and FBI, had to interact with state governments in order to advise them that their election systems were under attack. According to the Report of the Select Committee on Intelligence, the communication and cooperation went badly. The interface between the federal government and the state governments was not seamless; confronted with a new and poorly understood threat, there were missed signals on all sides. To begin with, CSIA was founded to provide cyber protection to all forms of infrastructure, from power plants to elections. But, as one state official told the Senate Committee “DHS didn’t recognize that securing an election process is not the same as securing a power grid.”

That gap led to a variety of problems with federal government attempts to help the states. For instance, the federal government alerted the states to attempted intrusions in the summer of 2016 but failed to tell them that the intrusions were attempts by a hostile foreign power. Since election infrastructure, like the infrastructure in other sectors, is under constant attack, many of the officials alerted didn’t regard the notice as particularly important and in some instances state IT directors failed to alert elections officials about anything unusual. Both sides had problems understanding each other. Since responsibility for elections is dispersed among and within states, federal officials often spoke to the wrong people. And on the other side, since very few election officials had security clearances, federal officials didn’t feel they could “read in” officials to the true nature and thus severity of the attempts on the state election’s infrastructure. The Senate Intelligence Committee concluded:

“The disconnect between DHS and state election officials became clear during Committee interactions with the states throughout 2017. In many cases, DHS had notified state officials responsible for network security, but not election officials, of the threat. Further, the IT professionals contacted did not have the context to know that this threat was different than any other scanning or hacking attempt, and they had not thought it necessary to elevate the warning to election officials.”

The clearance problem

Much of the disconnect that occurred in 2016 was the inevitable consequence of the unprecedented attack by Russia on America’s elections. In the intervening years, all the players, from the federal level to the local level have gotten more sophisticated and more attuned to the new threat. Just as 9/11 opened America’s eyes to the threat of terrorists using airplanes as bombs, 2016 opened America’s eyes to the threat aimed at the very heart of our democracy. Three years later all the agencies with a piece of cyber security were alerted to the threat; training, war gaming and the use of “red teaming” were all part of the federal government’s operations.[1]

But one essential element to getting the federal government’s vast resources to the states was the issue of security clearances. In order for state election officials to hear and understand the full potential impact of the threats they are under, they need to have security clearances. According to the Senate Intelligence committee “… the story of Russian attempts to hack state infrastructure was one of confusion and a lack of information. …At no time did MS-ISAC or DHS identify the IP addresses as associated with a nation-state actor.” The lack of information flow in 2016 is largely due to the fact that at that time almost no state election officials had security clearances and were thus not privy to understanding the full extent of the threat posed by the Russians.

The timely issuance of security clearances is a long-standing and thorny problem for the federal government. It has gotten so bad that in January 2018, the Government Accounting Office (GAO) placed the National Background Investigations Bureau on its infamous “High Risk List,” meaning that the agency was not doing its job well. “The backlog of people awaiting clearances ballooned from 190,700 in August 2014, to 581,200 in April 2017 and more than 700,000 in September that year. The Office of Personnel Management’s goal for a stable backlog is 180,000 cases.”

Without a rapid increase in the issuance of clearances, the missed signals and incomplete information that characterized the federal-state relationship in 2016 is apt to happen again. Important, malicious intrusions are likely to be missed, while intrusions from a 14-year-old with a laptop are likely to be paid inordinate attention.

The old saying goes “Fool me once, shame on you; fool me twice, shame on me.” The 2020 federal government is likely to be better prepared and more sophisticated than they were in 2016. But they will still need the ability to communicate threats in a comprehensive manner and getting state and local officials the proper clearances is central to that task.

[1] According to an NPR analysis, the DefCon conference, which started August 8, was once focused on hacker culture but is now filled with officials eager to work with the hacking community. This is the first year that DefCon has volunteers specifically to help politicians integrate with hackers and learn about issues in cybersecurity. At DefCon 2017, hackers found many vulnerabilities in current voting machines.