Introduction: With election season upon us, election security is a topic of much debate and utmost importance. I recently had the opportunity to sit down with Drew Bagley and Robert Sheldon, two thought leaders at the leading cybersecurity firm CrowdStrike to discuss some of the issues facing cybersecurity in U.S. elections, and the challenges involved with correcting these problems.
GLTR: Thank you both for meeting with me today. Can you provide a little bit of background about what each of you do at CrowdStrike?
Drew: My name is Drew Bagley and I am Vice President and Counsel for Privacy and Cyber Policy. I focus on privacy strategy regarding our products and offerings, and I provide internal guidance on all matters related to data protection. I also lead our global policy team.
Rob: My name is Rob Sheldon, Head of Technology Strategy for Public Sector. I work on federal, state, and local cyber security policy issues and run programs for CrowdStrike involving election security, as well as state and local cybersecurity.
GLTR: Election security is a very broad term, covering many entities including campaigns, parties, news media, candidates, etc. Cybersecurity is just one aspect of that, can you explain in broad terms what cybersecurity means regarding United States elections?
Rob: There has been a popular conception that election security is about hackable voting machines, yet that is something that is really only one part of the problem. Other election security issues include hacking and leaking of information from campaigns or election administration entities, third-party or supply chain security issues for voting machines or tally devices, social media manipulation, and election night reporting issues, and so on. It is a very broad problem. So, people who want secure elections should look at threats across all of those areas.
Drew: I would add that security should always be looked at holistically regardless of the topic; election security is no different. There are many different aspects of election security including physical security, supply chain, and cybersecurity. The problem in cybersecurity alone is ubiquitous, and there is no one magic solution that makes elections secure. There is a huge difference, for example, between how to secure the many different types of voting machines, and how to provide cybersecurity when tabulating and reporting results or even in protecting the integrity of the voter registration data.
GLTR: Is this a problem the federal government can resolve on its own, if not, what role can it play in improving election security?
Drew: Not on its own. Historically, elections in this country have been locally run rather than federalized. However, there is a strong precedent for the federal government playing roles in specific parts of overall election integrity. For example, the Voting Rights Act, Help America Vote Act, and campaign finance laws provide various agencies specific powers related to voting, campaigning, and election administration. Election security requires a multi-stakeholder approach, which includes private sector cybersecurity expertise and capabilities. However, the federal government has an important role to play in incentivizing the adoption of cybersecurity best practices, communicating threats to implicated parties, and providing resources to enhance security.
GLTR: This is more of a comment than a question I guess, but I am having trouble understanding how voting machines that leave no paper trails are still an issue in 2020.
Rob: From a historical perspective, if you go back to 2000, the best practice was increasing digitization. At that time, elections administrators were more concerned with the efficiency and accuracy of tabulating votes than attempts to manipulate elections. Now, the best practice very much entails using machines that create an auditable record. Looking ahead, several entities are experimenting with more exotic, app-based vote casting options. This represents a different set of problems, and potentially new vulnerabilities or risks. We must be careful here.
GLTR: The Federal Election Commission (FEC) recently released updated guidelines that campaigns can accept discounted cybersecurity software without violating in-kind contribution laws, how does this address some of the concerns we have discussed?
Rob: In the case of campaign cybersecurity, you have entities that are essentially ephemeral by design, which makes cybersecurity difficult in various ways. The security community has tried to address this at various levels, including pursuing changes in FEC guidance.
Drew: Previous restrictions were intended to ensure campaign finance regulations were not side-stepped by donating something else of value to a campaign. Cybersecurity protection, like other exemptions such as for accounting services, are distinct from traditional “things of value.” It is no longer a “nice to have” for a campaign, but because of what we have seen in recent years and continue to anticipate, cybersecurity is an integral component of modern campaigns. This new exception recognizes that security should be part of all campaigns and incentivizes better resourced entities to provide cybersecurity protection to those with fewer resources.
Ultimately, this exception is a recognition that cyber-attacks are not merely an IT risk, but instead a risk to the integrity of elections. Stopping breaches is a top priority and board-level issue for sophisticated private sector organizations. So, this is a very positive development in the campaign realm because it incentivizes the adoption of security measures and makes it more difficult to have an excuse to do nothing because of a lack of resources. Many mature private sector organizations are already protecting themselves against sophisticated adversaries by adopting proven cybersecurity technologies and best practices, such as metrics. Although cybersecurity is only one component to election security, this is an encouraging development for a fundamental pillar.