T Fes Report

CONGRESSIONAL TASK FORCE ON
ELECTION
SECURITY
FINAL REPORT
January 2018
CONGRESSIONAL TASK FORCE ON
ELECTION SECURITY
CO-CHAIR BENNIE G. THOMPSON CO-CHAIR ROBERT BRADY
MISSISSIPPI PENNSYLVANIA
REP. ZOE LOFGREN REP. JAMES R. LANGEVIN

CALIFORNIA RHODE ISLAND
REP. CEDRIC L. RICHMOND REP. VAL DEMINGS

LOUISIANA FLORIDA
Special thanks to staff who contributed to this final report:

Arlet Abrahamian, Collen Altstock, Moira Bergin, Rosaline Cohen, Adam Comis, Jamie Fleet, Hope Goins, Imani
Gunn, Zj Hull, Peter Hunter, Nick Leiserson, Brittany Lynch, Kerry Mckittrick, Alison Northrop, Elise Phillips,
Tanya Sehgal, Alicia Smith, Nicole Tisdale, Chris Wilcox, and the Democratic Staff of the House Committees on
Homeland Security and Administration.
TABLE OF CONTENTS
INTRODUCTION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
UNDERSTANDING THE THREAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
ADMINISTERING ELECTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
FINDINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
RECOMMENDATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
TASK FORCE ACTIVITY APPENDIX . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ENDNOTES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
INTRODUCTION
The Russian interference in the 2016 presidential Richmond (D-LA), and Rep. Val Demings (D-FL), was
election called for swift and robust action by the United established to serve as a forum for Members from the
States government. While the Obama Administration House Administration and House Homeland Security
acted with great urgency and determination to assess Committees to engage with election stakeholders as well
and address the Russian attacks on the 2016 U.S. as cybersecurity and election infrastructure experts to
election, the Trump Administration and Republican ensure the health and security of our nation’s
Members of Congress still refuse – a year later – to election systems.
pursue the facts and defend our democracy.
The six Members of Congress worked together over a
As a result, House Democratic Leader Nancy Pelosi, period of six months with the mission to help maintain
Committee on Homeland Security Ranking Member free, fair, and secure elections and prevent future
Bennie G. Thompson (D-MS), and Committee on damage to our democracy. Over the past six months,
House Administration Ranking Member Robert Brady the Task Force met with over twenty experts and
(D-PA) announced the formation of the Congressional stakeholders and held two public forums featuring state
Task Force on Election Security (the Task Force). The election officials and former national security officials.
Task Force, consisting of Rep. Bennie G. Thompson Members identified policy recommendations to fortify
(D-MS), Rep. Robert Brady (D-PA), Rep. Zoe Lofgren our election systems, guard against future attacks, and
(D-CA), Rep. James R. Langevin (D-RI), Rep. Cedric L. restore voter confidence in our democratic institutions.
2
EXECUTIVE SUMMARY
In November 2016, 139 million Americans cast efforts worldwide, including against US allies and their
their votes in the wake of a massive Russian cyber- election processes.”2
enabled influence operation designed to undermine
One year following the attacks, we have a better
faith in American democracy. The Kremlin spread
understanding of the threat to our elections. The
misinformation and disinformation to the American
Russian government directed efforts to target voting
electorate through more than 1,000 YouTube videos,
systems in 21 states prior to the 2016 election.3
130,000 tweets, and 80,000 Facebook posts. The latter
Although there is no evidence of the attacks altering the
were viewed by approximately 126 million people on
vote count, Kremlin hackers were able to breach at least
Facebook platforms alone. Russian agents also hacked
two states’ voter registration databases.4 Russia’s appetite
into U.S. political organizations and selectively exposed
for undermining confidence in western democratic
sensitive information through third-party intermediaries
institutions – by disenfranchising voters or calling into
like WikiLeaks. Finally, Russia targeted voting systems in
question the integrity of election administration by
at least 21 states and sought to infiltrate the networks of
altering voter information – is only growing stronger.
voting equipment vendors, political parties, and at least
In fact, during a hearing before the House Permanent
one local election board.
Select Committee on Intelligence, then FBI Director
The unprecedented attack by Russia exposed serious James Comey warned that Russia will be back as it
national security vulnerabilities in our election may draw from its intrusions that they were successful
infrastructure. “because they introduced chaos and division and
discord and sowed doubt about the nature of this
On January 6, 2017 then-Department of Homeland amazing country of ours and our democratic process.”5
Security (DHS) Secretary Jeh Johnson designated In addition to Russia, China, Iran, and North Korea
election infrastructure as a critical infrastructure remain cybersecurity threats, and we should prepare for
subsector, citing the importance of the infrastructure to the emboldening and response of other nation states.
our national interests and the “more sophisticated and
dangerous” risks to the systems.1 The designation came State and local election officials are acutely aware of
the same day the Office of the Director of National the threats they are facing, but they lack the necessary
Intelligence (ODNI) released a declassified report, funds to safeguard their voting infrastructure.6 In most
in coordination with the Central Intelligence Agency states, legislatures are not increasing their election
(CIA), Federal Bureau of Investigation (FBI), and security budgets.7 In some cases, Governors are actively
National Security Agency (NSA), entitled Background undermining election security efforts.8 Moreover, state
to Assessing Russian Activities and Intentions in Recent US and local officials have expressed a desire for Congress
Elections: The Analytic Process and Cyber Incident Attribution. to step in. The majority of state election officials
The report found that “Russian intelligence obtained surveyed by Politico in late 2017 indicated that they
and maintained access to elements of multiple US state needed additional funding from the federal government
or local electoral boards,” and that the Kremlin “will to replace obsolete election systems and technology
apply lessons learned…to future election influence and to bolster election security.9 Indeed, the National
3
EXECUTIVE SUMMARY
Association of Secretaries of State made clear to the Federal Funds Should Be Provided to Help
Task Force that “[s]tates would clearly benefit from the States Upgrade and Maintain IT Infrastructure,
appropriation of the outstanding balance of federal Including Voter Registration Databases
HAVA [Help America Vote Act] funds to aid them in States need money to replace outdated technology
ensuring that they have sufficient equipment, technical and hire IT support. It is important to note that cyber
support, and resources to maintain a sound security threats evolve at a rapid pace, and a one-time lump sum
posture for their computer-based systems.”10 investment is not enough. States also need resources for
maintenance and periodic upgrades, and cybersecurity
This issue is simply too important to sit back and training for poll workers and other election officials.
watch state governments and the federal government Congress must establish a mechanism to provide
pass responsibility back and forth. In late December, ongoing support to state and local governments.
a bipartisan group of Senators introduced the “Secure
Elections Act” that would strengthen our elections Election Technology Vendors
and provide states with the resources they need. With Must Secure Their Voting Systems
the 2018 midterm elections rapidly approaching, it is Many states purchase their voting systems from
imperative that the House of Representatives also act third-party vendors who have little financial incentive
to secure our elections and protect the integrity of the to prioritize election security, and are not subject to
ballot box. Our investigation has led us to make the regulations requiring them to use cybersecurity best
following recommendations: practices. Election vendors should be required to
inform Election Assistance Commission (EAC) and
Federal Funds Should Be Provided to Help DHS officials in the event of a cyberattack. In addition,
States Replace Aging, Vulnerable Voting state contracts should require vendors to: 1) secure their
Machines with Paper Ballots systems, and 2) notify state and local officials in the case
The Brennan Center estimates that the cost to replace of a cyber security incident.
paperless direct-recording electronic voting machine
(DREs) would be between $130 and $400 million, and The Federal Government Should
Congress could authorize this money right now. The Develop a National Strategy to Counter
Help America Vote Act (HAVA) authorized $3 billion to Efforts to Undermine Democratic Institutions
meet the statute’s requirements, and over $300 million We need a strong, consistent rebuke from the White
remains to be appropriated.11 Congress should act House. Next, we need the President to acknowledge
immediately to allow states to use this money. that we need a “9/11-style” Commission to help
identify the various ways in which Russia and other
States Should Conduct Risk-Limiting potential threat actors are seeking to undermine
Post-Election Audits democracy and develop a plan to confront them.
A risk-limiting audit involves hand counting a certain
number of ballots to determine whether the reported The Intelligence Community Should
election outcome was correct.12 A statistically sound Conduct Pre-Election Threat Assessments
post-election audit would enable states to determine Well in Advance of Federal Elections
that the original vote count was substantially accurate. The Intelligence Community should complete and
provide to Congress and state and local election officials
an assessment of the full scope of threats to election
infrastructure 180 days prior to a federal election,
together with recommendations provided by DHS and
EAC to address them.
4
EXECUTIVE SUMMARY
DHS Should Maintain the Designation Establish Clear and Effective Channels
of Election Infrastructure as a Critical for Sharing Threat and Intelligence
Infrastructure Subsector Information with Election Officials
Defining election systems as critical infrastructure DHS needs a formalized process to provide real-
means election infrastructure will, on a more formal time appropriate threat information to state and local
and enduring basis, be a priority for DHS cybersecurity election officials to improve information flow and help
services. This is not the time to diminish federal efforts prevent intrusions in our election infrastructure.
or shut down important lines of dialogue between DHS
and election administrators. States Should Prioritize
Cybersecurity Training
Empower Federal Agencies to be Effective States and localities face the daunting task of training
Partners in Pushing out Nationwide hundreds, if not thousands, of election officials,
Security Reforms IT staff, and poll workers on cybersecurity and risk
Congress must act and give DHS the resources it mitigation. It costs money for states to produce
needs to meet its obligations to state and local election training materials, and takes staff time to implement
officials, as well as all critical infrastructure owners and statewide training programs. The federal government
operators. Similarly, Congress should fund the EAC at should provide training support either through the
a level commensurate with its expanded role in election EAC or by provide funding to states to assist with
cybersecurity and confirm a fourth commissioner so their training programs.
the agency is able to continue to serve as a resource on
election administration.
5
UNDERSTANDING THE THREAT
THE FOUR GREATEST STATE-ACTOR THREATS

Before addressing recommendations, this report will Soviet predecessor, has a history of conducting covert
lay out the capabilities of each of the four state actors influence campaigns focused on US presidential
that may pose the greatest threat. Using examples elections that have used intelligence officers and agents
drawn from each of these states’ past cyber activities, and press placements to disparage candidates perceived
this report will also comment briefly on what might as hostile to the Kremlin.”17
motivate each of these four actors to interfere in future
What was new in Russia’s 2016 meddling was not its
U.S. elections
goal of undermining democratic values, or its targeting
Russia of election infrastructure, but rather that Russia’s
In 2016, Russia waged an unprecedented and egregious election interference was conducted on a massive scale
campaign to undermine U.S. democracy. In January and with a high level of technological sophistication.
2017, ODNI released a declassified report on Russian As the January 2017 report noted, “Russian efforts to
activities that stated the U.S. government had “high influence the 2016 US presidential election represent
confidence” that Russian President Vladimir Putin the most recent expression of Moscow’s longstanding
“ordered an influence campaign in 2016 aimed at desire to undermine the US-led liberal democratic order,
the US presidential election” in order to “undermine but these activities demonstrated a significant escalation
public faith in the US democratic process, denigrate in directness, level of activity, and scope of effort
[Hillary] Clinton, and harm her electability and compared to previous operations.”18
potential presidency.”13 The report also assessed that
Russia’s campaign of election interference in 2016
the Russian government “aspired to help President-
included hacked e-mails and their distribution on
elect Trump’s election chances when possible by
WikiLeaks, fake and/or automated social media
discrediting Secretary Clinton and publicly contrasting
accounts, and false news stories. As U.S. intelligence
her unfavorably to him.”14
agencies also reported in January 2017:
The January 2017 ODNI report and numerous rounds
of recent testimony to Congress by experts on Russia
have made clear that Russia’s interference into the
“Russian intelligence obtained
U.S. elections in 2016 was neither its first nor its only
and maintained access to
assault on a country’s electoral system.15 Both prior
elements of multiple…state or
and subsequent to its 2016 assault on the U.S. election
local electoral boards.”19
infrastructure, Russia conducted hybrid assaults on
elections and democratic institutions in Ukraine, the
Balkans and throughout Europe.16 Russia has targeted According to DHS, Russian agents targeted election
the United States in the past as well, as the January systems in at least 21 states, stealing personal voter
2017 ODNI report stated, noting “Russia, like its records and positioning themselves to carry out future
6
attacks.20 In June, media also reported that the Russians North Korea
accessed at least one U.S. voting software supplier and North Korea has also long viewed cyber capabilities as
sent spear-phishing emails to more than 100 local tools to use against its perceived adversaries,27 and could
election officials just days before 2016 November’s potentially launch a cyber operations against the United
presidential election.21 Although in most of the targeted States’ vulnerable election infrastructure. North Korea’s
states officials saw only preparations for hacking, such cyber capabilities have improved steadily over time,28
as scanning of networks in Arizona and Illinois, voter and could inflict significant damage on U.S. private or
registration databases were reportedly breached.22 government networks.29 Although debate continues
about the precise scope and extent of North Korea’s
cyber capabilities, a high-ranking U.S. military official
assessed in April 2014 that North Korea employed
If 2016 was all about preparation,
hackers capable of cyber-espionage and disruptive
what more can they do and when
cyberattacks.30
will they strike?
Experts on the Democratic People’s Republic of
Korea (DPRK) have identified a range of motivations
While it is possible Russia’s interference was a unique for North Korea to conduct cyber operations,
political event, experts warn that Russia and other state including retaliatory attacks.31 A prime example of
actors will almost certainly be back to seek to North Korea’s cyber hacking capabilities is the 2014
undermine our democracy in the future. For instance, hacking of Sony Pictures Entertainment.32 Recently,
when asked in March about the prospects for future North Korean cyber actors appear to have begun
interference by Russia, then-FBI Director James Comey significantly expanding their targeting of entities
testified before Congress that: “[T]hey’ll be back. They’ll and institutions in various countries, including
be back in 2020. They may be back in 2018.”23 broadened attacks against government entities and
Commenting on Russia’s extensive capability to hack private companies from the Republic of Korea33
into county and local databases, former DHS Secretary and financial institutions in the United States. The
Jeh Johnson stated that even during the 2016 election he WannaCry ransomware infected as many as 300,000
had feared Russia’s possible targeting of state voter users worldwide, including hospitals, and were caused
databases.24 Furthermore, numerous security and by a strain of cyber worms that restricted users’ access
intelligence experts have noted that we have significant to a computer.34 Experts have suggested that North
reason to fear such an attack by Russia in the future.25 Korean hackers were almost certainly behind this
Some have even voiced concerns that having suffered attack.35 In a briefing on December 19, 2017, Tom
probing attacks last year, we may face an even more Bossert, President Donald Trump’s homeland security
sophisticated assault next time around.26 Russia retains adviser, officially attributed the WannaCry ransomware
all of the significant cyber capabilities it exhibited in to the North Korean government.36
2016, and experts believe that the Russian government The WannaCry hackers are also said to be part of the
will have learned from its 2016 experience to more “Lazarus Group” that was also behind the February
effectively exploit vulnerabilities going forward. 2016 hacks of the Society for Worldwide Interbank
Financial Telecommunication (SWIFT) messaging
service.37 The SWIFT system is used by some 11,000
banks and companies to transfer money from one
7
country to another and is considered the backbone of Iran

global finance.38 The hacks of these SWIFT financial Iran has long had the United States in its political
terminals resulted in the theft of approximately $81 cross-hairs. Iran has heavily invested in building up the
million from banks in Bangladesh and Southeast Asia.39 cyber capabilities of the Iranian Revolutionary Guard
North Korea is now being linked by a number of cyber Corps (IRGC) and other Iranian government proxies.45
experts to similar attacks on banks in as many as 18 Iran has also been scaling up its cyber capacities since
countries.40 If confirmed, these techniques used would the Stuxnet – a complex piece of malware designed
represent a troubling new capability.41 to interfere with Siemens Industrial Control systems
for nuclear centrifuges – was discovered in Iran46 and
elsewhere.47 Under President Rouhani, Iran increased
its cyber budget twelve-fold, which based on some
North Korea, like Russia, has also assessments makes it a “top five world cyber-power.”48
shown it likely has the capability Experts also point to Iranian cyberattacks on Wall Street
not only to hack and release as an example of the threat Iran poses to the broader
e-mails, but also to U.S. civilian infrastructure. In fact, Fire Eye reported that
alter data.42 of its investigations of attacks on Western companies
and governments, Iran now ranks with China and Russia
in terms of frequency of attack.49
Should the DPRK decide that creating election chaos is
Iran’s most infamous cyber operations include the
worth the risk of potential retaliation from the United
“Shamoon” attack on Saudi giant Aramco50 and several
States, North Korea could use its cyber capabilities
waves of “distributed denial of service” attacks against
to manipulate poll books stored online. If the DPRK
at least 46 major financial institutions and companies
can target financial networks, large corporations like
and critical infrastructure.51 Targets included six leading
Sony, and companies that are part of a country’s
U.S. banks, including J.P. Morgan Chase.52 The Justice
energy network, then smaller, resource-strapped
Department indicted seven Iranian hackers for the
U.S. towns, counties, and states will have difficulty
coordinated financial services attacks, which included
resisting or responding to a targeted attack. Experts
an attempt to interfere in the command and control
assess that as pressure from the West to derail North
system of a New York dam.53 Separately, a September
Korea’s nuclear weapons program increases, DPRK
2017 cyber security firm report identified a new Iranian-
leader Kim Jong Un will likely continue to develop
sponsored hacking group, nicknamed APT33, which has
cyber capabilities in response.43 Additionally, while
been targeting organizations in the aviation and energy
experts have suggested that traditionally China could
industries in the United States, South Korea, and Saudi
exert some degree of control over North Korean
Arabia.54
hackers’ access to the internet, North Korea is actively
exploring ways to circumvent such restrictions. A As a result of the 2015 nuclear deal, Iran appears to
senior technology officer at a leading cybersecurity have cut back on cyberattacks aimed at U.S. banks and
firm noted the DPRK’s new connection to the outside government agencies.55 However, prominent experts
world via Russia would enhance North Korea’s ability warn that Iran may decide to interfere in future U.S.
to command future cyber operations.44 elections as retribution for U.S. actions, particularly
if Iran assesses there would be no significant U.S.
response.56 Moreover, in an example of Iran’s ongoing
8
malicious activity, a Forbes investigation revealed that United States filed criminal charges in May 2014 over a
an employee at a major U.S. accounting firm, Deloitte, set of computer intrusions and indicted five members
allegedly fell victim to a sophisticated fake Facebook of China’s People’s Liberation Army (PLA).63 Also, in
account operated by Iranian hackers in late 2016.57 May 2013, Chinese hackers reportedly compromised
This same Iranian hacker group’s recent activities have the computer systems of at least nine U.S. agencies,
provoked increased concern about Iran’s possibility including the Department of Labor and the Army
of ramping up its cyberattacks on the United States in Corps of Engineers’ National Inventory of Dams.64
response to the Trump Administration’s stance on the Also in 2013, a China-linked threat actor known
regime.58 Experts have raised concerns that rather than as Deep Panda reportedly compromised high-tech
acting wholly on their own, hackers from the Iranian sector companies, the U.S. defense industrial base,
cyber army could team up with the Russians or other nongovernmental organizations, and state and federal
actors to pool capacity and resources to target the U.S. government entities for espionage purposes.65
electoral system.59
The debate about the threat China poses is not
only about its capabilities, but also its motivations.
In September 2015, China and the United States
Experts have warned that Iranian reached an agreement on refraining from conducting
hackers have relationships with economic cyber-espionage. It is still too early to reach
the Russians, Chinese, and North conclusions about China’s activities, post-agreement.
Koreans, and have exchanged Nonetheless, experts have noted that, China unlike
tactics, tools, and procedures for Russia, has to-date largely restricted its activities to
cyber warfare with at least Russia espionage rather than interfering in U.S. elections on a
and North Korea.60 grand scale.66 Experts assess that China is also deeply
concerned about and intent on preserving plausible
deniability related to its cyber actions.67 Therefore,
China China may not follow the Russian model of unabashed
China has consistently been identified, along with interference in the U.S. elections beyond hacking
Russia, as one of the most persistent and advanced campaigns for espionage purposes.
cyber actors threatening the United States today. China

has engaged in various cyber operations either for
espionage or political motivations. Furthermore, China, The most concerning issue is
together with Russia, tops the list of state actors that China’s advanced cyber warfare
possess the most sophisticated capabilities and have capabilities could be rapidly
also integrated their cyber tactics into their warfighting deployed and used against the
strategies and doctrines.61 U.S. and our interests should
their political motivations and
Among the most infamous cyber intrusions commonly calculations change.
attributed to China are the hacks of the U.S. Office of
Personnel Management (OPM).62 China had previously
been identified by the U.S. government as one of the
most active state actors in cyberspace. For example, the
9
ADMINISTERING ELECTIONS
FEDERAL AGENCIES
Although state and local officials are primarily Election Assistance Commission
responsible for administering and securing elections,
certain federal agencies play a supporting role by setting
security standards, administering grants for equipment “The EAC was instrumental in
upgrades, providing technical guidance and other providing us with key advice and
resources, and promoting partnerships and information counsel in the development of
sharing among stakeholders. the Request for Proposals for new
voting equipment and electronic
The EAC is an independent, bipartisan commission poll books. The assistance
that serves as a national clearinghouse of information ensured Rhode Island entered the
on election administration. The EAC provides a vital 2016 election with state-of-the-art
link between state and local election administrators voting equipment.”
and the federal government by providing three main
services: 1) testing and certifying voting machines; - Nellie Gorbea,
2) assisting states with the management of election Rhode Island Secretary of State78
technology and 3) helping state and local officials
prepare for elections.
BACKGROUND AND ROLE
DHS coordinates the overarching federal effort to In the wake of the chaotic 2000 presidential election,
promote the security, including cybersecurity, of the Congress passed the Help America Vote Act of
nation’s critical infrastructure, defined as systems 2002 (HAVA). HAVA sought to improve election
and assets for which “incapacity or destruction … administration by instituting numerous reforms. Some of
would have a debilitating impact on security, national the most notable include: 1) providing funds to replace
economic security, national public health or safety,” or antiquated voting machines, 2) requiring states to create
any combination thereof.68 DHS also plays a key role in a computerized, statewide voter registration list, and 3)
facilitating information sharing between federal, state, promoting accessibility for people with disabilities.
and local officials. Specifically, DHS is charged with
analyzing and integrating law enforcement, intelligence, HAVA created the EAC to administer the newly
and other threat information, then disseminating such created grant program, to develop guidance to assist
information, as appropriate, to federal, state, and local states in meeting HAVA requirements, and to serve as
government officials with “responsibilities related to a national clearinghouse of information on election
homeland security.”69 administration. In addition, the EAC tests and certifies
voting machines, provides guidance on managing
These agencies have resources, expertise, and election technology, and works with state and local
stakeholder relationships that can assist state and local officials to assist them in preparing for elections.
election officials in securing their elections.
10
Administering Elections
Testing and Certifying Voting Machines 22 instructional and facilitative videos, nearly 100 blog
The EAC tests, certifies, and decertifies voting machines posts, and ten public meetings, summits and round tables.
to help states better navigate the voting machine
In 2016, as discussions concerning the security of
procurement process. The voting machines are tested
elections and potential foreign interference became
against a set of standards, the Voluntary Voting System
increasingly common, the EAC leveraged its existing
Guidelines (VVSG), put together by the EAC in
relationships with election administration officials to
conjunction with the National Institute of Standards
facilitate communication between state election officials
and Technology (NIST) as well as experts from the
and the DHS.75 EAC Commissioner Tom Hicks, when
public and private sectors. The most recent VVSG
appearing before the Task Force at a public forum in
were adopted in 2015. Currently, the VVSG are in the
October stated that, “The EAC has been a key player
process of being updated, and the EAC anticipates
in helping election officials understand and leverage
adopting revised guidelines in the first half of 2018.70
the Department of Homeland Security designation
Though states are not required to participate in the
of elections infrastructure as critical infrastructure.”76
EAC’s testing and certification program, over 40 states
The EAC has facilitated, mediated, and participated
currently require either certification or some component
in meetings between elections officials and DHS,
of the Commission’s testing and certification program
and produced educational materials to help states
for the voting systems used in their jurisdictions.71 Of
understand and utilize the critical infrastructure
the states that do not use any part of the EAC’s testing
designation. In addition, the EAC served as a resource
or certification program, three (Florida, Oklahoma, and
to DHS to help the agency understand election
Oregon) were targeted by Russian hackers in 2016.72
administration.77
Managing Election Technology
Over the past 15 years, the EAC has proven itself an
In addition to testing and certifying voting machines,
important partner to state and local election officials.
the EAC has sought to assist election officials with the
According to Rhode Island Secretary of State Nellie
rest of the technology involved in running an election.
Gorbea, “The EAC was instrumental in providing us
In 2016, the EAC launched a video series that featured
with key advice and counsel in the development of the
election officials, advocacy groups, and academics and
Request for Proposals for new voting equipment and
offered guidance on how to leverage high and low-tech
electronic poll books. The assistance ensured Rhode
tools in administering elections.73 The Commission
Island entered the 2016 election with state-of-the-art
also provides easy-to-follow cybersecurity guidance on
voting equipment.78
protecting voter registration data and securing election
night reporting systems.74
PATH FORWARD
Helping State and Local Officials
Since 2011, Republicans have made several attempts to
Prepare for Elections
eliminate the EAC. In June 2011, a bill to terminate the
The EAC seeks to be a useful resource to election
Commission reached the House floor, but failed to gain
administrators across the country. In anticipation
enough votes to pass under suspension of the rules.79 In
of the 2016 election, the EAC launched an election
addition, Congress has often stalled in confirming a full
preparedness campaign that provided guidance and
set of commissioners to the EAC. Between 2011 and
materials to states on topics such as poll worker
2015, the EAC did not have any commissioners as the
management, serving military voters, and running
Republican-lead Senate would not confirm nominees.80
vote by mail programs. In 2016, the EAC produced
During this time, the EAC was unable to approve new
11
voting machine guidelines as three commissioners are security issues. In February 2017, Rep. Robert Brady
required to act. As a result, some states were forced introduced legislation to reauthorize the Election
to delay purchasing new voting machines. Three Assistance Commission and to provide funds for the
commissioners were approved in 2015; however, the EAC to assist states with security upgrades for the voter
Commission still lacks a fourth commissioner. registration systems.83
The EAC operates on a small budget, spending

between eight and ten million dollars in recent years. Department of Homeland Securit y
Given the vital role the agency plays in ensuring the
integrity of our elections, Congress should be working
to provide more resources. Not only does the agency In the years following DHS’
provide the only federal voting machine testing and formation, security experts warned
certification program, but it was also vital in protecting that the “invisible enemy” could
our elections in the face of foreign interference in the manifest as a major cyberattack
2016 election. Former FBI Director James Comey, that disrupts the networks we rely
testifying before the Senate Judiciary Committee in on for clean water, electricity, food,
May 2017, stated the following: or medical care. Few anticipated
that the looming “Cyber Pearl
In short, what we’ve done with DHS is share
Harbor,” would take the shape
the tools, tactics, and techniques we see hackers,
of a foreign adversary targeting
especially from the 2016 election season, using
U.S. election systems.
to attack voter registration databases and try and
engage in other hacks. And we’ve pushed that out
to all the states and to the Election Assistance In its 2002 proposal to stand up the Department
Commission so they harden their networks. That’s of Homeland Security, the Bush White House
one of the most important things we can do.81 warned of “invisible enemies that can strike with
a wide variety of weapons” and advocated for “a
The EAC is in the unique position of being a federal single, unified homeland security structure that will
agency with relationships with state and local election improve protection against today’s threats and be
officials, and with an expertise in election administration. flexible enough to help meet the unknown threats
The Commission has been vital to helping states work of the future.”84 The Homeland Security Act of 2002
with DHS to understand and take advantage of the established the Department of Homeland Security,
“critical infrastructure” designation. Since the designation in part, to centralize national efforts to harden the
was made in January 2017, the EAC has worked diligently defenses of vulnerable U.S. infrastructure and assets
to build trust between state election officials and DHS by that could be exploited by our enemies and to help
facilitating dialogue and drafting a white paper on critical create a robust information sharing environment to
infrastructure for state officials.82 remedy the shortfalls exposed in the 9/11 attacks.85
For the 16 sectors of the U.S. economy designated
Instead of attempting to terminate the agency, the
‘critical infrastructure,’ DHS is authorized to provide
President should nominate and the Senate should
priority access to technical assistance, vulnerability
confirm a fourth commissioner, and Congress should
assessments, access to information sharing centers and
work to provide the EAC with more resources so it can
classified threat intelligence, incident response, and
provide more robust assistance to states on election
12
other resources.86 stakeholders, and sectors and subsectors may establish

Sector Coordinating Councils (SCCs) for private entities.
In the years following DHS’ formation, security experts Although DHS may offer support upon request, SCCs
warned that the “invisible enemy” could manifest as a are self-organized, self-run, and self-governed.
major cyberattack that disrupts the networks we rely
on for clean water, electricity, food, or medical care.87 Information Sharing
DHS organized its cybersecurity programs accordingly, To promote frank conversations between DHS, SSAs,
focusing its limited resources on tools, technologies, and critical infrastructure owners and operators, federal
and relationships that would help ensure continuity law protects information on critical infrastructure
of operations for hospitals, telecommunications, vulnerabilities, or Protected Critical Infrastructure
and the electrical grid.88 It primarily provides these Information (PCII), from disclosure under the Freedom
services through its National Protection and Programs of Information Act and similar state statutes.95 The
Directorate (NPPD). Few anticipated that the looming designation also makes it easier for critical infrastructure
“Cyber Pearl Harbor,” would take the shape of a stakeholders to share threat intelligence through
foreign adversary targeting U.S. election systems.89 platforms like the NPPD’s National Cybersecurity
Communications and Integration Center (NCCIC),
Critical Infrastructure a 24/7 watch center that collects, analyzes, and
Critical infrastructure owners and operators enjoy disseminates indicators of concern.96 This information
priority access to a number of DHS cybersecurity flows to critical infrastructure sectors through
programs and services, including cyber hygiene scans Information Sharing and Analysis Centers (ISACs),
for Internet-facing systems, Risk and Vulnerability central nodes within each sector for communicating
Assessments, and incident response assistance.90 about cyber threats.97 The Multi-State ISAC (MS-ISAC)
Owners and operators are also eligible to apply for performs this function for state, local, tribal, and
security clearances, tap into classified information territorial governments.98
sharing exchanges, and participate in collaborative
councils designed to foster a more enduring, consistent It should be noted that DHS is not a regulator.99
dialogue with other security stakeholders.91 The Participation in DHS’ programs is voluntary, and
designation also carries international significance. A their success relies on stakeholders choosing to
2015 United Nations agreement signed by 20 nations, participate both for their own benefit and the greater
including Russia, to refrain from conducting or good of the sector. DHS brings to bear an ability
supporting cyber-activity that intentionally damages to build and convene a robust network of critical
or impairs the operation of critical infrastructure in infrastructure security stakeholders and provide an
providing services to the public.92 The agreement also apparatus for sharing threat intelligence, candidly
calls on nations to assist one another in defending their discussing vulnerabilities, and fostering public-private
critical infrastructure against cyberattacks.93 cooperation.100 When DHS detects malicious activity or
learns of a breach, it may notify the owner or operator
Each sector has an assigned Sector Specific Agency of the affected system.101 However, owners and
(SSA) responsible for developing and implementing operators are ultimately responsible for securing their
a Sector Specific Plan, a component of the National systems and assets.
Infrastructure Protection Plan (NIPP) maintained by
DHS.94 DHS establishes a Government Coordinating
Council (GCC) comprised of relevant public sector DHS EFFORTS IN THE 2016 ELECTION
13
stand up an Election Infrastructure Cybersecurity

Working Group.107 Despite some initial criticism for not
“Time is a factor…”123
including representatives from the tech community, this
working group served as a focal point for coordination
DHS entered the election security arena in the summer between DHS and election administrators in the lead-up
of 2016 when, in the wake of the cybersecurity to Election Day and thereafter.108
breaches targeting political candidates and institutions,
the NCCIC began receiving reports of cyber-enabled Secretary Johnson made another push to state officials to
scanning and probing of state election-related implement cybersecurity recommendations from NIST
infrastructure, some of which appeared to originate and EAC and invited them to take advantage of DHS’
from a server operated by a Russian company.102 suite of free, voluntary cybersecurity tools and services.109
Around this time, DHS also began fielding inquiries Some of the most relevant services included:110
from Members of Congress, including Rep. Bennie G.
Cyber Hygiene Scans, which can be conducted
Thompson, who wrote to DHS in early August to urge
remotely and, therefore, more quickly than other
the Secretary to “act swiftly” to “defend the integrity,
services. Through these scans, DHS is able to generate
reliability, and validity of our free and democratic
a report for state and local officials identifying
elections.” The letter went on to note that “DHS, as the
vulnerabilities and recommend security measures for
federal government lead for working with State, local,
online voter registration, election night reporting, and
tribal, and territorial governments to secure critical
other Internet-connected systems.
infrastructure and information systems, is the natural
partner for efforts to address cyber vulnerabilities in the Risk & Vulnerability Assessments, a more thorough,
nation’s electoral system.”103 on-site review conducted by DHS cybersecurity experts.
RVAs typically require two to three weeks and include a
On August 3, 2016, DHS made its cybersecurity and
wide range of internal and external vulnerability testing
infrastructure protection capabilities available to state
services, concluding with a full report on vulnerabilities
and local election officials and engaged in an outreach
and recommended mitigation measures.
campaign to persuade stakeholders to use them.104
Specifically, DHS contacted election community Incident Response Assistance in the event of
stakeholders like the EAC and the National Association suspected malicious cyber activity. State and local
of Secretaries of State (NASS) to offer cybersecurity election officials were advised to report such activity
assistance, make them aware of an FBI alert related to to the NCCIC, which could, upon request, provide
breaches into two state election boards, and urge them on-site assistance in identifying and remediating a cyber
to check their systems for similar activity.105 In order to incident. This information could then be shared with
facilitate the delivery of DHS’ voluntary cybersecurity other states to help them defend their own systems.
services, Secretary Johnson began considering
designating election systems as critical infrastructure.106 Information sharing, primarily through the MS-ISAC,
a platform for sharing threat intelligence with state
On August 15, 2016, Secretary Johnson brought the officials, usually the state Chief Information Officers
EAC, NIST, and DOJ together for a conference call (CIOs). Cleared stakeholders could receive classified
with NASS and other organizations representing briefings upon request.
state chief election officials. Recognizing the need
to streamline information sharing with the elections Field-based cybersecurity and protective security
community, Secretary Johnson announced plans to advisors who can provide actionable information
14
and connect election officials to a range of tools recapitalize voting technology.118

and resources available to improve the cybersecurity
DHS was slow to gain the trust and buy-in of its state
preparedness of election systems and the physical site
partners. On September 28, 2016, with the election
security of voting machine storage and polling places.
nearing and fewer than half the states requesting
These advisors are also available to assist with planning
assistance from DHS, bipartisan Congressional
and incident management assistance for both cyber and
leadership wrote to state election officials to urge them
physical incidents.
to take advantage of resources to secure their network
Physical and protective security tools, training, infrastructure, including those offered by DHS.119 At
and resources to improve security at polling sites the same time Congressional leadership promised
and other physical election infrastructure. At the time, to “oppose any effort by the federal government
DHS provided specific guidance for administrative to exercise any degree of control over the states’
and volunteer staff to identify and report suspicious administration of elections by designating these systems
activities, active shooter scenarios, and other threats. as critical infrastructure.”120
Secretary Johnson also discussed ongoing deliberations

about whether to designate election systems as critical “Some states have also recently
infrastructure.111 Reactions varied, particularly because seen scanning and probing of their
DHS did not suggest additional funding would election-related systems, which
accompany the critical infrastructure designation.112 in most cases originated from
DHS also struggled to combat the perception that servers operated by a Russian
requesting DHS cybersecurity assistance amounted to a company.”121
federal takeover of elections. In any event, by that point
there was insufficient time for state election officials
On October 7, 2016, one month before Election Day,
to make any significant changes to elections systems
Secretary Johnson again urged state officials to take
to resolve any new vulnerabilities identified113 and
advantage of DHS cybersecurity assistance to secure
states were increasingly concerned about undermining
their election systems in light of intelligence related
confidence in the election process.114
to Russian efforts to meddle in the 2016 presidential
On August 5, 2016, NASS issued a statement election. That day, DHS and ODNI released a Joint
confirming that state officials would be vigilant in their Statement announcing with confidence that the Russian
efforts to secure election infrastructure, but that “there government was behind “compromises of emails from
has been no indication from national security agencies US persons and institutions, including from US political
to states that any specific or credible threat exists when organizations.” Additionally, the statement revealed that
it comes to cyber security and the November 2016 some states had “seen scanning and probing of their
general election.”115 Ultimately, it deemed “hacking of election-related systems, which in most cases originated
the election is highly improbable due to [the] unique, from servers operated by a Russian company.”122
decentralized process.”116 Nevertheless, NASS said its
On October 10, DHS once again warned election
members would engage in ongoing information sharing
officials that: “[T]ime is a factor… There are only 29
with the federal government related to cybersecurity
days until Election Day.”123 Although cyber hygiene
risks and how to address them,117 while working to
scans can be performed quickly and remotely, “it can
educate Congress and the public about its ongoing
take up to two weeks…to run the scans and identify
election security efforts and the need to invest and
15
vulnerabilities. It can then take at least an additional desire to undermine the US-led liberal democratic
week for state and local election officials to mitigate any order, but these activities demonstrated a significant
vulnerabilities on systems that we may find.”124 With escalation in directness, level of activity, and scope of
consistent prodding, DHS provided cyber hygiene scans effort compared to previous operations.”130 Russia’s
to election officials in 33 states and 36 local jurisdictions long-standing, multi-faceted strategy “blends covert
and shared over 800 cyber threat indicators officials intelligence operations—such as cyber activity—with
could use to identify attempted intrusions, as well as overt efforts by Russian Government agencies, state-
other tactics, techniques and best practices, with officials funded media, third-party intermediaries, and paid
in thousands of jurisdictions across the country.125 social media users or ‘trolls’ in order to cripple its
adversaries.”131
CRITICAL INFRASTRUCTURE DESIGNATION
That same day, then-Secretary Jeh Johnson designated
“We should carefully consider election infrastructure as critical infrastructure.132 In
whether our election system, making the designation, then-Secretary Johnson stated:
our election process is critical
infrastructure, like the financial I have determined that election infrastructure in
sector, like the power grid…There’s this country should be designated as a subsector
a vital national interest in our of the existing Government Facilities critical
electoral process.” infrastructure sector. Given the vital role elections
- Jeh Johnson, play in this country, it is clear that certain systems
Former Secretary of the and assets of election infrastructure meet the
Department of Homeland Security126 definition of critical infrastructure, in fact and
in law.
After Election Day, evidence continued to surface about
I have reached this determination so that election
the extent of Russian interference. DHS worked with the
infrastructure will, on a more formal and enduring
Intelligence Community to carry out a broad review of
basis, be a priority for cybersecurity assistance and
all election-related hacking incidents before the end of
protections that the Department of Homeland
the Obama Administration.127 On December 29, the day
Security provides to a range of private and public
President Obama announced sanctions against Russia,
sector entities.133
DHS, ODNI, and the FBI released a Joint Analysis
Report (JAR) titled Grizzly Steppe – Russian Malicious Importantly, then-Secretary Johnson made clear
Cyber Activity offering greater detail about Russian that a State or local election board’s decision to avail
targeting and urging owners and operators to look back itself of DHS’ cybersecurity resources is voluntary:
at their network traffic for signs of malicious activity.128 “This designation does not mean a federal takeover,
regulation, oversight or intrusion concerning elections
On January 6, 2017, the U.S. Intelligence Community
in this country.”134 The designation requires the
reported that “Russian President Vladimir Putin
Department “to prioritize our cybersecurity assistance
ordered an influence campaign in 2016 aimed at the
to state and local election officials, but only for those
US presidential election” and Russian intelligence
who request it.”135
attempted to breach multiple state or local election
boards.129 According to the report, “Russian efforts to Regardless, the announcement escalated tensions
influence the 2016 US presidential election represent between DHS and the elections community and re-
the most recent expression of Moscow’s longstanding
16
Former Secretary of Homeland Security Jeh Johnson and former Under Secretary for the DHS National Protection and Programs
Directorate Suzanne Spaulding testifying before the Task Force on September 28, 2017. Both officials warned that Russia will
continue to target western democratic elections and urged swift action to secure U.S. voting systems.
ignited concerns about federal overreach. NASS issued After the conference, state officials said they were
a resolution opposing the designation, describing it as “disappointed” that DHS officials “weren’t prepared to
“legally and historically unprecedented, raising many answer our questions” and frustrated that DHS was still
questions and concerns for states and localities.”136 only able to have surface-level conversations about the
designation.139
Since January 2016, DHS has worked with election
officials to help them understand and take advantage Specifically, election officials expressed great frustration
of the designation. However, the reception within the with DHS’ information sharing practices.140 Although
election community has continued to be mixed. In DHS officials testified in June 2017 that Russia targeted
June, DHS announced it was “beginning the formal voting systems in 21 states, for example, it did not notify
process of engaging election officials on an ongoing state election officials whether their election systems
basis around the country” by participating, alongside were targeted until late September, almost a year after
the FBI and EAC, in the NASS annual conference.137 the election.141
At that conference, DHS sought to provide clarity
In part, DHS attributed these information sharing
about the designation and announced that DHS
challenges to the nature of its existing information
was “expanding its efforts to ensure state and local
sharing channels and reporting structures within each
election officials can access the sensitive data, cyber
state.142 As a general rule, DHS shares threat information
tools and threat assessments they need to lock down
at the state level through state Homeland Security
their voting systems prior to the 2018 elections.”138
Advisors, Fusion Centers, CIOs and other agents of the
17
state Governor.143 Each state government is organized and Vulnerability Assessments.147 These delays render
differently but, for the most part, Secretaries of State the benefit useless in light of the compressed time
and other chief election officials are independently- frame of an election cycle.
elected officials who do not report to the Governor and
DHS has also struggled to build relationships with and
exist outside the executive branch chain-of-command.
communicate information to the close-knit elections
As a result, information shared by DHS did not
community.148 For instance, despite DHS being fairly
automatically flow to them under existing information-
open that it is not the subject matter expert on election
sharing relationships.144
administration, it is currently serving as the SSA for
The separation of voting systems from state networks the Elections Subsector. Although EAC has a breadth
that operate within a governor’s chain-of-command of expertise and long-standing relationships within
has another important implication. Because of their the elections community, DHS has historically selected
political independence, Secretaries of State and election executive agencies to serve as SSAs because it preserves
directors often maintain their own networks, instead of the executive prerogative to direct and guide the SSAs
relying on the statewide networks that support other activities. The EAC is an independent agency and,
state agencies. These statewide networks are generally accordingly, does not operate under direction from the
protected by DHS-provided sensors, known as Albert president. This is a challenge for DHS, which lacks both
sensors, which are deployed to entities that participate institutional knowledge about election administration
in the MS-ISAC to monitor web traffic and detect and connections within the small, close-knit elections
malicious activity. As a consequence, depending on the community. As a result, DHS has leaned heavily on
governance model in a given state, these DHS sensors EAC for technical expertise and goodwill with elections
may not have been monitoring the state’s election- stakeholders and is working with EAC to finalize the
related networks. Traffic from Albert sensors feeds into terms of a Memorandum of Understanding or other
the MS-ISAC, giving DHS some visibility into malicious instrument that would formalize the agency’s role in
activity on the statewide network – but not necessarily subsector activities.
the separate networks that support voting systems.
Compounding existing challenges related to its election
The elections community also struggled to reconcile infrastructure responsibilities, DHS officials have
the benefits DHS promoted as part of the critical testified that they are struggling to meet the surge in
infrastructure designation and the timeliness with demand for these services since the designation, and
which these services could be delivered. For instance, the Office of Cybersecurity and Communications
although DHS promised access to classified intelligence is diverting resources from other programs to meet
and other information about threats, election officials demand.149 Additionally, although DHS’ September
quickly learned that they would first need to undergo 2017 outreach effort to provide state election officials
a lengthy security clearance process.145 Although DHS information regarding whether their infrastructure
assured state representatives that the clearance issue was targeted appeared to be well-executed, some states
was being worked out internally, DHS has only begun ultimately questioned the veracity of the information
the clearance process for state election officials and DHS provided.150 The following week at least two
was slow to communicate the process for requesting states reported that DHS had clarified that the targeting
a clearance.146 Election officials also had difficulty occurred against other state networks, not elections
squaring DHS’ offer of ‘priority access’ to services with systems. DHS maintained that Russian actors could
the nine month waiting list for certain services like Risk have scanned other state systems in an effort to find
18
vulnerabilities that could be used to breach election Council (EGCC) held its first meeting in October and
systems.151 Whatever the reason, these communications plans to use the forum to address governance and
hiccups undermined DHS’ efforts to build trust within information-sharing protocols.155 The Subsector plans
the elections community. to begin convened the first Sector Coordinating Council
in December 2017, and will meet again in January 2018.
To address these deficiencies, DHS officials say
they are engaging in “unprecedented outreach” to The Department has also acknowledged the urgency of
“[enhance] awareness among election officials, [educate] addressing information sharing challenges and, although
the American public…develop information sharing they have not committed to a specific strategy for
protocols and establish key working groups to address disseminating information to election officials, they are
these challenges.”152 DHS is also reportedly planning conducting a pilot with the MS-ISAC and a sample of
to dedicate more resources to election cybersecurity by states. DHS also hopes the elevation of election security
elevating DHS’ elections work out of the NPPD and operations to a Department-wide task force will make
into a new Department-wide Task Force.153 it easier to dedicate resources and expedite access to
cybersecurity services.
PATH FORWARD
Overall, DHS officials have emphasized the
Department’s commitment to the election security
“[Election security] is my top
mission. Testifying before a Congressional
priority at the Department. [If ]
Subcommittee, the Senior Official Performing the
we can’t do this right, if we can’t
Duties of the Under Secretary of NPPD stated
dedicate every single asset we
that: “[Election security] is my top priority at the
have to assisting our state and
Department. [If] we can’t do this right, if we can’t
local partners, then frankly…I
dedicate every single asset we have to assisting our state
am not sure what we are doing
and local partners, then frankly…I am not sure what
day-to-day…we are prioritizing
we are doing day-to-day…we are prioritizing delivery
delivery of those briefings,
of those briefings, information sharing to our state
information sharing to our state
and local partners…That for me is the No. 1 priority
and local partners…That for me
for NPPD from a critical infrastructure perspective…
is the No. 1 priority for NPPD
We cannot fail there.”156 DHS should continue to
from a critical infrastructure
partner with the EAC, an agency that has longstanding
perspective…We cannot fail
relationships with state and local officials, to work to
there.”
build trust with state and local election officials.
-Christopher C. Krebs,
Senior Official Performing the Duties
of the Under Secretary of NPPD154
Although DHS has struggled to build trust with

Secretaries of State and other entities within the
close-knit election administration community, the
Department is beginning to make progress executing its
responsibilities associated with the critical infrastructure
designation. The Elections Government Coordinating
19
STATE AND LOCAL GOVERNMENT
States and localities have taken a variety of steps to

There are nearly 7,000 election
secure their elections – many states have replaced
jurisdictions and over 100,000
paperless voting machines, hired IT staff, and regularly
polling places in the United States.
backup their voter registration databases.161 States and
localities expend significant resources to make sure that
The Constitution gives states broad authority to eligible voters are able to exercise their fundamental
determine the “times, places, and manner of holding right to vote. The CalTech/MIT Voting Technology
elections” and gives Congress the authority to “make or project estimated that the 2000 election cost states
alter” state election regulations.157 In practice, election and localities $1 billion dollars to administer, or
administration in the United States is decentralized. approximately $10 for each ballot cast.162 The federal
States and localities are in charge of running elections, government should protect this investment, and help
although Congress has passed legislation setting states ensure that our elections are secure.
guidelines on voter registration and voting systems
Respecting that states run their own elections, the co-
through the National Voter Registration Act of 1993
chairs of the Congressional Task Force on Election
and the Help America Vote Act of 2002 respectively.
Security sent a letter on August 1, 2017 to the NASS,
Each state has a chief election official, and elections the National Association of State Election Directors,
are often further decentralized with counties and and the chief election official in each state, seeking
localities administering the election. There are nearly information on where states could use assistance
7,000 election jurisdictions and over 100,000 polling securing their elections. The letter solicited input from
places in the United States.158 States, and sometimes the Secretary of State or chief election official on the
localities, purchase their own voting equipment and set state’s: 1) top five goals and priorities for the federal
their own rules on registering voters, counting ballots, government with respect to election security; 2) the
and conducting recounts.159 In addition, states are challenges encountered in updating and securing
responsible for recruiting and training poll workers. election systems; 3) how to make existing voluntary
Poll workers are on the front lines of elections, and partnerships with DHS and the EAC most useful; and
serve as the link between election officials and voters. 4) what role Congress can play in securing elections. A
They often receive low pay and limited training, but summary of the key findings from our survey and other
they are vital in ensuring that Election Day runs conversations with election officials follows:
smoothly.160 States also devise and implement their own
security measures.
20
States Need Federal Funding There is still over $300 million of HAVA funding that
to Bolster Security Efforts remains to be appropriated, and Congress should act to
make those funds available to states. In a letter to the
Task Force, NASS has emphasized this point, “States
“Congress needs to ensure that would clearly benefit from the appropriation of the
sufficient federal funding is outstanding balance of federal HAVA funds to aid
available for states to procure and them in ensuring that they have sufficient equipment,
maintain secure voting equipment technical support, and resources to maintain a sound
and increased security of all security posture for their computer-based systems.”168
election systems. That needs to The Task Force recommends that the remaining HAVA
be an ongoing commitment, and funding be used for states to replace paperless machines
not the one-time infusions of with paper-based voting systems.
resources.”
-Edgardo Cortés,
Congress Should Support
Virginia Election Commissioner 167
the EAC and DHS
State election officials report that the EAC has been
The National Association of Secretaries of States, as a valuable partner, and urged Congress to continue
well as every state that responded, highlighted the need supporting the agency’s work.169 Though Republicans
for federal funds to assist states with safeguarding their in Congress have made efforts to terminate the EAC,
election infrastructure. Specifically, most states indicated state election officials in traditionally Republican states
that federal funds were needed to replace aging voting have offered support for the Commission. Secretary
machines.163 In addition, respondents proposed several Gale of Nebraska suggests “retaining the [EAC] to
other ways that additional funding could help improve continue to provide election-related guidance and
their state’s election security including hiring an election information to state and county election officials”
technology security officer,164 bringing in third party and Marci Andino, the Executive Director of the
security firms to conduct vulnerability assessments,165 South Carolina Elections Commission recommends
and upgrading voter registration and election night expanding the role of the EAC.
reporting systems.166
States also indicated that they found DHS’ services
Often, states and localities are unwilling or unable to to be helpful, particularly the Risk and Vulnerability
provide funds for election infrastructure. Commissioner Assessments offered by the agency. However, several
Edgardo Cortés told the Task Force of his experience respondents indicated that it would be helpful if DHS
in Virginia where he tried unsuccessfully to get state or could reduce the amount of time states must wait to
local funding for the replacement of paperless voting receive an assessment.170 In addition, states suggested that
machines that he knew to be error prone and vulnerable the partnership between DHS and election officials could
to cyberattack. He went on to say, “Congress needs to be improved by providing security clearances in a timely
ensure that sufficient federal funding is available for manner to at least one election official in each state.171
states to procure and maintain secure voting equipment
Finally, several states told us that it would be useful for
and increased security of all election systems. That
the federal government to provide more guidance on
needs to be an ongoing commitment, and not the one-
voting system standards and best practices for securing
time infusions of resources.”167
and auditing both cyber and physical assets.
21
The Task Force has seen a great deal of support for provide vital and necessary resources for states and
these recommendations beyond the responses we counties to meet the growing security demands of
received from state election officials. administering elections.”172 The letter went on to say that
NACO also strongly supports the work of the EAC.
The National Association of Counties (NACO) wrote
a letter to Senator Mitch McConnell, Senator Chuck In addition, ten Secretaries of State wrote to Senator
Schumer, Senator John McCain, and Senator Jack John McCain and Senator Jack Reed in support of
Reed, urging that they support S.A. 656 (“Klobuchar- Klobuchar-Graham. The letter was signed by both
Graham”) that would have provided funding to states Republican and Democratic Secretaries who wrote,
and localities for election security. NACO writes, “This amendment would provide vital and necessary
“Counties are on the front lines of administering the resources to support the growing technology and
nation’s elections, and county election officials must infrastructure security demands of our nation’s
address security issues daily. This amendment would elections.”173
Paper Ballot
All Vote By Mail
Paper Ballot and

Punch Card
VT
Mixed Paper Ballot and
NH DREs with VVPAT
CT Mixed Paper Ballot and

DREs with and without
RI VVPAT
NJ Mixed Paper Ballot and

DREs without VVPAT
DE
MD DREs with VVPAT
DC
DREs with and without
VVPAT
DRE: Direct Recording Electronic Voting Machines

VVPAT: Voter Verified Paper Audit Trail Printers DREs without VVPAT
BMD: Ballot-Marking Device or System
This map shows the types of polling place equipment used across the country as of November 2016. Many states continue to use
DRE and VVPAT technology that does not leave a reliable, auditable paper trail.
Verified Voting. “The Verifier – Polling Place Equipment – November 2016.” Verified Voting, https://www.verifiedvoting.org/verifier/
22
FINDINGS
OUR ELECTION INFRASTRUCTURE IS VULNERABLE

The Help America Vote Act (HAVA) gave states over $3 machines begin to break down, election officials are
billion dollars to upgrade and modernize their election sometimes unable to find replacement parts as some
infrastructure in the wake of the 2000 presidential parts are no longer manufactured.179 As a result,
election. Because of this investment in our election election officials are turning to stop-gap measures like
infrastructure, over 850 million ballots have been cast stockpiling replacement parts or buying necessary parts
in federal elections since 2000.174 For $3.50 per ballot, from eBay.180
the federal government was able to ensure that eligible
In addition to the hardware vulnerabilities, many of
citizens could exercise their right to vote.
these aging machines are running unsupported software.
However, the lifespan of much of the hardware and These machines rely on operating systems like Windows
software that was purchased with HAVA funding is XP or Windows 2000 which pose a particularly
between ten and fifteen years, and many jurisdictions significant security risk as those operating systems either
are now using equipment that is nearing or past its do not receive regular security patches, or have stopped
useful life.175 States and localities need federal assistance receiving support altogether.181
to invest in modern, secure election infrastructure.
Some will defend the security of election systems by
Congress should help immediately. HAVA authorized
arguing that voting systems are secure because they are
$3 billion to be spent on election infrastructure, and
not connected to the internet. However, many voting
approximately $300 million remains to be appropriated.
machines contain software or hardware that could be
Those funds should be appropriated so states can begin
used to connect to the internet.182 In addition, many
to replace their most vulnerable voting systems.
machines use removable memory cards or USB sticks
to program their machines with ballot data, and it is
Voting Machines possible to infect a memory card with malware that
could crash a machine or alter vote totals.183 A hacker
The Task Force’s research and interviews unequivocally
could exploit the memory card vulnerability in a few
show that many jurisdictions are using voting machines
different ways. First, an attacker could physically access
that are highly vulnerable to an outside attack. Forty-
the machines. While this may seem unlikely, voting
two states are using voting machines purchased more
machines are sometimes left unattended in polling
than ten years ago.176 Old machines are susceptible to
stations in the days leading up to an election.184 A
“vote-flipping” (i.e., when a voter presses Candidate A’s
greater threat, however, comes from outside vendors.
name, but Candidate B’s name is selected on screen)
The Brennan Center reports that a relatively small
and crashing which can sow doubt in voters’ minds and
number of outside vendors can be responsible for
give the impression that an election is being rigged.177
programming the memory cards for multiple counties
Though many election officials would like to replace
in a state.185 For example, according to Professor
these machines, few have the money in their budgets
J. Alex Halderman, Director of the University of
to purchase new machines.178 At the same time, when
23
Findings
Michigan’s Center for Computer Security and Society, tabulating correctly.192 Moreover, in the process of
“In Michigan, 75% of counties use just two 20-person implementing risk-limiting audits (described below),
companies to do that programming.”186 As discussed Colorado has found that VVPAT systems create
below, outside vendors are not subject to any federal significant logistical hurdles and are much harder to
regulatory requirements that would ensure they use audit than paper ballots.193 As a result, several experts
cybersecurity best practices. we spoke to believe that the VVPAT machines should
be phased out as well.194
Given the breadth of security risks facing voting
machines, it is especially problematic that The ease with which our voting machines can be
approximately 20% of voters are casting their ballots hacked was demonstrated in July at DefCon, one
on machines that do not have any paper backup.187 of the world’s largest, longest-running, and best-
These voters are using paperless Direct Recording known hacker conferences. DefCon featured a Voting
Electronic (DRE) machines that have been shown over Machine Hacking Village (“Voting Village”) which
and again to be highly vulnerable to attack. Because made 25 pieces of election equipment, including
these machines record votes on the internal memory paperless electronic voting machines, available
of the machine, and do not leave any paper backup, it to hackers. The organizers of the Voting Village
is near impossible to detect whether results have been report, “By the end of the conference, every piece
tampered with.188 In fact, in September of this year, of equipment in the Voting Village was effectively
Virginia decertified its DRE machines because of the breached in some manner. Participants with little
security risks they present.188 In addition, a group of prior knowledge and only limited tools and resources
over 100 computer scientists and cyber experts wrote were quite capable of undermining the confidentiality,
to Congress asking that paperless DRE machines be integrity, and availability of these systems.”195
phased out of use.190 Paperless DRE machines are
The best way to determine whether a machine has been
still in use in thirteen states, and the Brennan Center
hacked, or mis-programmed, is to conduct a post-
estimates that the cost to replace these machines
election, risk-limiting audit. Currently, 33 states and the
would be between $130 and $400 million.191 This
District of Columbia require post-election audits of
estimate would only cover paperless DRE machines
paper records; however, many experts note that many
and does not include the cost of replacement of the
of those audits are insufficient to determine whether
DREs with a voter-verified paper audit trail (VVPAT)
election results were tampered with.196 Instead, experts
described below.
recommend that states implement risk-limiting audits.
Some DRE machines have a VVPAT that allows voters A risk-limiting audit is a process that involves hand
the opportunity to review a printout of their selections counting a certain number of ballots, using advanced
before casting a ballot. However, the VVPAT system statistical methods, to determine with a high degree of
has two flaws. First, voters are unlikely to actually review certainty that the reported election outcome is accurate.
the paper record to make sure it is accurate. Second, The number of ballots that are counted by hand is
votes are still recorded on the internal memory of the determined by many factors, including the margin of
machine. That means a hacker could infect the machine victory in the election. If the initial count determines that
in a way where the paper printout reflects the voter’s the election results are accurate, the audit stops. If the
actual preference, but the machine’s internal memory initial count is insufficient to confirm the election result,
records a different vote. In other words, the printout a larger sample of ballots is hand counted. This process
does not necessarily verify whether the machine is continues until the election results can be confirmed. If
24
Findings
there is never enough evidence to confirm the election attackers successfully changed voting records in Illinois,
results, a full hand count would be conducted.197 voters would have arrived at the polls on Election Day
to discover that they were not registered. This could
Robust, statistically sound, post-election audits would lead “scores of voters to cast provisional ballots, leading
enable election officials to detect any incorrect election to long lines, undermining faith in the fairness of an
outcomes.198 When testifying before the Senate election, and creating a major administrative headache
Intelligence Committee earlier this year, Professor to accurately count votes after the polls closed.”208
Halderman stated that, “By manually checking a relatively Alternatively, an attacker could add fake voters to the
small random sample of the ballots, officials can quickly rolls, allowing for fraudulent votes to be cast.
and affordably provide high assurance that the election
outcome was correct.”199 According to Professor States take many steps to secure their voter registration
Halderman, currently only New Mexico and Colorado systems. Almost all states make a daily, offline copy of
are conducting such audits,200 though Rhode Island the statewide voter registration database.209 In addition,
recently passed legislation providing for post-election states and counties each keep lists that can be used
risk-limiting audits beginning in 2018 and requiring post- as backup for one another in the event of a breach.
election risk-limiting audits beginning in 2020.201 Numerous states took advantage of DHS “computer
hygiene” screenings in advance of the 2016 election,
and states are continuing to work with DHS and utilize
Voter Registration Databases the Department’s services as election infrastructure is
HAVA requires states to create and maintain a statewide, now a “critical infrastructure” sector.
computerized voter registration database.202 According
to the Brennan Center, in at least 41 states, these
systems were created at least ten years ago.203 The 2016 Decentralization
election has shown us that these systems are vulnerable The decentralization of American elections is both
to attack. The Department of Homeland Security a strength and a challenge in this space. Because of
found that Russian hackers targeted these systems in the decentralization, some argue that a hacker cannot
21 states.204 In Illinois, Russian hackers successfully have one successful breach and then access the entire
breached the databases and attempted, but failed, to country’s voting records. While there is certainly
alter and delete voting records.205 In Arizona, hackers truth to that contention, there are ways in which our
were able to successfully install malware on a county system is less decentralized than commonly thought.
election official’s computer. That gave the hackers First, the election technology industry is increasingly
access to the official’s credentials which could have then consolidated with just a few firms serving most of
been used to get into the county’s voter registration the country.210 Second, there are considerable supply
database.206 In addition, hackers targeted at least one chain vulnerabilities as many machines have foreign-
election vendor with the hope of ultimately obtaining made internal parts.211 A report on the DefCon Voting
access into voter registration databases.207 Machine Hacking Village states, “[A] hacker’s point-of-
entry into an entire make or model of voting machine
The most significant threat posed by vulnerable voter could happen well before that voting machine rolls off
registration databases is that an attacker could alter, the production line. With an ability to infiltrate voting
delete, or add voter registration records which would infrastructure at any point in the supply chain process,
then cause profound chaos on Election Day and then the ability to synchronize and inflict large-scale
potentially change the results of the election. Had the damage becomes a real possibility.”212
25
Findings
Having nearly 7,000 election jurisdictions means that strengthening their networks. While some election
each of those needs to have strong IT support to officials are able to use state IT security experts to
prevent against attack. Several election officials told harden their systems,221 in many other states, elections
the Task Force that they would greatly benefit from are run off of a different network than the state
the federal government providing a centralized set of a network, and state chief information officers are
guidance documents on cybersecurity best practices.213 reluctant to assist the elections officials if they are not
While the EAC provides guidelines for voting machines, already existing customers of state IT.222 This means
they do not provide a similarly comprehensive set of that election officials will need to hire their own IT staff,
guidance for voter registration systems. and many simply do not have the money. 223
In addition, states need better IT support and resources While some in Congress may argue that states and
to help improve their cybersecurity infrastructure, localities should fund these improvements, states
though several states have been able to make progress are struggling to find that funding. In most states,
in these areas.214 In California, Governor Jerry Brown legislatures are not increasing their election security
signed a law that will alert voters when their registration budgets.224 In some cases, Governors are actively
has been changed.215 Colorado has added national undermining election security efforts. In Florida,
guard security experts to its election team,216 and Governor Scott’s budget proposed reducing the funding
Virginia recently created a digital security position.217 In for the Division of Elections by almost one million
June, Governor Cuomo directed the New York State dollars.225 In July, Governor Kasich vetoed a provision
Cyber Security Advisory Board to review the security in Ohio’s budget that would have allocated one million
of New York’s election infrastructure.218 For the first dollars towards voting equipment.226 Governor Walker
time, Arizona has updated its election official training issued a partial veto to the state’s budget, and in doing
to include cybersecurity.219 In October, Rhode Island so, eliminated five jobs from the Wisconsin Elections
Secretary of State Nellie Gorbea told the Task Force: Commission.227 This issue is simply too important to
“In Rhode Island, I have increased my office’s IT staff sit back and watch state governments and the federal
by 40% to ensure that we have the technical expertise government pass responsibility back and forth. A
in-house necessary to respond to the ever-shifting sovereign nation attacked 21 states, and the federal
landscape that technology presents.”220 government should provide the funds necessary for
states to defend themselves.
However, states still face several challenges when
it comes to hiring the necessary IT staff and
26
Findings
STATE AND LOCAL GOVERNMENTS NEED FEDERAL SUPPORT

TO REPLACE OBSOLETE ELECTION SYSTEMS
There is no question that securing election The crisis-to-crisis model of federal investment in
infrastructure and preserving public confidence in election infrastructure and security capabilities has
election outcomes are the top priorities of state and resulted in avoidable vulnerabilities in our elections
local elections officials. It is also clear that these officials systems. Despite being well-aware that outdated election
are aware that much of the technology upon which systems must be replaced, state and local budgets are
they rely to administer elections is outdated or obsolete already stretched thin. If Congress expects State and
and must be replaced. That much has been made clear local election officials to replace, maintain, and secure
by the NASS, former federal officials, and individual election systems, it must help absorb both immediate
Secretaries of State. Moreover, it is similarly clear that and long-term costs. This includes providing money for
the ability of state and local election offices to maintain innovation grants that will help keep our election system
staff with relevant expertise to develop and implement secure in the face of evolving threats.
cybersecurity programs necessary to secure election
systems is inconsistent across the nation.
27
Findings
FEDERAL AGENCIES LIKE DHS AND EAC NEED RESOURCES

AND CONSISTENT SUPPORT FROM CONGRESS
Election Assistance Commission election night reporting systems.230 These documents

are easy to follow and great resources for state and local
The EAC provides a valuable service in issuing the
election officials. The EAC should work with experts
VVSG and in testing and certifying voting machines.
in cybersecurity and election administration to ensure
Despite these services being voluntary, nine states and
that these documents are up to date, and should work to
the District of Columbia require that voting machines
publicize the availability of these documents.
be tested to federal standards, seventeen states require
testing by a federally accredited lab, eleven require full While many election officials we spoke with commented
federal certification, and four additional states refer to on the EAC’s testing and certification program, the
standards set by federal agencies or standards.228 The EAC can and should provide additional cybersecurity
most recent guidelines were adopted on March 31, resources to states.231 Rhode Island Secretary of State
2015, and they are currently in the process of being Nellie Gorbea emphasized that states are already in
updated. The updates currently under consideration the habit of turning to the EAC for election related
would greatly improve election security by requiring resources, “Every single time that we are looking
that machines have an auditable paper trail and that at doing something in cybersecurity, in elections
voting machines provide mechanisms to detect administration, and improving things, we look at the
malicious activity. EAC. Because they have all this information about what
is happening at the national level. We absolutely need
These security updates are sorely needed and will greatly
those resources there at the state and local level.”232 The
assist in safeguarding our voting machines. The EAC
existing relationship between the EAC and state and
has indicated that they plan to adopt these guidelines
local election officials has led some officials to indicate
in the first half of 2018, but given the urgency of the
that they would like more guidance from the EAC.
issue, every effort should be made to expedite this
Virginia Elections Commissioner, Edgardo Cortés said,
process. However, it is important to note that these
“At a minimum Congress should empower and fund the
guidelines are prospective and will only affect machines
EAC to expand their current voluntary voting system
that are acquired after the guidelines are adopted.229 The
guidelines to include guidelines applicable to electronic
best way to ensure that states are using safe, reliable
poll books.”233 In addition, the EAC can provide request
voting machines is for Congress to provide funding to
for proposal (RFP) templates to help states ensure
help states replace old equipment with new machines
that their election technology vendors are prioritizing
that conform to the latest guidelines.
cybersecurity, and the EAC could create training
Creating standards for voting machines is a good modules to assist states in providing cybersecurity
start, but it is not enough. As discussed elsewhere education to election officials, IT staff, and poll workers.
in this report, the vulnerability of voter registration
databases and other election administration software
also present a significant threat, and it would be useful Department of Homeland Security
if the EAC would provide assistance in these areas DHS has resources it can bring to bear on securing
as well. The EAC makes available on its website a elections, but there are some roadblocks to
checklist for securing voter registration databases and overcome. As one DHS official noted before the
28
Findings
Senate Intelligence Committee in June, “Addressing deepening those relationships, identifying requirements,
cybersecurity challenges and helping our customers and educating on our capabilities.”
assess their cybersecurity risk is not new for DHS.”234
Representatives from the elections community readily
Through NPPD, DHS can provide election officials
acknowledge how unique, small, and close-knit their
with cyber threat intelligence, vulnerability assessments,
stakeholder group is – and many aspects of the
penetration testing, scanning of databases and operating
environment they operate in do not apply in other
systems, and other cybersecurity services at no cost.
critical infrastructure sectors. For instance, election
Through these services, state and local election officials
officials operate on a strict timeline, and often cannot
can learn how to practice better cyber hygiene, make
make updates to voter registration databases and other
sure voting systems are operating securely and kept
systems for some window of time prior to an election.
offline and carry out routine vulnerability assessments
In addition, officials are frustrated by the fact that they
on voter registration databases. DHS can also help
have to wait nine months to receive a service for which
states carry out comprehensive risk assessments on a
they are entitled ‘priority access.’
regular basis.
Where DHS has rendered assistance, officials report
Some of the hurdles DHS experienced before and
that cyber hygiene scans and other services are valuable;
after the 2016 election are inherent in the challenge of
however, because these services are voluntary, DHS’
standing up a new sector and learning to communicate
ultimate success depends on its ability to build trusted
with a new stakeholder community. As the DHS
partnerships with state and local election officials.
Assistant Secretary for Cybersecurity & Communications
Elections are cyclical, and DHS needs adequate
testified in June, “[H]istorically, DHS has not had active
resources to carry out its election security activities
engagement directly with the state and local election
without further depleting the goodwill it has in the
community, so we’re working on broadening and
elections community.
29
Findings
ELECTION VENDORS ARE UNREGULATED TARGETS

Many states utilize third party vendors to provide their House Permanent Select Committee on Intelligence
election technology software and hardware. States in November, the propaganda was far-reaching –social
utilize vendors to create and maintain the statewide media companies revealed that Russian agents spread
voter registration database that they were required to Facebook posts that reached 126 million people,
create under HAVA, and they purchase voting machines uploaded more than 1,000 videos to YouTube, and
and accompanying software from outside companies sent more than 131,000 tweets. If the attack against
as well. Local election offices are unlikely to have any election vendors had been successful and the hackers
internal IT staff, so election vendors often end up were able to infect the computers of the local election
providing IT support as well.235 As demonstrated in the officials, hackers may have been able to access state
2016 election, these vendors are a tempting target for voter registration databases and alter or delete voter
hackers as breaching an election technology vendor has registration records. At the very least, this could have
the potential to provide a hacker access to numerous caused a great deal of chaos on election day. At worst,
election jurisdictions. Despite the risks associated with hackers could have deleted registration records of
these third-party vendors, they are unregulated at the voters inclined to voter for a certain candidate thereby
federal level. swaying the results of the election.
A NSA document leaked to The Intercept highlights There is no federal law that governs what steps election
the vulnerability presented by election technology vendors must take to safeguard their systems from
vendors.236 The Intercept reports that Russia’s plan in attack. Instead, any obligations that vendors are subject
2016 was to pose as an election vendor and email to stem from the terms of their contracts with states
local election officials with the hope that the officials and localities. The chief executives of VR Systems
would open an attachment containing malware.237 told the Task Force that their contracts did not have
In order to execute this plan, Russian hackers sent any specific requirements on: 1) what cybersecurity
spear-phishing emails to an election software vendor. practices must be followed and 2) when state and local
The NSA report indicates that at least one employee election officials needed to be notified in the event of a
account was compromised, though the targeted vendor, cyberattack.241 Nevertheless, before they were targeted
VR Systems, says that no employee accounts were by the Russians, VR Systems did expend resources on
compromised.238 Russian hackers went on to pose as VR cybersecurity. Once the company became aware of
Systems employees and send over 100 emails to local the suspicious activity, they notified the FBI and their
government email addresses. clients. Since the election, the company has redoubled
their efforts, enlisting a private security firm to help
This was one of several tactics used by the Russians them harden their systems.242 However, absent any
in their multifaceted campaign to sow doubt about regulation in this area, there is no way to know whether
the democratic process.239 In addition to attempting other third-party vendors would also have notified
to hack in state and local election systems, the election officials and clients about a cyberattack.
Russians also conducted cyber espionage against the More importantly, instead of approaching election
Democratic National Committee and key personnel
technology vulnerabilities as a national security issue,
in the Clinton campaign, and launched a propaganda we are allowing companies to determine for themselves
campaign utilizing Facebook, Twitter and other social whether it is in their financial best interest to be
media to exacerbate divisions and undermine faith concerned with cybersecurity.
in democracy.240 According to testimony before the
30
Findings
According to a recent study put out by the Penn technology industry means that “there is no meaningful
Wharton Public Policy Initiative, the election competitive pressure from the suppliers to the
technology industry is dominated by three firms whose vendors.”247 In other words, there is no incentive for
products cover approximately 92% of the total eligible election technology vendors to prioritize security. This
voter population.243 These firms are neither publicly nor problem is compounded by the lack of regulation in this
independently held which limits the amount of publicly area. These vendors are not required to make financial
available information available about their operations.244 disclosures to the Securities and Exchange Commission.
Smaller companies routinely get bought out and merged The executives are not required to disclose political
with one of the three larger companies, and biggest contributions to the Federal Elections Commission.
tech companies, including Apple, Dell, IBM, HP, and State and local contracts do not necessarily require
Microsoft have chosen to stay out of the election vendors to notify election officials in the event of
technology business.245 This may in part be because the a cyberattack. Under current law, there is no way to
sector generates approximately $300 million in annual ensure that vendors are doing everything possible to
revenue, a relatively modest amount when compared to keep their systems secure.
the revenue of the largest technology companies. For
The Task Force believes this must change. States and
example, Apple generates about $300 million in revenue
counties must hold vendors accountable and ensure
every 12 hours.246
that they are prioritizing election security. The EAC
Currently, election technology vendors present serious should provide RFP templates that include language
security risks. The consolidation in the election on cybersecurity practices and incident notification.
31
Findings
States and localities should include such language in efforts to meddle in the 2016 elections, re-opening
their RFPs, and seek to include security provisions in questions about the validity of their assessment as
their existing contracts. Alternatively, the EAC could recently as November 2017.248 These actions indicate
put forth a set of standards for election vendors to the Trump Administration is failing to take the threat
follow and then certify vendors who are following to election infrastructure and democratic institutions
best practices, similar to the testing and certification seriously. Moreover, although the recently-released
program the Commission administers in the voting National Security Strategy refers to Russia’s influence
machine context. operations, it is unclear how the Administration plans
to ensure the security of U.S. election infrastructure
going forward.
Election Security is National Security
Russian interference in the 2016 Presidential election was
a watershed moment in our democracy. By weaponizing Election Infrastructure is
the information we consume, eroding confidence in our Critical Infrastructure
political institutions, and pressure-testing the equipment Federal law defines critical infrastructure as systems
we use to cast our ballots on Election Day, the Kremlin and assets for which “incapacity or destruction …
was able to use the democratic process as an attack would have a debilitating impact on security, national
vector. Securing this new and novel attack vector will economic security, national public health or safety,” or
require a novel approach. any combination thereof. For infrastructure designated
critical, DHS offers priority access to cyber threat
After the 9/11 terrorist attacks, the nation had to
intelligence, incident response, technical assistance,
confront the difficult reality that the attacks might have
and other products and services to help owners and
been prevented with better information sharing and
operators harden their defenses.
more robust interagency collaboration. We struggled
to balance the need to protect information while also It is hard to imagine a system failure that would inflict
empowering the right agencies to act in the face of more damage than a foreign adversary infiltrating
threats. We had to overcome an initial reluctance to our voting systems to hijack our democratic process.
share turf with new partners and move past fears of However, the decision to designate a critical
reputational damage. It was nevertheless clear that infrastructure sector or subsector ultimately falls to the
the threat landscape had changed, and our security Secretary of Homeland Security. This summer, former
framework needed to change with it. Secretary of Homeland Security John Kelly wavered
on his earlier commitment to honor his predecessor’s
The threat landscape has once again shifted, exposing
designation. Although Secretary Kirstjen Nielsen
new cracks in our existing security framework
has said she will maintain the designation, she is not
and causing another set of turf wars. The Obama
obligated to do so.
Administration worked proactively to assist state and
local governments secure their election systems and, Defining election systems as critical infrastructure
in January, declared election infrastructure a critical means these systems will, on a more formal and
infrastructure subsector. Unfortunately, the Trump enduring basis, be a priority for DHS cybersecurity
Administration’s commitment to election security is assistance. These services are an important force
less clear. The President continues to waffle on the multiplier, especially at the state and local level, where
Intelligence Community’s conclusions regarding Russian resources are scarce.
32
Findings
Russia Will Continue its Efforts to U.S. election, these efforts by Russian hackers were
Undermine Western Democracies, and aimed at skewing the results, sowing discord, and
undermining public faith in the media, government
Sophisticated, State-sponsored Actors
institutions and the democratic process itself. Russia has
Will Continue to Pursue Cyberattacks
established a consistent pattern of conducting new and
As former Under Secretary for NPPD Suzanne aggressive attacks on election infrastructure, particularly
Spaulding observed: “Russia is engaged in a long- in the United States and Europe.254 These efforts are
term effort to undermine democracy both tactically part of Russia’s larger strategy to undermine trust in
to weaken the west and strategically to reduce liberal our democracies, and are also likely part of a broader
democracy’s appeal not just in the United States but. . . attempt to divide Europe from America, and to weaken
around the world where Russia competes for influence both NATO and the European Union.255 There is no
and power.”249 evidence that Russia will forfeit the capabilities they
have spent decades crafting and cease these efforts.
Russia has a long history of using cyberattacks and
Moreover, security experts are warning that Russia may
cyber-enabled disinformation campaigns to target
turn to new frontiers like Mexico, which will elect more
political processes in other nations, adhering to a
than 3,000 government officials in July 2018.256
foreign policy built to leverage “the force of politics
as opposed to the politics of force.”250 By carrying out In addition, other adversaries hostile to western
advanced influence operations, Russia is able to “punch democracies could seek to replicate its election
above their weight” by “provid[ing] their relatively interference campaign, many well-respected security
weak economy and insecure political institutions with experts have warned.257 Possible nation-states that
a strategic and tactical advantage to affect significant could exploit vulnerabilities in our elections also include
political outcomes abroad.”251 The advent of social North Korea, Iran, and China.258 Any of these scenarios
media and data analytics have allowed Russia a new would be catastrophic – if only for the damage it would
forum to alter the course of events by manipulating do to public confidence.
public opinion.252
The federal government needs a better understanding
The United States is also not Russia’s only target. Russia of how Russian efforts to interfere in the 2016
orchestrated politically-motivated cyber campaigns in Presidential election fit into its larger global agenda, and
the Netherlands, France, Germany, Bulgaria, Estonia, a strategy to protect our democratic institutions from all
Austria, and two Ukrainian presidential elections in hostile actors going forward.
2004 and 2014, a decade apart.253 Similar to the 2016
33
RECOMMENDATIONS
Federal Funds Should be Provided to Help Of the voting systems in use today, experts agree that
States Replace Aging, Vulnerable Voting the most secure voting system is one where a voter
Machines with Paper Ballots marks a paper ballot, and the ballots are then counted
The most urgent need is to replace all DRE machines. by an optical scanner machine. Though optical scanner
There are two types of DRE machines in use: 1) machines are not wholly immune from cyberattacks, a
paperless machines and 2) those equipped with a paper ballot filled out by a voter produces an auditable
VVPAT. Both types of machines present significant paper trail that can easily detect attacks.263
security risks as the DRE systems store voting records
in the machine’s internal memory. Paperless systems Jurisdictions must also be sure to comply with HAVA
make it impossible to practically detect whether there and ensure that disabled voters have access to voting
has been tampering with an election’s results. Though systems that enable them to vote privately and
the VVPAT systems purport to leave a paper audit independently. For example, some states use ballot-
trail by providing a receipt or printout of a voter’s marking devices to ensure that their voting systems
selections, the voter record that gets tabulated still lives are accessible. A ballot-marking device is a tablet or
in the machine’s internal memory. This means that the laptop that does not have internet connectivity and is
printout the voter receives does not necessarily indicate hardwired to an off-the-shelf printer and produces a
whether the vote will be tabulated correctly. Thus, the paper ballot. In New Hampshire, these ballot-marking
auditability provided by the voter-verified receipt is of devices are being used along with software that has been
little value. Twenty-four states use DRE machines – tested by voters who cannot see or hear and by voters
fourteen use paperless DREs and an additional ten use who cannot use their hands.264 Such a device allows
VVPAT systems.259 voters to cast their ballot privately and independently
while also producing an auditable paper record.
There is widespread consensus that these machines
need to be replaced, with emphasis on the need to Election administrators agree that they need to replace
replace paperless DREs, and that they should be their aging voting machines, but many say they cannot
replaced with paper ballots. A letter from over 100 act because they do not have the necessary funds.
computer science and cybersecurity experts was sent South Carolina is one of the five states that relies
to every Member of Congress in June 2017 with exclusively on paperless DREs, and a spokesman for
recommendations on securing election systems. The the South Carolina Election Commission recently
first recommendation was to phase out paperless DRE told the New York Times, “We’re using the same
machines.260 If there was any remaining doubt, DefCon’s equipment we’ve used since 2004. If $40 million
voting village showed the country just how easy it is to dropped into our hands today, we’d have a paper ballot
breach paperless DRE machines.261 In interviews with trail, too.”265 In a recent Politico survey, 21 of 33
the Task Force, many election cybersecurity experts respondents want the federal government to authorize
stated that VVPAT systems pose significant security risks funds for states to spend on replacing voting machines
and should be replaced as well.262 or otherwise strengthening election security.266 In
response to the letter sent out by the Task Force to
34
Recommendations
the chief election official in each state, four states of ballots. This goes on until the auditor can determine
(Minnesota, Nebraska, Illinois, and Pennsylvania) with certainty that the election result was accurate. If
of the National Association of Secretaries of States the evidence never becomes strong enough to support
expressed a desire for Congress to appropriate funds that conclusion, a full hand count will be conducted.271
to help states replace aging voting equipment.267
Because of the use of sophisticated statistical methods
The Brennan Center estimates that the cost to replace and the iterative process, risk-limiting audits provide an
paperless DREs would be between $130 and $400 efficient and cost-effective way to verify election results.
million. However, that figure does not include the Professor Halderman estimates that the cost of running
additional cost associated with replacing VVPAT systems. risk-limiting audits nationally for federal elections would
be less than $20 million a year.272
Congress has money available that they could use to
help states replace their old machines. HAVA authorized According to Professor Halderman, currently, only
$3 billion to meet the statute’s requirements, and over two states, New Mexico and Colorado, “conduct audits
$300 million remains to be appropriated.268 Congress that are robust enough to detect cyberattacks.”273
should act immediately to allow states to use this money. Rhode Island recently passed legislation providing for
risk-limiting audits begin in 2018 and post-election
States Should Conduct Risk-Limiting risk-limiting audits in 2020.274 Election security experts
Post-Election Audits agree that all states should be routinely conducting these
While we can and should do everything possible to audits to detect any anomalies in election results and to
prevent an attack from taking place, the best way to increase the public’s confidence in elections.275
determine with a high degree of certainty, whether
an attack has taken place, is for states to conduct Federal Funds Should be Provided to Help
mandatory, routine, risk-limiting post-election audits. States Upgrade and Maintain IT Infrastructure,
A statistically sound post-election audit would enable Including Voter Registration Databases
states to determine that the original vote count was Russia’s targeting of 21 states’ voter registration systems,
substantially accurate. These audits are useful in and the successful breach of the Illinois database, makes
detecting any incorrect election outcomes, whether abundantly clear that our voter registration systems are
they are caused by a cyberattack or something more vulnerable. Fortunately, the hackers’ attempts to alter
mundane like a programming error. Moreover, and delete records were blocked, but they had access
conducting these audits as a matter of course increases to the Illinois voter files for almost three weeks before
public confidence in the election system.269 their activity was detected.276 Russian hackers also came
close to accessing a statewide voter registration database
A risk-limiting audit involves hand counting a certain in Gila County, Arizona where an employee opened an
number of ballots to determine whether the reported infected email attachment that then installed malware on
election outcome was correct.270 The initial number of the employee’s computer.277 If any of these attempts had
ballots is determined by a number of factors, including been successful, voting records could have been added,
the margin of victory in the contest – the larger the altered, or deleted, and Election Day would be filled
margin of victory, the smaller the initial sample. If with chaos. Just as significantly, such an attack would
the audit finds strong evidence that the result was sow deep doubts about the integrity of our elections and
correct, the audit stops. However, if the initial sample is American democracy. These close calls show that it is
insufficient to confirm the election result, there will be crucial that states act now to upgrade and secure their
a second round of hand-counting with a larger sample IT infrastructure.
35
Recommendations
The first steps to securing voter registration databases Congress has a role to play in helping states fund the
and other IT infrastructure is to replace outdated purchase of newer, more secure election systems, and
technology and hire the necessary IT support. In at least requiring such systems adhere to baseline cybersecurity
41 states, databases are at least a decade old, and threats standards. Congress should direct DHS and EAC to
have evolved significantly since then.278 The problem work together to define security standards for election
of an aging system is often compounded because many equipment and appropriate the funding necessary to
jurisdictions relying on older, less secure software and help state and local governments replace outdated
operating systems may also lack IT support. Election voting systems.
administration systems are often run on a different
It is important to note that cyber threats evolve at a rapid
network than the rest of the state, and do not receive
pace, and a one-time lump sum investment is not enough.
support from the office of the Chief Information
States also need resources for maintenance and periodic
Officer.279 Many states report that they are unable to
upgrades, and cybersecurity training for poll workers
get the IT support they need, particularly at the local
and other election officials. Congress must establish a
level.280 Systems that are relying on antiquated software
mechanism to provide ongoing support to state and local
or operating systems should be modernized, and state
governments. One way to do that would be to reimburse
and local election officials should have the IT support
states for part of the cost associated with administering
they need.
federal elections by providing a flat rate per active
In addition, election administrators should follow registered voter, as many states do when counties are
cyber-security best practices, including regular backups. responsible for administering state ballot questions.
Several officials that spoke to the Task Force indicated
In addition, Congress should appropriate funds for
that it would be useful for DHS or the EAC to
innovation grants so that new technology can be
provide guidance documents that outline cybersecurity
developed to respond to the evolving threat landscape.
best practices.281
Many states are already implementing these Election Technology Vendors Must Secure
recommendations, and even more have started in the Their Voting Systems
wake of the 2016 election.282 States are hiring new Many states purchase their voting systems from a
technology support staff and upgrading their voting third-party vendor. Those vendors have little financial
systems wherever possible. However, states need money. incentive to prioritize election security, and there no
After conducting a survey of state election officials, regulations requiring them to use cybersecurity best
where 21 out of 33 states indicated that they need help practices. The Task Force recommends that the EAC
funding security improvements, Politico reported, “States provide RFP templates that would require vendors to:
need money to upgrade digital voter registration systems 1) secure their systems, and 2) notify state and local
that alleged Russian hackers probed and infiltrated officials in the case of a cyberattack. States and localities
in 2016. They need money to provide cybersecurity should use this language in all future contracts, and seek
training to local county officials… And they need to incorporate these requirements into their existing
money to adopt new post-election audit procedures that contracts. In addition, election technology vendors
can detect vote tampering.”283 should be required to inform EAC and DHS officials in
the event of a cyberattack.
We cannot ask our state and local election officials to
take on a state actor like Russia alone. Although states
and counties are largely responsible for elections,
36
Recommendations
The Federal Government Should Develop Accordingly, the Intelligence Community should
a National Strategy to Counter Efforts to complete and provide to Congress and state and
Undermine Democratic Institutions local election officials an assessment of the full scope
The goals of Russian efforts to meddle in the 2016 of threats to election infrastructure 180 days prior
presidential election were not limited to promoting one to federal election, together with recommendations
candidate or damaging another; they were an attempt provided by DHS and EAC to address them. The
to undermine confidence in democratic institutions and assessments should be unclassified, with the option
sow doubt in liberal democracies. As a former Under of adding a classified annex, as necessary. To ensure
Secretary for NPPD warned, “We need to broaden that state and local election officials have access to
our focus to the ways these measures undermine other all information necessary to protect their election
fundamental pillars of democracy, including the press infrastructure, the Department of Homeland Security
and our judicial system.”284 should expedite the clearance process for relevant
officials and/or provide one-day “read-in” clearances.
Past attacks of this magnitude have served as a catalyst
for major strategic changes and a re-orientation of
DHS Should Maintain the Designation of
federal policy. Our starting point is clear – we need a Election Infrastructure as a Critical
strong, consistent rebuke from the White House. Next, Infrastructure Subsector
we need the President to acknowledge that we need a Defining election systems as critical infrastructure
“9/11-style” Commission to help identify the various means election infrastructure will, on a more formal
ways in which the Russians are seeking to undermine and enduring basis, be a priority for DHS cybersecurity
democracy and develop a plan to confront them. services. These services are an important force
After the terrorist attacks of September 11, 2001, the multiplier, especially at the state and local level,
National Commission on Terrorist Attacks Upon the where resources are scarce. We have a rare window
United States (9/11 Commission) undertook this effort of opportunity to promote the widespread adoption
to understand the full impact of this tragic event and of common-sense security measures that protect the
resolve the gaps in our security framework. integrity of the ballot box. This is not the time to
diminish federal efforts or shut down important lines of
The Intelligence Community Should Conduct dialogue between DHS and election administrators.
Pre-Election Threat Assessments Well in
Advance of Federal Elections
Empower Federal Agencies to be
It is clear that efforts to disrupt the administration of Effective Partners in Pushing out
elections are going to continue. To empower state and Nationwide Security Reforms
local governments to secure their election systems and to With midterm elections less than a year away, election
inform federal efforts to support them, there must be a officials cannot afford to wait 9 months for valuable
current, complete understanding of the threat landscape. cybersecurity services like Risk and Vulnerability
At the same time, state and local election officials must Assessments. At the same time, Congress should
know of relevant intelligence related to efforts to target not put DHS in the position of delivering election
elections with an adequate amount of time to assess assistance at the expense of its other critical
vulnerabilities within their systems and networks and infrastructure customers. DHS must conduct a
address them. Moreover, any threat assessment must be comprehensive assessment of the funding, resources,
conducted sufficiently in advance of the election to avoid and personnel it needs to deliver the services state and
the perception of political motivation. local elections officials request to secure their election
37
Recommendations
infrastructure, and make a request to Congress. In States Should Prioritize

turn, Congress must act and give DHS the resources it Cybersecurity Training
needs to meet its obligations to state and local election “Training the trainers” is a crucial component in
officials, as well as all critical infrastructure owners securing elections. The events of 2016 demonstrate
and operators. that human error is a significant vulnerability as it leaves
systems open to spear-phishing and other forms of
Similarly, Congress should fund EAC at a level cyberattack. Election officials have told the Task Force
commensurate with its expanded role in election that building the capacity of local election officials and
cybersecurity and confirm a fourth commissioner so IT staff remains a challenge.285 Secretary Nellie Gorbea
the agency is able to continue to serve as a resource on stated, “Our public sector employees and system at the
election administration. state, county, and municipal level are ill-prepared to
handle the looming threat of cyberattacks.”286 States and
Establish Clear and Effective Channels
localities face the daunting task of training hundreds,
for Sharing Threat and Intelligence
Information with Election Officials if not thousands, of election officials, IT staff, and poll
Effective information sharing is critical to addressing workers on cybersecurity and risk mitigation.
the decentralized threat that our nation faces in
It costs money for states to produce training materials,
terms of securing our elections. We have seen how
and takes staff time to implement statewide training
information sharing failures can cause catastrophic
programs. The federal government should provide
events prior to the 2016 elections. The 9/11 terrorist
training support either through the EAC or by
attacks exposed serious gaps in information sharing
providing funding to states to assist with their training
within the federal government and state and local law
programs. With additional resources, the EAC could
enforcement partners. It is imperative that election
produce templates for states to use, or could assist
officials have access to the most timely and high-
states in reviewing training materials created in-state. In
level security information. Chief election officials in
addition, the EAC is currently working with Harvard’s
each state should have expedited access to security
Belfer Center to develop a tabletop training which could
clearances. DHS needs a formalized process to provide
be useful to states looking to incorporate cybersecurity
real-time appropriate threat information to state and
education into their trainings.287 In the meantime,
local election officials to improve information flow and
states with resources to do so should follow the lead
help prevent intrusions in our election infrastructure.
of Secretaries of State who are taking action to raise
Additionally, DHS has experience helping non-
awareness about how to keep election infrastructure
traditional preparedness and response stakeholders
secure. Rhode Island Secretary of State Nellie Gorbea,
partner together to address evolving threats. The
for example, convened a meeting of federal, state, and
Department should leverage that experience, and
local officials, including more than one hundred of
provide states models for effective information sharing
Rhode Island’s municipal election officials and IT staff,
protocols related to election infrastructure. Finally
for a summit on elections cybersecurity.288
entities involved in administering elections, as well as
political organizations, should consider forming an
information sharing and analysis organization to share
data on cyber threats.
38
CONCLUSION
The attacks in 2016 preview what is yet to come. In When a sovereign nation attempts to meddle in our
March 2017, then-FBI Director James Comey testified elections, it is an attack on our country. We cannot
before the House Permanent Select Committee on leave states to defend against the sophisticated cyber
Intelligence that: “[T]hey’ll be back. They’ll be back in tactics of state actors like Russia on their own. Michael
2020. They may be back in 2018.”289 Just days before Chertoff, former Secretary of Homeland Security wrote
the 2017 elections, Bob Kolasky, the acting Deputy in The Wall Street Journal, “In an age of unprecedented
Undersecretary of the National Protection and cyber risks, these dangers aren’t surprising. But
Programs Directorate at the Department of Homeland lawmakers and election officials’ lackadaisical response
Security said, “We saw in 2016 that Russia had an intent is both staggering and distressing… This is a matter of
to be involved in our elections and some capability to national security, and Congress should treat it as such.”
be active or to attempt to be active in scanning election We urge Congress to act in a bipartisan fashion and
systems. We have not seen any evidence that intent take action – to provide the necessary funding, to take
or capability has changed.”290 The threat remains, and seriously the recommendations of this Task Force, and
Congress must act. to recognize that election security is national security.
39
TASK FORCE ACTIVITY APPENDIX
PUBLIC FORUMS ON-SITE MEMBER AND

STAFF MEETINGS AND BRIEFINGS
Securing America’s Elections:
Understanding the Threat Access Democracy
Witnesses: The Honorable Jeh Johnson, former Mr. Jake Braun, Cambridge Global Advisors
Secretary of Homeland Security, and the Honorable
Dr. Ben Buchanan, Harvard University
Suzanne Spaulding, former Department of Homeland
Security Under Secretary for the National Protection Brennan Center for Justice
and Programs Directorate. Dr. Judd Choate, National Association of State Election
Directors President
Securing America’s Elections:
Preparing for 2018 and Beyond Department of Homeland Security
Witnesses: The Honorable Nellie Gorbea, Rhode Mr. Jim Dickson, National Council on Independent
Island Secretary of State, Mr. Edgardo Cortés, Virginia Living Voting Rights Task Force
Department of Elections Commissioner, and
Election Assistance Commission
Mr. Thomas Hicks, Election Assistance Commission
Commissioner & Vice-Chair. Dr. Edward W. Felten, Princeton University
Free and Fair Election Technologies
OFF-SITE MEMBER AND STAFF BRIEFINGS Dr. Juan Gilbert, University of Florida
Cyber Vulnerabilities in U.S. Voting Infrastructure, Dr. J. Alex Halderman, Michigan State University
presented by DEFCON Hackers and National Security Dr. John Koza, Michigan State University
Leaders at The Atlantic Council
National Association of Secretaries of State
Election Assistance Commission Public Meeting National Association of State Chief Information Officers
National Security Imperative of Addressing Foreign National Governors Association

Cyber Interferences in U.S. Elections, Open Source Election Technology Institute
Brookings Institute
Dr. John Savage, Brown University
Solutions to Secure America’s Elections, Ms. Marian Schneider, former Special Advisor to the
Center for American Progress Governor of Pennsylvania on Election Policy
The Honorable Steve Simon, Minnesota Secretary of

State
Verified Voting
VR Systems
Mr. Luther Weeks, State Auditability Working Group
40
ENDNOTES
1 Official Statement by Secretary Jeh Johnson on the Desig- 11 Burris, A. L., Fischer, E.A. (2016) The Help America Vote
nation of Election Infrastructure as a Critical Infrastructure Sub- Act and Election Administration: Overview and Selected Issues
sector, (Jan. 6, 2017), https://www.dhs.gov/news/2017/01/06/ for the 2016 Election (CRS Report No. RS20898).
statement-secretary-johnson-designation-election-infrastruc-
12 Risk-Limiting Audits Working Group, Risk-Limiting
ture-critical.
Post-Election Audits: Why and How, 5, (Jennie Bretschneider et
2 Office of the Director of National Intelligence Declassi- al. eds., 1.1 version, 2012) https://www.stat.berkeley.edu/~stark/
fied Report, “Background to Assessing Russian Activities and Preprints/RLAwhitepaper12.pdf.
Intentions in Recent US Elections: The Analytic Process and
13 Office of the Director of National Intelligence Declassified
Cyber Incident Attribution,” at iii (Jan. 6, 2017), https://www.dni.
Report, “Background to Assessing Russian Activities and Inten-
gov/files/documents/ICA_2017_01.pdf.
tions in Recent US Elections: The Analytic Process and Cyber
3 Joe Uchill, “DHS tells 21 states they were Russia hack- Incident Attribution,” at iii.
ing targets before 2016 election,” The Hill (Sep. 22, 2017),
14 Id.
http://thehill.com/policy/cybersecurity/351981-dhs-noti-
fies-21-states-of-they-were-targets-russian-hacking. 15 Id. See also Open Hearing on Russian Interference in
European Elections Senate Select Committee on Intelligence,
4 Dustin Volz and Jim Finkle, “Voter Registration Databases
115th Cong. (Jun. 28, 2017), (statement of Ambassador (ret.)
in Arizona and Illinois Were Breached, FBI Says,” TIME (Aug. 29,
Nicholas Burns), available at https://www.intelligence.senate.
2016), http://time.com/4471042/fbi-voter-database-breach-ar-
gov/sites/default/files/documents/sfr-nburns-062817b.pdf.
izona-illinois/.
16 Open Hearing on Russian Interference in European
5 Open Hearing on Russian Active Measures Investigation
Elections Senate Select Committee on Intelligence, 115th Cong.
before the House Permanent Select Committee on Intelligence,
(Jun. 28, 2017), (statement of Ambassador (ret.) Nicholas Burns),
115th Cong. (Mar. 20, 2017), (statement of James Comey, Direc-
available at https://www.intelligence.senate.gov/sites/default/
tor, Federal Bureau of Investigation), available at http://www.
files/documents/sfr-nburns-062817b.pdf. See also Jason Le
cq.com/doc/congressionaltranscripts-5065176?1.
Miere, “Russia Election Hacking: Countries Where the Kremlin
6 Reid Wilson, Election Officials Race to Combat Cyber- Has Allegedly Sought to Sway Votes,” Newsweek (May 9,
attacks, The Hill (Nov. 8, 2017) http://thehill.com/homenews/ 2017), available at http://www.newsweek.com/russia-election-
campaign/359243-election-officials-race-to-combat-cyberat- hacking-france-us-606314; James Ludes and Mark Jacobson,
tacks. “Shatter the House of Mirrors: A Conference Report on Russian
Influence Operations,” Pell Center, (Sept. 26, 2017), available at
7 Cory Bennett et al., Cash-Strapped States Brace for
http://pellcenter.org/wp-content/uploads/2017/09/Shatter-
Russian Hacking Fight, POLITICO (Sept. 3, 2017) http://www.
the-House-of-Mirrors-FINAL-WEB.pdf; Heather Conley and
politico.com/story/2017/09/03/election-hackers-russia-cyber-
Ruslan Stefanov, “The Kremlin Playbook,” CSIS (Oct. 13, 2016),
attack-voting-242266.
available at https://www.csis.org/analysis/welcome-krem-
8 Governor Rick Scott’s 2017-2018 Budget, (last visited, Oct. lin-playbook; Alina Polyakova et al., “The Kremlin’s Trojan
18, 2017) http://fightingforfloridasfuturebudget.com/web%20 Horses,” The Atlantic Council, (Nov. 15, 2016), available at http://
forms/Budget/BudgetService.aspx?rid1=327714&rid2=2989 www.atlanticcouncil.org/images/publications/The_Krem-
15&ai=45000000&title=STATE.; Jackie Borchardt, Ohio Gov. lins_Trojan_Horses_web_0228_third_edition.pdf; Christopher
John Kasich Vetoes Medicaid Freeze, Signs State Budget Bill, Paul and Miriam Matthews, “The Russian Firehose of Propa-
Cleveland.com (Jul. 10, 2017) http://www.cleveland.com/metro/ ganda Model,” RAND, (Dec. 13, 2016), available at https://www.
index.ssf/2017/06/ohio_gov_john_kasich_signs_sta.html; Veto rand.org/content/dam/rand/pubs/perspectives/PE100/PE198/
Message in Brief, Sept. 20, 2017, p. 13. https://walker.wi.gov/ RAND_PE198.pdf; and Minority Staff Report of the House
sites/default/files/09.20.17%20Veto%20Message%20in%20 Committee on Science, Space, and Technology Subcommittee
Brief.pdf. on Oversight, “Old Tactics, New Tools: A Review of Russia’s Soft
9 Bennett, supra n. 7. Cyber Influence Operations,” (Nov. 2017), available at https://
democrats-science.house.gov/sites/democrats.science.house.
10 Letter from Connie Lawson, President, National Associa- gov/files/documents/Russian%20Soft%20Cyber%20Influ-
tion of Secretaries of State, to Congressman Bennie Thompson ence%20Operations%20-%20Minority%20Staff%20Report%20
& Congressman Robert Brady, Co-Chairman, Joint Task Force -%20November%202017_0.pdf.
on Election Security (Aug. 3, 2017) (on file with author).
41
Endnotes
17 Office of the Director of National Intelligence Declassified should-prepare/; The Brookings Institution, “The National
Report, “Background to Assessing Russian Activities and Inten- Security Imperative of Addressing Foreign Cyber Interfer-
tions in Recent US Elections: The Analytic Process and Cyber ence in U.S. Elections,” The Brookings Institution (Sept. 8,
Incident Attribution,” at iii. 2017), available at https://www.brookings.edu/wp-content/
uploads/2017/09/20170908_election_security_transcript.
18 Id.
pdf; and Ian Livingston, “Securing the Vote Is Critical to
19 Id. Preserving American Democracy,” The Brookings Institution
20 Some reports suggest that voting systems in as many as (Sept. 21, 2017), available at https://www.brookings.edu/
39 states were infiltrated by Russian hackers. Michael Riley blog/order-from-chaos/2017/09/21/securing-the-vote-is-crit-
and Jordan Robertson, “Russian Cyber Hacks on U.S. Electoral ical-to-preserving-american-democracy/. See also Reid
System Far Wider Than Previously Known,” Bloomberg (Jun. Standish, “American Elections Remain Unprotected,” The
13, 2017, available at https://www.bloomberg.com/news/arti- Atlantic, (Dec. 28, 2017), available at https://www.theatlantic.
cles/2017-06-13/russian-breach-of-39-states-threatens-future- com/international/archive/2017/12/russia-disinformation-elec-
u-s-elections. tion-trump-putin-hack-cyber-europe/549260/; Michael Morell
and Mike Rogers, “Russia never stopped its cyberattacks
21 Id. on the United States,” The Washington Post, (Dec. 25, 2017),
22 Testimony of Jeh Johnson, former U.S. Secretary of Home- available at https://www.washingtonpost.com/opinions/
land Security, and Suzanne Spaulding, former Under Secretary russia-never-stopped-its-cyberattacks-on-the-united-
for the National Protection and Programs Directorate, U.S. states/2017/12/25/83076f2e-e676-11e7-a65d-1ac0fd7f097e_sto-
Department of Homeland Security, before the Congressional ry.html?utm_term=.802d6d23a2f5; Tom Donilon, “Russia will
Task Force on Election Security Forum entitled Securing Our be back. Here’s how to hack-proof the next election,” The
Elections: Understanding the Threat (Sept. 28, 2017), available Washington Post (Jul. 14, 2017), available at https://www.
at https://democrats-homeland.house.gov/hearings-and-mark- washingtonpost.com/opinions/russia-will-be-back-heres-how-
ups/hearings/task-force-election-security-securing-amer- to-hack-proof-the-next-election/2017/07/14/f085e870-67d5-
icas-elections-understanding. See also Morgan Chalfant, 11e7-a1d7-9a32c91c6f40_story.html?utm_term=.d14edd4000a9;
“Obama DHS officials pitch election cybersecurity fixes to “Russia Election Hacking: Countries Where the Kremlin Has
Congress,” The Hill (Sep. 28, 2017), http://thehill.com/policy/ Allegedly Sought to Sway Votes,” Newsweek (May 9, 2017),
cybersecurity/352919-obama-era-dhs-officials-pitch-elec- available at http://www.newsweek.com/russia-election-hack-
tion-cybersecurity-fixes-to-congress?utm_source=&utm_me- ing-france-us-606314; Elizabeth Weise, “After Russian Election
dium=email&utm_campaign=11067. Hack, U.S. Security Advisers Form Group to Make 2020 Race
Unhackable,” USA Today, (Oct. 10, 2017), available at https://
23 Testimony of James Comey, Federal Bureau of Investi- www.usatoday.com/story/tech/news/2017/10/10/after-russian-
gations, before the House Permanent Select Committee on election-hack-u-s-security-advisers-form-group-make-2020-
Intelligence hearing entitled Open Hearing on Russian Active race-unhackable/747403001/; Robby Mook, “Keep the Hackers
Measures Investigation (Mar. 20, 2017), transcript available Out of Our Elections,” CNN (Aug., 2017), available at http://
at https://www.washingtonpost.com/news/post-politics/ www.cnn.com/2017/08/24/opinions/keep-hackers-out-of-
wp/2017/03/20/full-transcript-fbi-director-james-comey-tes- our-elections-opinion-mook/index.html; Matt Rhoades, “Every
tifies-on-russian-interference-in-2016-election/?utm_term=. Campaign Is Now A Cyberwar Target,” New York Post (Aug. 13,
a3209228adef. 2017), available at http://nypost.com/2017/08/13/every-cam-
24 Testimony of Jeh Johnson, former U.S. Secretary of Home- paign-is-now-a-cyberwar-target/.
land Security, and Suzanne Spaulding, former Under Secretary 26 Edward-Isaac Dovere, “Hacker Study: Russia Could Get
for the National Protection and Programs Directorate, U.S. into U.S. Voting Machines,” Politico (Oct. 9, 2017), available at
Department of Homeland Security, before the Congressional https://www.politico.com/story/2017/10/09/russia-voting-ma-
Task Force on Election Security Forum entitled Securing Our chines-hacking-243603. See also Ian Livingston, “Securing
Elections: Understanding the Threat (Sept. 28, 2017), available the Vote Is Critical to Preserving American Democracy,” The
at https://democrats-homeland.house.gov/hearings-and-mark- Brookings Institution, (Sept. 21, 2017), available at https://www.
ups/hearings/task-force-election-security-securing-amer- brookings.edu/blog/order-from-chaos/2017/09/21/secur-
icas-elections-understanding. See also Morgan Chalfant, ing-the-vote-is-critical-to-preserving-american-democracy/.
“Obama DHS officials pitch election cybersecurity fixes to See also Rachel Ansley, “Russian Hacking: We Must Secure
Congress,” The Hill (Sep. 28, 2017), http://thehill.com/policy/ Our Voting Machines Right Now,” Newsweek (Oct. 13, 2017),
cybersecurity/352919-obama-era-dhs-officials-pitch-elec- available at http://www.newsweek.com/russian-hacking-we-
tion-cybersecurity-fixes-to-congress?utm_source=&utm_me- must-secure-our-voting-machines-right-now-684392; Matt
dium=email&utm_campaign=11067. Blaze, Jake Braun, and Harri Hursti et al., “DEFCON 25 Voting
25 Id. See also Lawrence Norden and Ian Vandewalker, Machine Hacking Village,” DEFCON Communications, Sept.
“Securing Elections From Foreign Interference,” Brennan 2017, available at https://www.defcon.org/images/defcon-25/
Center (Jun. 29, 2017), available at https://www.brennancen- DEF%20CON%2025%20voting%20village%20report.pdf; and
ter.org/publication/securing-elections-foreign-interference; Harvard Kennedy School Belfer Center, “Belfer Center Launch-
Michael O’Hanlon, “Cyber Threats and How the United States es Defending Digital Democracy Project to Fight Cyber Attacks
Should Prepare,” The Brookings Institution (Jun. 14, 2017), and Protect Integrity of Elections,” (Oct. 10, 2017), available at
available at https://www.brookings.edu/blog/order-from-cha- https://www.hks.harvard.edu/announcements/belfer-cen-
os/2017/06/14/cyber-threats-and-how-the-united-states- ter-launches-defending-digital-democracy-project.
42
Endnotes
27 Ju-min Park and James Pearson, “Exclusive: North Ko- 42 Ju-min Park and James Pearson, supra n. 27.
rea’s Unit 180, the Cyber Warfare Cell That Worries the West,”
43 Eric O’Neill, “Nuclear War Isn’t North Korea’s Only
Reuters (May 20, 2017), available at http://www.reuters.com/
Threat,” CNN (Sept. 25, 2017), available at http://www.
article/us-cyber-northkorea-exclusive/exclusive-north-ko-
cnn.com/2017/09/23/opinions/north-korea-cyberat-
reas-unit-180-the-cyber-warfare-cell-that-worries-the-west-
tack-oneill-opinion/index.html.
idUSKCN18H020.
44 “Russian firm provides new internet connection to North
28 Id.
Korea,” Reuters (Oct. 2, 2017), available at https://www.reuters.
29 Id. com/article/us-nkorea-internet/russian-firm-provides-new-in-
ternet-connection-to-north-korea-idUSKCN1C70D2.
30 Testimony of General Curtis M. Scaparrotti, then-Com-
mander U.S.-ROK Combined Forces Command, before the 45 Testimony of Frank Cilluffo, Director of GWU’s Homeland
House Committee on Armed Services, Hearing on the NDAA, Security Policy Institute, House Committee on Homeland Se-
(Apr. 2, 2017), available at https://www.gpo.gov/fdsys/pkg/ curity, 112th Cong. (Apr. 26, 2012) available at https://www.gpo.
CHRG-113hhrg87862/html/CHRG-113hhrg87862.htm. gov/fdsys/pkg/CHRG-112hhrg77381/html/CHRG-112hhrg77381.
htm.
31 Timothy Phelps and Brian Bennett, “FBI Head Details Ev-
idence That North Korea Was Behind Sony Hack,” Los Angeles 46 Testimony of Frank Cilluffo, Director of GWU’s Homeland
Times (Jan. 7, 2015), available at http://www.latimes.com/na- Security Policy Institute, House Committee on Homeland Se-
tion/la-na-comey-sony-north-korea-20150107-story.html. curity, 112th Cong. (Apr. 26, 2012) available at https://www.gpo.
gov/fdsys/pkg/CHRG-112hhrg77381/html/CHRG-112hhrg77381.
32 Id.
htm.
33 Ju-min Park and James Pearson, supra n. 27.
47 Center for Strategic & International Studies, “Significant
34 Emma Chanlett-Avery, et al. “North Korean Cyber Capabil- Cyber Incidents,” CSIS, https://www.csis.org/programs/cyber-
ities: In Brief,” Congressional Research Service (Aug. 3, 2017), security-and-warfare/technology-policy-program/other-proj-
available at https://fas.org/sgp/crs/row/R44912.pdf. See also ects-cybersecurity.
Russell Goldman, “What We Know and Don’t Know About the
48 Eric Auchard, “Once ‘Kittens’ in Cyber Spy World, Iran
International Cyberattack,” New York Times, (May 12, 2017),
Gains Prowess: Security Experts,” Reuters (Sept. 20, 2017),
available at https://www.nytimes.com/2017/05/12/world/eu-
available at http://www.reuters.com/article/us-iran-cyber/
rope/international-cyberattack-ransomware.html.
once-kittens-in-cyber-spy-world-iran-gains-prowess-security-
35 Ellen Nakashima, “The NSA Has Linked the WannaCry experts-idUSKCN1BV1VA?il=0
Computer Work to North Korea,” Washington Post (Jun. 14,
49 Id.
2017), available at https://www.washingtonpost.com/world/
national-security/the-nsa-has-linked-the-wannacry-computer- 50 Id.
worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-
51 Kate Brannen, “Abandoning Iranian nuclear deal could
3a519335381c_story.html?utm_term=.95006ea82f53.
lead to a wave of cyberattacks,” Just Security, (Oct. 2, 2017),
36 Thomas Bossert, “It’s Official: North Korea is behind https://www.justsecurity.org/45549/abandoning-iranian-nucle-
WannaCry,” Wall Street Journal (Dec. 18, 2017), available at ar-deal-lead-wave-cyberattacks.
https://www.wsj.com/articles/its-official-north-korea-is-be-
52 Siobhan Gorman and Danny Yadron, “Banks Seek U.S.
hind-wannacry-1513642537. A recording of the December
Help on Iran Cyberattacks,” The Wall Street Journal, (January 16,
19 briefing by President Donald Trump’s homeland security
2013), available at https://www.wsj.com/articles/SB1000142412
adviser, Tom Bossert, is available at https://www.c-span.org/
7887324734904578244302923178548.
video/?438777-1/homeland-security-officials-blame-north-ko-
rea-wannacry-malware-attack. 53 Kate Brannen, supra n. 51.
37 Joseph Menn, “Symantec Says “Highly Likely’ North 54 Id.
Korea Group Behind Ransomware Attacks,” Reuters (May 23, 55 Id.
2017), available at https://www.reuters.com/article/us-cy-
ber-attack-northkorea/symantec-says-highly-likely-north-ko- 56 Id.
rea-group-behind-ransomware-attacks-idUSKBN18I2SH. 57 Thomas Fox-Brewster, “Iranian Hackers Targeted Deloitte
38 Emma Chanlett-Avery, et al, supra n. 34. Via A Seriously Convincing Facebook Fake” In Homeland
Security, (Oct. 5, 2017), http://inhomelandsecurity.com/
39 Joseph Menn, supra n. 37. iranian-hackers-targeted-deloitte-via-a-seriously-convinc-
40 Jonathan Spicer and Joseph Menn, “U.S. May Accuse ing-facebook-fake/?utm_source=IHS&utm_medium=newslet-
North Korea in Bangladesh Cyber Heist: WSJ,” Reuters (Mar. ter&utm_content=iranian-hackers-targeted-deloitte-via-a-seri-
22, 2017), available at http://www.reuters.com/article/us-cy- ously-convincing-facebook-fake&utm_campaign=20171005IHS.
ber-heist-bangladesh-northkorea-idUSKBN16T2Z3. See also 58 Kate Brannen, supra n. 51. See also Thomas Fox-Brewster,
Council on Foreign Relations, “Cyber Operations Tracker,” supra n. 57.
CFR, https://www.cfr.org/interactive/cyber-operations?utm_
source=&utm_medium=email&utm_campaign=11915. 59 The Brookings Institution, “The National Security Impera-
tive of Addressing Foreign Cyber Interference in U.S. Elections,”
41 Jonathan Spicer and Joseph Menn, supra n. 40. The Brookings Institution (Sept. 8, 2017), available at https://
43
Endnotes
www.brookings.edu/wp-content/uploads/2017/09/20170908_ 296 (Nov. 25, 2002) (6 U.S.C. §121 et seq); Uniting and Strength-
election_security_transcript.pdf. ening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT
60 Thomas Fox-Brewster, supra n. 57.
Act), §1016(e), Pub. L. 107-56 (Oct. 26, 2001) (42 U.S.C. §5195c)
61 Testimony of Frank Cilluffo, Director of GWU’s Homeland (defining critical infrastructure); White House, Presidential
Security Policy Institute, House Committee on Homeland Se- Policy Directive/PPD-21, Critical Infrastructure Security and Re-
curity, 114th Cong. (Feb. 25, 2016) available at https://www.gpo. silience (2013); Exec. Order No. 13691, Promoting Private Sector
gov/fdsys/pkg/CHRG-114hhrg21527/html/CHRG-114hhrg21527. Cybersecurity Information Sharing, 3 C.F.R. 271 (2015).
htm.
69 §201(d), P.L. 107-296 (6 U.S.C. §121(d)).
62 Center for Strategic & International Studies, “Signifi-
70 U.S. Election Assistance Commission, Voluntary Voting
cant Cyber Incidents,” CSIS, https://www.csis.org/programs/
Systems Guidelines, https://www.eac.gov/voting-equipment/
cybersecurity-and-warfare/technology-policy-program/oth-
voluntary-voting-system-guidelines/ (last visited on Oct. 16,
er-projects-cybersecurity. Note: Although the United States
2017).
has not formally attributed the hack to China, then-Director
of National Intelligence James Clapper identified China as 71 U.S. Election Assistance Commission, Frequently Asked
the leading suspect in June 2015 (see David Welna, “In Data Questions, https://www.eac.gov/voting-equipment/frequent-
Breach, Reluctance to Point the Finger at China,” National ly-asked-questions/ (last visited on Oct. 16, 2017).
Public Radio, Jul. 2, 2015). Moreover, a Chinese national was
72 Voting System Standards, Testing and Certification,
arrested in Los Angeles in August 2017 on charges he used a
National Conference of State Legislatures, http://www.ncsl.
rare type of computer malware to access sensitive U.S. records
org/research/elections-and-campaigns/voting-system-stan-
from the Office of Personnel Management. See http://www.cnn.
dards-testing-and-certification.aspx (June 8, 2017).
com/2017/08/24/politics/fbi-arrests-chinese-national-in-opm-
data-breach/index.html https://www.washingtonpost.com/ 73 U.S. Election Assistance Commission, EAC Launches Tech
world/national-security/chinese-national-arrested-for-using- Time Election Video Series, https://www.eac.gov/assets/1/28/
malware-linked-to-opm-hack/2017/08/24/746cbdc2-8931-11e7- EAC.Tech.Time.Videos.8.1.16.pdf (Aug. 1, 2016).
a50f-e0d4e6ec070a_story.html?utm_term=.4cf2b6bdd4f7. For 74 U.S. Election Assistance Commission, Managing Election
more on the OPM hacks unrelated to attribution, please see Technology, https://www.eac.gov/voting-equipment/manag-
Office of Personnel Management, “OPM to Notify Employees of ing-election-technology/ (last visited on Oct. 16, 2017).
Cybersecurity Incident,” Press Release (Jun. 4, 2015) and Office
of Personnel Management, “OPM Announces Steps to Protect 75 U.S. Election Assistance Commission, As Election Threats
Federal Workers and Others from Cyber Threats,” Press Release Persist, Chairman Masterson Affirms EAC Remains Poised
(Jul. 9, 2015.) See also Council on Foreign Relations, “Cyber to Support State and Local Response, https://www.eac.gov/
Operations Tracker,” CFR, https://www.cfr.org/interactive/cy- news/2017/03/20/03/20/2017/ (Mar. 20, 2017).
ber-operations?utm_source=&utm_medium=email&utm_cam- 76 Thomas Hicks, Commissioner and Vice-Chair of the Elec-
paign=11915. tions Assistance Commission, appearing at the Congressional
63 Department of Justice, “U.S. Charges Five Chinese Mili- Task Force on Election Security Forum, “Securing America’s
tary Hackers for Cyber Espionage Against U.S. Corporations Elections: Preparing for 2018 and Beyond,” Oct 24, 2017.
and a Labor Organization for Commercial Advantage,” Press 77 Id.
Release (May 19, 2014), available at https://www.justice.gov/
opa/pr/us-charges-five-chinese-military-hackers-cyber-espio- 78 Nellie Gorbea, Secretary of State, State of Rhode Island,
nage-against-us-corporations-and-labor. appearing at the Congressional Task Force on Election Security
Forum, “Securing America’s Elections: Preparing for 2018 and
64 Center for Strategic & International Studies, “Significant Beyond,” Oct 24, 2017.
Cyber Incidents,” CSIS, available at https://www.csis.org/pro-
grams/cybersecurity-and-warfare/technology-policy-program/ 79 Verified Voting, House Rejects GOP Bill to Terminate
other-projects-cybersecurity. Election Assistance Commission (Jun 23, 2011) https://thevot-
ingnews.com/house-rejects-gop-bill-to-terminate-election-as-
65 Council on Foreign Relations, “Cyber Operations Tracker,” sistance-commission-the-hill/.
CFR, available at https://www.cfr.org/interactive/cyber-op-
erations?utm_source=&utm_medium=email&utm_cam- 80 Burris, A. L., Fischer, E.A. (2016) The Help America Vote
paign=11915. Act and Election Administration: Overview and Selected Issues
for the 2016 Election (CRS Report No. RS20898).
66 Testimony of Jennifer Kolde, Lead Technical Director,
FireEye Threat Intelligence, House Committee on Homeland 81 Oversight of the Federal Bureau of Investigation: Hearing
Security, 114th Cong. (Feb. 25, 2016) available at https:// Before Senate Committee On the Judiciary, 115th Congress
www.gpo.gov/fdsys/pkg/CHRG-114hhrg21527/html/CHRG- (2017) (statement of James Comey, Director, FBI).
114hhrg21527.htm. 82 Election Assistance Commission, Elections – Critical Infra-
67 Tobias Feakin, “Enter the Cyber Dragon,” Australian Stra- structure, https://www.eac.gov/election-officials/elections-criti-
tegic Policy Institute (June 2013), available at https://www.files. cal-infrastructure/ (last visited, Nov. 6, 2017).
ethz.ch/isn/165376/10_42_31_AM_SR50_chinese_cyber.pdf. 83 EAC Reauthorization Act of 2017, H.R. 794, 115th Cong.
68 Homeland Security Act of 2002, §201 et seq, Pub. L. 107- (2017).
84 Message to the Congress of the United States from
44
Endnotes
President George W. Bush, proposal for The Department of and Telecommunications in the Context of International
Homeland Security (Jun. 18, 2002), https://georgewbush-white- Security, A/70/174 (Jul. 22, 2015), available at http://undocs.
house.archives.gov/news/releases/2002/06/20020618-5.html org/A/70/174.
and https://www.dhs.gov/sites/default/files/publications/
93 Id.
book_0.pdf.
94 U.S. Department of Homeland Security, “National Infra-
85 See House Committee on Homeland Security, Report
structure Protection Plan 2013: Partnering for Critical Infrastruc-
on the Homeland Security Act of 2002, 107th Congress, H.
ture Security and Resilience,” available at https://www.dhs.gov/
Report 107-609, at 63-7 (2002). The Report accompanying
sites/default/files/publications/national-infrastructure-protec-
the Homeland Security Act of 2002 observed, “The changing
tion-plan-2013-508.pdf.
nature of the threats facing the United States requires a new
government structure to protect against invisible enemies that 95 Critical Infrastructure Information Act of 2002, Pub. L. 107-
can strike with a wide variety of weapons” and “[a] single, 296, §211 et seq (Nov 25, 2002) (6 U.S.C. §131 et seq). See also,
unified homeland security structure will improve protection Freedom of Information Act, Pub. L. 89-487, §3 (5 U.S.C. §552).
against today’s threats and be flexible enough to help meet 96 National Cybersecurity Protection Act of 2014, Pub. L. 113-
the unknown threats of the future all the while protecting the 282 (Dec. 18, 2014); Cybersecurity Act of 2015, Div. N. Consoli-
freedom and liberty upon which this nation was founded.” Id at dated Appropriations Act of 2016, Pub. L. 114-113 (Dec. 18, 2015).
67. Related to emerging cyber threats against critical infra-
structure, the Report predicted that “[i]n addition to physical 97 Presidential Decision Directive/PPD-63, Protecting
destruction, terrorists may also seek to develop powerful forms America’s Critical Infrastructures (May 22, 1998) (introducing
of cyber attack against our critical infrastructures” and that “[w] the ISAC model and calling on each critical infrastructure sector
hile there has been no ‘electronic Pearl Harbor,’ attacks of this to establish sector-specific organizations to share information
nature will become an increasingly viable option for terrorists as about threats and vulnerabilities).
they and other foreign adversaries become more familiar with 98 See “Cybersecurity Information Sharing: Information
these targets, and the technologies required to attack them.” Id. Sharing and Analysis Centers (ISACs),” U.S. Department of
at 65-6. See also, U.S. National Commission on Terrorist Attacks Homeland Security, available at https://www.dhs.gov/topic/
upon the United States. 9/11 Commission Report: The Official cybersecurity-information-sharing.
Report of the 9/11 Commission and Related Publications, by
Thomas H. Kean and Lee Hamilton, Washington, D.C. (2004) 99 DHS does exercise limited regulatory authority over cer-
(citing inadequate information sharing and collaboration among tain critical infrastructure sectors, see e.g., the Protecting and
the intelligence failures that led to the events of September 11, Securing Chemical Facilities from Terrorist Attacks Act of 2014,
2001), https://www.9-11commission.gov/report/911Report.pdf. Pub. L. 113-254 (Dec. 18, 2014) (authorizing DHS to regulate
high risk chemical facilities against the threat of terrorist attack).
86 The full list of critical infrastructure sectors can be found
in PPD-21: Chemical; Commercial Facilities; Communica- 100 Presidential Policy Directive/PPD-21, Critical Infrastructure
tions; Critical Manufacturing; Dams; Defense Industrial Base; Security and Resilience (Feb. 13, 2013).
Emergency Services; Energy; Financial Services; Food and 101 Testimony of Jeanette Manfra, Under Secretary for
Agriculture; Government Facilities; Healthcare and Public Cyber Security and Communications, National Protection and
Health; Information Technology; Nuclear Reactors, Materials, Programs Directorate, U.S. Department of Homeland Security,
and Waste; Transportation Systems; Water and Wastewater before the Select Committee on Intelligence, U.S. Senate (June
Systems. Available at https://obamawhitehouse.archives.gov/ 21, 2017), available at https://www.intelligence.senate.gov/sites/
the-press-office/2013/02/12/presidential-policy-directive-criti- default/files/documents/os-jmanfra-062117.PDF.
cal-infrastructure-security-and-resil.
102 Testimony of Jeh Johnson, former U.S. Secretary of Home-
87 See, e.g., “Panetta Warns of Dire Threat of Cyberattack land Security, and Suzanne Spaulding, former Under Secretary
on U.S.,” The New York Times (Oct. 11, 2012), available at http:// for the National Protection and Programs Directorate, U.S.
www.nytimes.com/2012/10/12/world/panetta-warns-of-dire- Department of Homeland Security, before the Congressional
threat-of-cyberattack.html. Task Force on Election Security Forum entitled Securing Our
88 See generally, Chris Jaikaran, Cong. Research Serv., Elections: Understanding the Threat (Sept. 28, 2017), available
IF10683, DHS’s Cybersecurity Mission – An Overview (Jun. 26, at https://democrats-homeland.house.gov/hearings-and-mark-
2017). ups/hearings/task-force-election-security-securing-ameri-
cas-elections-understanding. See also Testimony of Jeanette
89 See, e.g., “The Perfect Weapon: How Russian Cyberpower Manfra, before the Select Committee on Intelligence, U.S. Sen-
Invaded the U.S.,” The New York Times (Dec. 13, 2016), available ate (June 21, 2017), available at https://www.intelligence.senate.
at https://www.nytimes.com/2016/12/13/us/politics/russia- gov/sites/default/files/documents/os-jmanfra-062117.PDF.
hack-election-dnc.html?_r=0.
103 Letter from the Hon. Bennie G. Thompson, Ranking
90 See generally, “Critical Infrastructure Resources,” U.S. Member of the Committee on Homeland Security, U.S. House
Department of Homeland Security, available at https://www. of Representatives to U.S. Secretary of Homeland Security Jeh
dhs.gov/critical-infrastructure-resources. Johnson, Department of Homeland Security (Aug. 8, 2016) (on
91 Id. file with Committee staff ).
92 United Nations General Assembly, Group of Govern- 104 Id.

mental Experts on Developments in the Field of Information 105 Id.
45
Endnotes
106 See, e.g., “U.S. Seeks to Protect Voting System From Cy- 115 “NASS Statement on Cyber Security and Election Read-
berattacks,” New York Times (Aug. 3, 2016), available at https:// iness,” National Association of Secretaries of State (Aug. 5,
www.nytimes.com/2016/08/04/us/politics/us-seeks-to-pro- 2016), available at http://nass.org/node/239.
tect-voting-system-against-cyberattacks.html?_r=1.
116 Id.
107 Readout of U.S. Department of Homeland Security
117 “NASS Statement on Cyber Security and Election Read-
Secretary Jeh Johnson’s Call with State Election Officials on
iness,” National Association of Secretaries of State (Aug. 5,
Cybersecurity, U.S. Department of Homeland Security (Aug.
2016), available at http://nass.org/node/239.
15, 2016), available at https://www.dhs.gov/news/2016/08/15/
readout-secretary-johnsons-call-state-election-officials-cyber- 118 Open Letter from the Nation’s Secretaries of State to Con-
security. On August 31, 2016, NASS named four Secretaries of gress, National Association of Secretaries of State, Let’s Work
State to serve on the panel: Connecticut State Secretary Denise Together to Share Facts About Cybersecurity and Our Elections
Merill, Indiana State Secretary Connie Lawson, who also serves (Sept. 26, 2016), available at http://www.nass.org/node/236.
as the NASS President of and NASS Elections Committee Co- 119 Letter from U.S. House of Representatives Speaker Paul
Chairs Alex Padilla (California) and Brian Kemp (Georgia). See D. Ryan and Democratic Leader Nancy Pelosi, and U.S. Senate
Press Release from the National Association of Secretaries of Majority Leader Mitch McConnell and Democratic Leader
States, NASS Appoints Secretaries of State to Federal Election Harry Reid to Hon. Todd Valentine, President of the National
Infrastructure Cybersecurity Working Group (Aug. 31, 2016), Association of State Election Directors (Sept. 28, 2016), avail-
available at http://www.nass.org/node/238. able at https://www.politico.com/f/?id=00000157-7606-d0b2-
108 See, e.g., “DHS’s New Election Cybersecurity Com- a35f-7e1f2aac0001. See also, “States Urged to Bolster Election
mittee Has No Cybersecurity Experts,” Techdirt (Sept. Security,” The Hill (Sept. 30, 2016), available at http://thehill.
2, 2016), available at https://www.techdirt.com/arti- com/policy/cybersecurity/298677-congressional-leaders-let-
cles/20160902/06412735425/dhss-new-election-cybersecuri- ter-to-states-bolster-election-cybersecurity.
ty-committee-has-no-cybersecurity-experts.shtml. 120 Letter from U.S. House of Representatives Speaker Paul
109 Readout of Secretary Johnson’s Call with State Election D. Ryan and Democratic Leader Nancy Pelosi, and U.S. Senate
Officials on Cybersecurity, U.S. Department of Homeland Majority Leader Mitch McConnell and Democratic Leader
Security (Aug. 15, 2016), available at https://www.dhs.gov/ Harry Reid to Hon. Todd Valentine, President of the National
news/2016/08/15/readout-secretary-johnsons-call-state-elec- Association of State Election Directors (Sept. 28, 2016), avail-
tion-officials-cybersecurity. able at https://www.politico.com/f/?id=00000157-7606-d0b2-
a35f-7e1f2aac0001.
110 Statement by U.S. Department of Homeland Security
Secretary Jeh Johnson Concerning the Cybersecurity of the 121 Joint Statement from the Department of Homeland
Nation’s Election Systems, (Sept. 16, 2016) https://www.dhs. Security and the Office of the Director of National Intelligence
gov/news/2016/09/16/statement-secretary-johnson-concern- on Election Security (Oct. 7, 2016), available at https://www.
ing-cybersecurity-nation%E2%80%99s-election-systems. dhs.gov/news/2016/10/07/joint-statement-department-home-
land-security-and-office-director-national.
111 Readout of Secretary Johnson’s Call with State Election
Officials on Cybersecurity, U.S. Department of Homeland 122 Joint Statement from the Department of Homeland
Security (Aug. 15, 2016), available at https://www.dhs.gov/ Security and the Office of the Director of National Intelligence
news/2016/08/15/readout-secretary-johnsons-call-state-elec- on Election Security (Oct. 7, 2016), available at https://www.
tion-officials-cybersecurity. dhs.gov/news/2016/10/07/joint-statement-department-home-
land-security-and-office-director-national.
112 Open Letter from the Nation’s Secretaries of State to Con-
gress, National Association of Secretaries of State, Let’s Work 123 Update by U.S. Department of Homeland Security Secre-
Together to Share Facts About Cybersecurity and Our Elections tary Jeh Johnson on DHS Election Cybersecurity Services (Oct.
(Sept. 26, 2016), available at http://www.nass.org/node/236. 10, 2016), available at https://www.dhs.gov/news/2016/10/10/
update-secretary-johnson-dhs-election-cybersecurity-services.
113 Testimony of Suzanne Spaulding, former Under Secretary
for the National Protection and Programs Directorate, U.S. 124 Id.
Department of Homeland Security, before the Congressional 125 Letter from Hon. John Kelly, Secretary of Homeland
Task Force on Election Security Forum entitled Securing Our Security, U.S. Department of Homeland Security to Sen. Claire
Elections: Understanding the Threat (Sept. 28, 2017), available McCaskill, Ranking Member of the Homeland Security and
at https://democrats-homeland.house.gov/hearings-and-mark- Government Affairs Committee, U.S. Senate (Jun. 13, 2017),
ups/hearings/task-force-election-security-securing-ameri- available at https://www.hsgac.senate.gov/media/minority-me-
cas-elections-understanding (explaining that state election dia/senate-hsgac-staff-issue-memo-highlighting-dhs-aid-to-
officials did not have sufficient time to make significant changes states-to-secure-election-systems.
to their elections systems by the time DHS began to receive
reports of election system targeting and engage with states in 126 Julie Hirschfield Davis, “Trump Says Putin ‘Means It’ About
late summer 2016). Not Meddling,” The New York Times (Nov. 11, 2017), available
at https://www.nytimes.com/2017/11/11/world/asia/trump-pu-
114 Open Letter from the Nation’s Secretaries of State to Con- tin-election.html?_r=0.
gress, National Association of Secretaries of State, Let’s Work
Together to Share Facts About Cybersecurity and Our Elections 127 Joint Statement from the Department of Homeland Secu-
(Sept. 26, 2016), available at http://www.nass.org/node/236. rity, the Office of the Director of National Intelligence, and the
46
Endnotes
Federal Bureau of Investigations on Russian Malicious Cyber 21, 2017), available at https://www.intelligence.senate.gov/sites/
Activity (Dec. 29, 2016), available at https://www.dhs.gov/ default/files/documents/os-jmanfra-062117.PDF.
news/2016/12/29/joint-dhs-odni-fbi-statement-russian-mali-
142 Testimony of Chris Krebs, Senior Official Performing
cious-cyber-activity.
the Duties of the Under Secretary, National Protection and
128 Joint Analysis Report of the U.S. Department of Home- Programs Directorate, U.S. Department of Homeland Security,
land Security National Cybersecurity Communications and before the U.S. Senate Committee on Armed Services (Oct. 19,
Integration Center and Federal Bureau of Investigations, Grizzly 2017), available at https://www.armed-services.senate.gov/
Steppe – Russian Malicious Cyber Activity, JAR-16-20296A imo/media/doc/Krebs_10-19-17.pdf.
(Dec. 29, 2016), available at https://www.us-cert.gov/sites/
143 Id.
default/files/publications/JAR_16-20296A_GRIZZLY%20
STEPPE-2016-1229.pdf. 144 Id. See also, Letter from the National Association of
Secretaries of State to Hon. John Kelly, Secretary of Homeland
129 Office of the Director of National Intelligence, Assessing
Security, U.S. Department of Homeland Security (Jul. 20, 2017),
Russian Activities and Intentions in Recent U.S. Elections, ICA
available at http://www.nass.org/sites/default/files/nass-letter-
2017-01D (Jan. 6, 2017), https://www.dni.gov/files/documents/
urgent-items-sec-kelly-072017.doc.pdf.
ICA_2017_01.pdf (describing the Kremlin’s activities as “a signif-
icant escalation in the directness, level of activity, and scope of 145 Letter from the National Association of Secretaries of
effort compared to previous operations”). State to Hon. John Kelly, Secretary of Homeland Security, U.S.
Department of Homeland Security (Jul. 20, 2017), available at
130 Assessing Russian Activities and Intentions in Recent U.S.
http://www.nass.org/sites/default/files/nass-letter-urgent-
Elections, supra, n. 3.
items-sec-kelly-072017.doc.pdf.
131 Id.
146 Id.
132 Statement by U.S. Department of Homeland Security Sec-
147 Letter from Hon. Connie Lawson, Indiana Secretary of
retary Jeh Johnson on the Designation of Election Infrastructure
State, National Association of Secretaries of State President to
as a Critical Infrastructure Subsector, (Jan. 6, 2017), available
Hon. Bennie Thompson and Hon. Robert Brady (Aug. 3, 2017)
at https://www.dhs.gov/news/2017/01/06/statement-secre-
(on file with Committee staff ).
tary-johnson-designation-election-infrastructure-critical. “Elec-
tion Infrastructure” includes: “storage facilities, polling places, 148 Testimony of Suzanne Spaulding, former Under Secretary
and centralized vote tabulations locations used to support the for the National Protection and Programs Directorate, U.S.
election process, and information and communications tech- Department of Homeland Security, before the Congressional
nology to include voter registration databases, voting machines, Task Force on Election Security Forum entitled Securing Our
and other systems to manage the election process and report Elections: Understanding the Threat (Sept. 28, 2017), available
and display results on behalf of state and local governments.” at https://democrats-homeland.house.gov/hearings-and-mark-
Id. ups/hearings/task-force-election-security-securing-ameri-
cas-elections-understanding.
133 Id.
149 Id. See also, Testimony of Chris Krebs, Assistant Secretary
134 Id.
for Infrastructure Protection, and Jeanette Manfra, Under Secre-
135 Id. tary for Cyber Security and Communications, National Protec-
tion and Programs Directorate, U.S. Department of Homeland
136 See National Association of Secretaries of State Reso-
Security, before the Homeland Security Committee, U.S. House
lution Opposing the Designation of Elections as Critical Infra-
of Representatives (Oct. 3, 2017).
structure (Feb. 18, 2017), http://nass.org/index.php/node/103.
150 Sari Horwitz, et. al., “DHS Tells States About Russian
137 “DHS Accelerates Work to Protect 2018 Elections Under
Hacking During 2016 Election,” The Washington Post (Sept. 22,
‘Critical Infrastructure’ Tag,” Politico (Jun. 11, 2017), available at
2017), available at https://www.washingtonpost.com/world/
https://www.politicopro.com/cybersecurity/story/2017/07/
national-security/dhs-tells-states-about-russian-hacking-
dhs-accelerates-work-to-protect-2018-elections-under-criti-
during-2016-election/2017/09/22/fd263a2c-9fe2-11e7-8ea1-
cal-infrastructure-tag-159371.
ed975285475e_story.html?utm_term=.27f1ff7979e6.
138 “DHS Accelerates Work to Protect 2018 Elections Under
151 Chad Day, Associated Press, “DHS: Hackers Targeted
‘Critical Infrastructure’ Tag,” Politico (Jun. 11, 2017), available at
Other Systems to Find Weak Spots,” The Washington Post
https://www.politicopro.com/cybersecurity/story/2017/07/
(Sept. 28, 2017), available at https://www.washingtonpost.com/
dhs-accelerates-work-to-protect-2018-elections-under-criti-
business/technology/dhs-hackers-targeted-other-systems-to-
cal-infrastructure-tag-159371.
find-weak-spots/2017/09/28/ffe1bcd0-a48a-11e7-b573-8ec-
139 “State election officials express frustration after meeting 86cdfe1ed_story.html?utm_term=.bab35e663963.
feds,” CNN Politics (Jul. 8, 2017) available at http://www.cnn.
152 See also, Testimony of Chris Krebs, Assistant Secretary for
com/2017/07/08/politics/nass-conference/index.html.
Infrastructure Protection, and Jeanette Manfra, Under Secretary
140 Id. for Cyber Security and Communications, National Protection
141 Testimony of Jeanette Manfra, Under Secretary for and Programs Directorate, U.S. Department of Homeland
Cyber Security and Communications, National Protection and Security, before the Homeland Security Committee, U.S. House
Programs Directorate, U.S. Department of Homeland Security, of Representatives (Oct. 3, 2017).
before the Select Committee on Intelligence, U.S. Senate (June
47
Endnotes
153 Id. The newly-established Election Task Force includes man Robert Brady, Co-Chairman, Joint Task Force on Election
regular participation from a number of officials within DHS Security (Aug. 25, 2017); Letter from John A. Gale, Secretary of
NPPD’s Office of Cybersecurity and Communications (e.g. State, State of Nebraska, to Congressman Bennie Thompson &
Stateholder Engagement and Cyber Infrastructure Resilience Congressman Robert Brady, Co-Chairman, Joint Task Force on
and National Cybersecurity and Communications Integration Election Security (Aug. 8, 2017) (on file with author); Letter from
Center), DHS NPPD’s Office of Cyber and Infrastructure Analy- Steve Sandvoss, Executive Director, Illinois State Board of Elec-
sis, DHS NPPD’s Infrastrucutre Protection, DHS’s Office of Intel- tions, to Tanya Sehgal, Elections Counsel, Committee on House
ligence and Analysis, DHS’s Office of General Counsel, DHS’s Administration – Minority Staff (Sept. 9, 2017) (on file with
Office of Legislative Affairs, DHS’s Office of External Affairs, author); Letter from Pedro A. Cortés, Secretary of the Com-
NPPD Office of the Under Secreatry, the Election Assistance monwealth, Commonwealth of Pennsylvania, to Congressman
Commission, the Federal Bureau of Investigation, the Cyber Bennie Thompson & Congressman Robert Brady, Co-Chair-
Threat Intelligence Integration Center, and Office of the Director man, Joint Task Force on Election Security (Aug. 23, 2017)
of National Intelligence. (on file with author); Letter from Connie Lawson, President,
National Association of Secretaries of State, to Congressman
154 Testimony of Chris Krebs, Assistant Secretary for Infra-
Bennie Thompson & Congressman Robert Brady, Co-Chair-
structure Protection, and Jeanette Manfra, Under Secretary for
man, Joint Task Force on Election Security (Aug. 3, 2017) (on file
Cyber Security and Communications, National Protection and
with author).
Programs Directorate, U.S. Department of Homeland Security,
before the Homeland Security Committee, U.S. House of Repre- 164 Letter from Nellie M. Gorbea, Secretary of State, State
sentatives (Oct. 3, 2017). of Rhode Island and Providence Plantations, to Congressman
Bennie Thompson & Congressman Robert Brady, Co-Chair-
155 Press Release, U.S. Department of Homeland Security,
man, Joint Task Force on Election Security (Aug. 25, 2017) (on
“DHS and Partners Convene First Election Infrastructure Coor-
file with author).
dinating Council,” (Oct. 14, 2017), available at https://www.dhs.
gov/news/2017/10/14/dhs-and-partners-convene-first-elec- 165 Letter from Gorbea, supra n. 164.
tion-infrastructure-coordinating-council. See also, Press
166 Letter from Cortés, supra n. 164.
Release, U.S. Election Assistance Commission, “Elections
Government Sector Coordinating Council Established, Charter 167 Edgardo Cortés, Commissioner, Virginia Department
Adopted” (Oct. 14, 2017), available at https://www.eac.gov/ of Elections, appearing at the Congressional Task Force on
news/2017/10/14/elections-government-sector-coordinat- Election Security
ing-council-established-charter-adopted/. 168 Letter from Connie Lawson, President, National Associa-
156 Testimony of Chris Krebs, Assistant Secretary for Infra- tion of Secretaries of State, to Congressman Bennie Thompson
structure Protection, and Jeanette Manfra, Under Secretary for & Congressman Robert Brady, Co-Chairman, Joint Task Force
Cyber Security and Communications, National Protection and on Election Security (Aug. 3, 2017) (on file with author).
Programs Directorate, U.S. Department of Homeland Security, 169 Letter from Gorbea; Letter from Simon; Letter from Gale;
before the Homeland Security Committee, U.S. House of Repre- Letter from Marci Andino, Executive Director, South Carolina
sentatives (Oct. 3, 2017). Election Commission, to Congressman Bennie Thompson &
157 U.S. Const. art. I, § 4, cl. 1. Congressman Robert Brady, Co-Chairman, Joint Task Force on
Election Security (Oct. 5, 2017) (on file with author); Letter from
158 U.S. Election Assistance Commission, The Election Admin.
Cortés.
and Voting Survey: 2016 Comprehensive Report, 159 (2017)
https://www.eac.gov/assets/1/6/2016_EAVS_Comprehen- 170 Letter from Gorbea, supra n. 164; Letter from Lawson,
sive_Report.pdf. supra n. 168.
159 Lawrence Norden & Ian Vanderwalker, Brennan Center for 171 Letter from Gorbea, , supra n. 164.; Letter from Andino;
Justice at NYU School of Law, Securing Elections from Foreign Letter from Simon.
Interference, 9 (2017) https://www.brennancenter.org/sites/de- 172 Letter from Matthew D. Chase, Executive Director, Na-
fault/files/publications/Securing_Elections_From_Foreign_In- tional Association of Counties to Leader McConnell, Leader
terference_1.pdf. Schumer, Senator McCain, and Senator Reed (Sept. 13, 2017)
160 J. Mijin Cha and Liz Kennedy, Millions to the Polls: Poll http://www.naco.org/blog/naco-supports-amendment-in-
Worker Recruitment & Training (February 18, 2014), http:// crease-federal-support-election-cybersecurity.
www.demos.org/publication/millions-polls-poll-worker-recruit- 173 Letter from Secretary Steve Simon, Secretary Kim Wy-
ment-training. man, Secretary Alex Padilla, Secretary Denise Merrill, Secretary
161 Norden & Vanderwalker; Cory Bennett et al., Cash- Alison Lundergan Grimes, Secretary Tom Schedler, Secretary
Strapped States Brace for Russian Hacking Fight, POLITICO Barbara Cegavske, Secretary Pedro Cortés, Secretary Nellie
(Sept. 3, 2017), http://www.politico.com/story/2017/09/03/ Gorbea, and Secretary Jim Condos to Senator McCain and
election-hackers-russia-cyberattack-voting-242266. Senator Reed (Sept. 8, 2017) https://issuu.com/neic/docs/sec-
retaries_of_state_letter_in_supp.
162 Brad Tuttle, How Much Election Day Costs the Country –
and Voters, Time, (Nov 8, 2016). 174 United States Election Project, http://www.electproject.
org/home/voter-turnout/voter-turnout-data (last visited, No-
163 Letter from Steven Simon, Secretary of State, State of
vember 1, 2017).
Minnesota, to Congressman Bennie Thompson & Congress-
48
Endnotes
175 Penn Warton Pub. Policy Initiative, The Warton School, staff, Sept. 27, 2017.
University of Pennsylvania, The Business of Voting, 11-13, 20
195 Blaze, 4, supra n. 182.
(2017) https://publicpolicy.wharton.upenn.edu/live/files/270-
the-business-of-voting. 196 Verified Voting, State Audit Laws Searchable Database,
https://www.verifiedvoting.org/state-audit-laws/about/ (last
176 Norden & Vandewalker, 9, supra n. 159.
visited Oct. 16, 2017).
177 Pam Fessler, Some Machines Are Flipping Votes, But That
197 Risk-Limiting Audits Working Group, Risk-Limiting
Doesn’t Mean They’re Rigged, NPR (Oct. 26, 2016) http://www.
Post-Election Audits: Why and How, 5, (Jennie Bretschneider et
npr.org/2016/10/26/499450796/some-machines-are-flipping-
al. eds., 1.1 version, 2012) https://www.stat.berkeley.edu/~stark/
votes-but-that-doesnt-mean-theyre-rigged.
Preprints/RLAwhitepaper12.pdf.
178 Lawrence Norden & Christopher Famighetti, Brennan
198 National Election Defense Coalition, supra n. 190.
Center for Justice at NYU School of Law, America’s Voting Ma-
chines at Risk, 5 (2015) https://www.brennancenter.org/sites/ 199 Russian Interference in the 2016 U.S. Election: Hearing Be-
default/files/publications/Americas_Voting_Machines_At_Risk. fore Senate Select Commission on Intelligence, 115th Congress
pdf. (2017) (testimony from J. Alex Halderman, Professor, University
of Michigan).
179 Center for American Progress, Election Infrastructure:
Vulnerabilities and Solutions, 1 (2017) https://www.american- 200 J. Alex Halderman, Professor, University of Michigan, in
progress.org/issues/democracy/reports/2017/09/11/438684/ person discussion with Task Force staff, August 9, 2017.
election-infrastructure-vulnerabilities-solutions/. 201 Bailey McCann, Rhode Island to Implement Post-Elec-
180 Penn Warton Pub. Policy Initiative, 13, supra n. 175. tion Audits, CivSource (Sept. 20, 2017) https://civsourceonline.
com/2017/09/20/rhode-island-to-implement-post-election-
audits/.
182 Matt Blaze et al., DEFCON 25 Voting Machine Hacking Vil-
202 Help America Vote Act of 2001, 52 U.S.C. §§ 20901-1145
lage: Rep. on Cyber Vulnerabilities in U.S. Election Equipment,
(2015).
Databases, and Infrastructure, 16 (2017) https://www.defcon.
org/images/defcon-25/DEF%20CON%2025%20voting%20 203 Norden & Vandewalker, 19, supra n. 159.
village%20report.pdf. 204 Callum Borchers, What We Know About the 21 States
183 Norden & Vandewalker, 9, supra n. 159. Targetted by Russian Hackers, The Washington Post (Sept.
23, 2017) https://www.washingtonpost.com/news/the-fix/
184 Ed Felten, E-Voting Links for Election Day, Freedom to
wp/2017/09/23/what-we-know-about-the-21-states-targeted-
Tinker (Nov. 2, 2017) https://freedom-to-tinker.com/2010/11/02/
by-russian-hackers/?utm_term=.c296117b25d4.
e-voting-links-election-day/.
207 Matthew Cole et al., Top-Secret NSA Report Details Rus-
sian Hacking Effort Days Before 2016 Election, The Intercept
188 Eric Geller, Virginia Bars Voting Machines Considered Top (June 5, 2017) https://theintercept.com/2017/06/05/top-secret-
Hacking Target, POLITICO (Sept. 8, 2017) http://www.politico. nsa-report-details-russian-hacking-effort-days-before-2016-
com/story/2017/09/08/virginia-election-machines-hacking-tar- election/.
get-242492.
189 Id.
209 Id.
190 National Election Defense Coalition, Expert Sign-On Letter
210 Penn Warton Public Policy Initiative, 15.
to Congress: Secure American Elections (2017) https://www.
electiondefense.org/election-integrity-expert-letter/. 211 Blaze, 5, supra n. 182.
191 Norden & Vandewalker, 11, supra n. 159; Geller, supra n. 188. 212 Id.
192 J. Alex Halderman, Professor, University of Michigan, in 213 Steve Simon, Secretary of State, State of Minnesota, in
email message to Task Force staff, Oct. 17, 2017. person discussion with Task Force staff, Sept. 28, 2017; Marian
Schneider, Special Adviser on Elections to the Governor of
193 Judd Choate, Director of Elections, State of Colorado, in
Pennsylvania, in phone discussion with Task Force staff, Oct.
person discussion with Task Force staff, Sept. 22, 2017.
13, 2017.
194 Jake Braun, Chief Executive Officer, Cambridge Global Ad-
214 Letter from Gorbea, supra n. 164.
visers, in person discussion with Task Force staff, Sept. 14, 2017;
Larry Norden, Deputy Director of the Democracy Program, 215 Evan Halper, U.S. Elections are an Easier Target for
Brennan Center for Justice at NYU School of Law, in phone Russian Hackers than Once Thought, LA Times (Jul. 28, 2017)
discussion with Task Force staff, Sept. 14, 2017; J. Alex Halder- http://www.latimes.com/politics/la-na-pol-elections-hacking-
man, Professor, University of Michigan, in person discussion 2017-story.html.
with Task Force staff, Aug. 9, 2017; Barbara Simons, Board of 216 Michael Wines, Wary of Hackers, States Move to Upgrade
Directors, Verified Voting, in phone discussion with Task Force Voting Systems, The New York Times (Oct. 14, 2017) https://
49
Endnotes
www.nytimes.com/2017/10/14/us/voting-russians-hack- 235 Matthew Cole et al., Top-Secret NSA Report Details Rus-
ing-states-.html?_r=0. sian Hacking Effort Days Before 2016 Election, The Intercept
(Jun. 5, 2017) https://theintercept.com/2017/06/05/top-secret-
nsa-report-details-russian-hacking-effort-days-before-2016-
Russian Hacking Fight, POLITICO (Sept. 3, 2017) http://www.
election/.
attack-voting-242266. 236 Id.
218 Governor Cuomo Directs Cyber Security of Voting 237 Id.
Infrastructure Amidst Reports of Foreign Interference in 2016
238 Id.; Ben Martin, Chief Operating Officer, VR Systems, and
Election, (Jun. 20, 2017) https://www.governor.ny.gov/news/
Mindy Perkins, Chief Executive Officer, VR Systems, in person
governor-cuomo-directs-cyber-security-advisory-board-re-
discussion with Task Force staff, Sept. 25, 2017.
view-cyber-security-voting.
239 Background to “Assessing Russian Activities and Inten-
219 Bennett, supra n. 7.
tions in Recent US Elections: The Analytic Process and Cyber
220 Nellie Gorbea, Rhode Island Secretary of State, appearing Attribution”. Office of the Director of National Intelligence. Jan. 6
at the Congressional Task Force on Election Security Forum, 2017. Report. Pg. 2
“Securing America’s Elections: Preparing for 2018 and Beyond,”
240 Id.
Oct 24, 2017.
241 Martin & Perkins, supra n. 238.
242 Id.
222 Yejin Cooke, Director of Government Affairs, National
Association of State Chief Information Officers, in person dis- 243 Penn Warton Public Policy Initiative, 15, supra n. 175.
cussion with Task Force Staff, Sept. 12, 2017. 244 Penn Warton Public Policy Initiative, 8, supra n. 175.
223 Bennett, supra n. 7. 245 Penn Warton Public Policy Initiative, 8, supra n. 175.
224 Id. 246 Michael Riley et al., The Computer Voting Revolution
225 Governor Rick Scott’s 2017-2018 Budget, (last visited, Oct. is Already Crappy, Buggy, and Obsolete, Bloomberg Busi-
18, 2017). http://fightingforfloridasfuturebudget.com/web%20 nessweek (Sept. 29, 2017) https://www.bloomberg.com/fea-
forms/Budget/BudgetService.aspx?rid1=327714&rid2=298915 tures/2016-voting-technology/.
&ai=45000000&title=STATE. 247 Penn Warton Public Policy Initiative, 32, supra n. 175.
226 Jackie Borchardt, Ohio Gov. John Kasich Vetoes Medicaid 248 Julie Hirschfield Davis, “Trump Says Putin ‘Means It’ About
Freeze, Signs State Budget Bill, Cleveland.com (Jul. 10, 2017) Not Meddling,” The New York Times (Nov. 11, 2017), available
http://www.cleveland.com/metro/index.ssf/2017/06/ohio_gov_ at https://www.nytimes.com/2017/11/11/world/asia/trump-pu-
john_kasich_signs_sta.html. tin-election.html?_r=0.
227 Veto Message in Brief, Sept. 20, 2017, p. 13. https://walker. 249 Testimony of Suzanne Spaulding, former Under Secretary
wi.gov/sites/default/files/09.20.17%20Veto%20Message%20 for the National Protection and Programs Directorate, U.S.
in%20Brief.pdf. Department of Homeland Security, before the Congressional
228 Voting System Standards, Testing and Certification, Task Force on Election Security Forum entitled Securing Our
National Conference of State Legislatures, http://www.ncsl. Elections: Understanding the Threat (Sept. 28, 2017), available
org/research/elections-and-campaigns/voting-system-stan- at https://democrats-homeland.house.gov/hearings-and-mark-
dards-testing-and-certification.aspx (Jun. 8, 2017). ups/hearings/task-force-election-security-securing-ameri-
cas-elections-understanding.
250 See, U.S. Information Agency report prepared for the U.S.
230 U.S. Election Assistance Commission, Managing Election
House of Representatives Committee on Appropriations, Soviet
Technology, https://www.eac.gov/voting-equipment/manag-
Active Measures in the “Post Cold War” Era 1988-1991 (June
ing-election-technology/ (last visited on Oct. 16, 2017).
1992), available at http://intellit.muskingum.edu/russia_folder/
231 Steve Simon, Secretary of State, State of Minnesota, in pcw_era/exec_sum.htm (quoting Eduard Shevardnadze, Min-
person discussion with Task Force staff, Sept. 28, 2017; Marian ister of Foreign Affairs of the Soviet Union (1985-91)). See also,
Schneider, Special Adviser on Elections to the Governor of Testimony of Clint Watts, Senior Fellow, Center for Cyber and
Pennsylvania, in phone discussion with Task Force staff, Oct. Homeland Security, George Washington University, before the
13, 2017. U.S. Senate Select Committee on Intelligence (Mar. 30, 2017),
232 Nellie Gorbea, Rhode Island Secretary of State, appearing
files/documents/os-cwatts-033017.pdf.
at the Congressional Task Force on Election Security Forum,
“Securing America’s Elections: Preparing for 2018 and Beyond,” 251 Testimony of Roy Godson, Emeritus Professor of Govern-
Oct. 24, 2017. ment at Georgetown University, before the U.S. Senate Select
Committee on Intelligence (Mar. 30, 2017), available at https://
233 Edgardo Cortés, Commissioner, Virginia Department
www.intelligence.senate.gov/sites/default/files/documents/
of Elections, appearing at the Congressional Task Force on
os-rgodson-033017.pdf (noting that even “[I]n the final years
Election Security.
of the Soviet Union there was enough information on their
234 Manfra, supra n. 104.
50
Endnotes
active measures systems to conclude that approximately 15,000 advisers form group to make 2020 race unhackable,” USA
personnel and several billions of hard currency annually were Today, (Oct. 10, 2017), available at https://www.usatoday.com/
being spent on these activities – aimed mostly at the U.S. and story/tech/news/2017/10/10/after-russian-election-hack-u-
its allies.”). s-security-advisers-form-group-make-2020-race-unhack-
able/747403001/. See also Robby Mook, “Keep the Hackers Out
252 See, e.g., “Russia’s Radical New Strategy for Informa-
of Our Elections,” CNN, (Aug. 24, 2017), available at http://www.
tion Warfare,” The Washington Post (Jan. 18, 2017), available
cnn.com/2017/08/24/opinions/keep-hackers-out-of-our-elec-
at https://www.washingtonpost.com/blogs/post-partisan/
tions-opinion-mook/index.html. See also Matt Rhoades, “Every
wp/2017/01/18/russias-radical-new-strategy-for-informa-
campaign is now a cyberwar target,” New York Post, (Aug. 13,
tion-warfare/?utm_term=.c26667e8ad3e (quoting Andrey
2017), available at http://nypost.com/2017/08/13/every-cam-
Krutskikh, a “senior level advisor” to Russian President Vladimir
paign-is-now-a-cyberwar-target/. See also Lawrence Norden
Putin, for remarks at the Russian information security fo-
and Ian Vandewalker, “Securing Elections From Foreign Inter-
rum Infoforum 2016 on Feb. 4-5, 2016, asserting that Russia
ference,” Brennan Center, (Jun. 29, 2017), available at https://
“has new strategies for the information arena that would be
www.brennancenter.org/publication/securing-elections-for-
equivalent to testing a nuclear bomb and would allow us to
eign-interference.
talk to Americans as equals.”). See also, “Inside Russia’s Social
Media War on America,” Time (May 18, 2017), available at http:// 258 Michael O’Hanlon, “Cyber Threats and How the
time.com/4783932/inside-russia-social-media-war-america/ United States Should Prepare,” Brookings, (Jun. 14,
(noting that “[O]ne particularly talented Russian programmer 2017), available at https://www.brookings.edu/blog/or-
who had worked with social media researchers in the U.S. for der-from-chaos/2017/06/14/cyber-threats-and-how-the-unit-
10 years had returned to Moscow and brought with him a trove ed-states-should-prepare/. See also Edward-Isaac Dovere,
of algorithms that could be used in influence operations. He “Hacker study: Russia could get into U.S. voting machines,” Po-
was promptly hired by those working for Russian intelligence liticoPro, (Oct. 9, 2017), available at https://www.politico.com/
services, senior intelligence officials tell TIME.”). story/2017/10/09/russia-voting-machines-hacking-243603. See
also The Brookings Institution, “The National Security Impera-
253 See, e.g., “Russia Election Hacking: Countries Where the
tive of Addressing Foreign Cyber Interference in U.S. Elections,”
Kremlin Has Allegedly Sought to Sway Votes,” Newsweek (May
Brookings, (Sept. 8, 2017), available at https://www.brookings.
9, 2017), available at http://www.newsweek.com/russia-elec-
edu/wp-content/uploads/2017/09/20170908_election_securi-
tion-hacking-france-us-606314.
ty_transcript.pdf.
254 Open Hearing on Russian Interference in European
259 Memorandum from Eric Fischer, Senior Specialist, Con-
Elections Senate Select Committee on Intelligence, 115th Cong.
gressional Research Service, on Use of Voter-Verified Paper
(Jun. 28, 2017), (statement of Ambassador (ret.) Nicholas Burns),
Audit Trails by State Election Jurisdictions to Tanya Sehgal,
Elections Counsel, Committee on House Administration – Mi-
files/documents/sfr-nburns-062817b.pdf.
nority Staff (Sept. 14, 2017) (on file with author).
255 James Ludes and Mark Jacobson, “Shatter the House of
260 National Election Defense Coalition, supra n. 190.
Mirrors: A Conference Report on Russian Influence Operations,”
Pell Center, (Sept. 26, 2017), available at http://pellcenter.org/ 261 Blaze, 4, supra n. 182.
wp-content/uploads/2017/09/Shatter-the-House-of-Mirrors-
262 Jake Braun, Chief Executive Officer, Cambridge Global Ad-
FINAL-WEB.pdf; Heather Conley and Ruslan Stefanov, “The
visers, in person discussion with Task Force staff, Sept. 14, 2017;
Kremlin Playbook,” CSIS, (Oct. 13, 2016), available at https://
Larry Norden, Deputy Director of the Democracy Program,
www.csis.org/analysis/welcome-kremlin-playbook; Alina Polya-
Brennan Center for Justice at NYU School of Law, in phone
kova et al, “The Kremlin’s Trojan Horses,” The Atlantic Council,
discussion with Task Force staff, Sept. 14, 2017; J. Alex Halder-
(Nov. 15, 2016), available at http://www.atlanticcouncil.org/im-
man, Professor, University of Michigan, in person discussion
ages/publications/The_Kremlins_Trojan_Horses_web_0228_
with Task Force staff, Aug. 9, 2017; Barbara Simons, Board of
third_edition.pdf; Christopher Paul and Miriam Matthews, “The
Directors, Verified Voting, in phone discussion with Task Force
Russian Firehose of Propaganda Model,” RAND, (Dec. 13, 2016),
staff, Sept. 27, 2017.
available at https://www.rand.org/content/dam/rand/pubs/
perspectives/PE100/PE198/RAND_PE198.pdf; and Minority 263 Norden & Vandewalker, 14, supra n. 159.
Staff Report of the House Committee on Science, Space, and 264 Juan Gilbert, University of Florida, in person discussion
Technology Subcommittee on Oversight, “Old Tactics, New with Task Force Staff (Nov. 16, 2017).
Tools: A Review of Russia’s Soft Cyber Influence Operations,”
(Nov. 2017), available at https://democrats-science.house.gov/ 265 Wines, supra n. 216.
sites/democrats.science.house.gov/files/documents/Rus- 266 Bennett, supra n. 7.
sian%20Soft%20Cyber%20Influence%20Operations%20-%20
Minority%20Staff%20Report%20-%20November%202017_0. 267 Letter from Gorbea, supra n. 164; Letter from Simon, supra
pdf. n. 163; Letter from Gale, supra n. 163; Letter from Cortés, supra
n. 163; Letter from Lawson, supra n. 168.
256 See, e.g., “Don’t Let Mexico’s Elections Become Putin’s
Next Target,” Council on Foreign Relations (Nov. 9, 2017), avail- 268 Burris, A. L., Fischer, E.A. (2016) The Help America Vote
able at https://www.cfr.org/blog/dont-let-mexicos-elections- Act and Election Administration: Overview and Selected Issues
become-putins-next-target. for the 2016 Election (CRS Report No. RS20898).
257 Elizabeth Weise, “After Russian election hack, U.S. security 269 J. Alex Halderman, Professor, University of Michigan, in
51
Endnotes
person discussion with Task Force Staff (Aug. 9, 2017). 283 Bennett, supra n. 182.
270 Risk-Limiting Audits Working Group, Risk-Limiting 284 Testimony of Suzanne Spaulding, former Under Secretary
Post-Election Audits: Why and How, 5, (Jennie Bretschneider et for the National Protection and Programs Directorate, U.S.
al. eds., 1.1 version, 2012) https://www.stat.berkeley.edu/~stark/ Department of Homeland Security, before the Congressional
Preprints/RLAwhitepaper12.pdf. Task Force on Election Security Forum entitled Securing Our
Elections: Understanding the Threat (Sept. 28, 2017), available
271 Risk-Limiting Audits Working Group, 5, supra n. 270.
at https://democrats-homeland.house.gov/hearings-and-mark-
272 Russian Interference in the 2016 U.S. Election: Hearing Be- ups/hearings/task-force-election-security-securing-ameri-
fore Senate Select Committee on Intelligence, 115th Congress cas-elections-understanding.
(2017) (testimony from J. Alex Halderman, Professor, University
285 Nellie Gorbea, Rhode Island Secretary of State, appearing
of Michigan).
273 Eric Geller, Colorado to Require Advanced Post-Election “Securing America’s Elections: Preparing for 2018 and Beyond,”
Audits, POLITICO (Jul. 17, 2017), http://www.politico.com/ Oct. 24, 2017; Edgardo Cortés, Commissioner, Virginia Depart-
story/2017/07/17/colorado-post-election-audits-cybersecuri- ment of Elections, appearing at the Congressional Task Force
ty-240631. on Election Security Forum, “Securing America’s Elections:
274 McCann, supra n. 201. Preparing for 2018 and Beyond,” Oct. 24, 2017.
275 National Election Defense Coalition, supra n. 190. 286 Nellie Gorbea, Rhode Island Secretary of State, appearing
276 Norden & Vandewalker, 15, supra n. 159. “Securing America’s Elections: Preparing for 2018 and Beyond,”
277 Alia Beard Rau, Russia Tried to Hack Arizona Voter-Reg- Oct. 24, 2017.
istration System, Federal Officials Say, AZ Central (Sept. 287 Matt Masterson, Chairman, Election Assistance Commis-
22, 2017), http://www.azcentral.com/story/news/politics/ sion, in person discussion with Task Force staff, Nov. 3, 2017.
arizona/2017/09/22/russia-tried-hack-arizona-voter-registra-
tion-system-federal-officials-say/695057001/. 288 Nellie Gorbea, Secretary of State, State of Rhode Island,
appearing at the Congressional Task Force on Election Security
278 Norden & Vandewalker, 19, supra n. 159. Forum, “Securing America’s Elections: Preparing for 2018 and
279 Yejin Cooke, Director of Government Affairs, National Beyond,” Oct. 24, 2017.
Association of State Chief Information Officers, in person dis- 289 United States Cong. House. House Permanent Select
cussion with Task Force Staff, Sept. 12, 2017. Committee on Intelligence. Open Hearing on Russian Active
280 Norden & Vandewalker, 19, supra n. 159. Measures Investigation, Mar. 20, 2017. 115th Congress. 1st
session, 2017.
281 Steve Simon, Minnesota Secretary of State, in person dis-
cussion with Task Force staff, Sept. 28, 2017; Marian Schneider, 290 Morgan Chalfant, “Homeland Security Cyber Unit on Alert
Special Adviser on Elections to the Governor of Pennsylvania, in for Election Day,” The Hill (Nov. 4, 2017), available at http://the-
phone discussion with Task Force staff, Oct. 13, 2017. hill.com/policy/cybersecurity/358710-homeland-security-cy-
ber-unit-on-alert-for-election-day.
Russian Hacking Fight, POLITICO (Sept. 3, 2017), http://www.
attack-voting-242266.
52

T Fes Report

Uploaded by

Copyright:

Available Formats

T Fes Report

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

T Fes Report

Uploaded by

Copyright:

Available Formats

CONGRESSIONAL TASK FORCE ON

REP. ZOE LOFGREN REP. JAMES R. LANGEVIN

REP. CEDRIC L. RICHMOND REP. VAL DEMINGS

Special thanks to staff who contributed to this final report:

UNDERSTANDING THE THREAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

TASK FORCE ACTIVITY APPENDIX . . . . . . . . . . . . . . . . . . . . . . . . . . 40

THE FOUR GREATEST STATE-ACTOR THREATS

country to another and is considered the backbone of Iran

The EAC operates on a small budget, spending

other resources.86 stakeholders, and sectors and subsectors may establish

stand up an Election Infrastructure Cybersecurity

and connect election officials to a range of tools recapitalize voting technology.118

Secretary Johnson also discussed ongoing deliberations

Although DHS has struggled to build trust with

STATE AND LOCAL GOVERNMENT

States and localities have taken a variety of steps to

All Vote By Mail

Paper Ballot and

CT Mixed Paper Ballot and

NJ Mixed Paper Ballot and

MD DREs with VVPAT

DRE: Direct Recording Electronic Voting Machines

OUR ELECTION INFRASTRUCTURE IS VULNERABLE

STATE AND LOCAL GOVERNMENTS NEED FEDERAL SUPPORT

FEDERAL AGENCIES LIKE DHS AND EAC NEED RESOURCES

Election Assistance Commission election night reporting systems.230 These documents

ELECTION VENDORS ARE UNREGULATED TARGETS

infrastructure, and make a request to Congress. In States Should Prioritize

PUBLIC FORUMS ON-SITE MEMBER AND

Free and Fair Election Technologies

National Security Imperative of Addressing Foreign National Governors Association

The Honorable Steve Simon, Minnesota Secretary of

Mr. Luther Weeks, State Auditability Working Group

92 United Nations General Assembly, Group of Govern- 104 Id.

You might also like