August 25th, 2019


Bipartisan initiative to thwart election hacking gains steam

James Hohmann

By James Hohmann The Washington Post

Published Sept. 14, 2017

The Closing of the American Mouth

WASHINGTON - West Virginia Secretary of State Mac Warner's son was wounded by an improvised explosive device in Afghanistan and suffered traumatic brain injury.

When he finally made it home, the Republican asked his boy to tell him about his toughest day in combat.

"He had been wounded. There was a girl who had a leg blown off. They had to call in F-16s to secure their positions," Warner recalled in an interview. "I was expecting those kinds of war stories out of him. But he said, 'Dad, the hardest day for me, without a doubt, was election day in Afghanistan.' It was 110 degrees. Before they went out, they put tourniquets on each of their arms and legs so, if they got hit, they could still turn the tourniquets. They found five IEDs around the one polling place that his platoon was assigned to defend." But Afghans came out to vote anyway, even at great personal risk to themselves.

Warner tells his son's story to stress how essential it is for Americans not to take our electoral process for granted and for leaders in both parties to do everything possible to block foreign governments like Russia from meddling in our elections.

He was one of four secretaries of state in Washington Wednesday for an election security conference that was organized by the Belfer Center at Harvard's Kennedy School. These election officials, accompanied by their deputies, huddled with cybersecurity experts from Google and Facebook, as well as officials from the FBI, the Department of Homeland Security and the U.S. Election Assistance Commission.

"This is a new issue for us. We're having to respond to stuff we're still learning about," said Connecticut Democratic Secretary of State Denise Merrill. "The first question we all have is: What are we going to do for 2018 and 2020? We all know we have to do things differently."

She identified an inherent "culture clash" between cybersecurity experts, who are all about confidentiality and secrecy, and elections officers, who prize transparency and openness. "Bringing those two cultures together has been extremely interesting," said Merrill, who chairs a cybersecurity task force for the National Association of Secretaries of State. "We're trying to figure out how best to communicate. We're having to learn a whole new language. We're establishing relationships."

Wednesday's event took place at Facebook's D.C. office. There were breakout sessions about protecting voter registration lists, recording election results and helping counties administer elections. A crisis communications expert gave a talk about the P.R. aspects of responding to a breach.

Elections are remarkably decentralized in the United States, which is both a strength and weakness of our system. Processes can vary dramatically from county to county.

The former director of information assurance at the National Security Agency, Debora Plunkett, is helping identify potential vectors of attack as elections officials teach her about the contact points in their systems. "These are seasoned professionals who know how to operate in the chaos of election day," said Plunkett, now a senior fellow at the Belfer Center.

The highlight of Wednesday was a tabletop exercise that simulated a foreign attack on the integrity of an election. An Army major who is enrolled in a master's program at the Kennedy School took point in designing the scenario, with help from eight other students at Harvard and MIT. The six months of planning before an election were compressed into one hour. Then election day was compressed into a second hour.

Participants were forced to make hard choices, such as whether to switch from an electronic system to paper ballots. At one point, someone representing a county brought in an email that supposedly had come from the secretary of state. But the secretary hadn't sent the email. It was a test to see whether the group would recognize that their email system had been hacked. Then what do you do next? Call the other counties who might have received the same erroneous email and assumed it was genuine? Stop using email altogether?

Psychological operations were also integrated into the activity. The fictitious enemy disseminated false information, using bots to publicize long lines and sow confusion on social media. Participants needed to decide how to respond to that, as well as protests that grew out of decisions they had made earlier in the exercise.

The conference was closed to the press, but organizers invited me exclusively to attend the opening session and interview participants afterward about lessons they learned.

Eric Rosenbach, the co-director of the Belfer Center, was chief of staff to Defense Secretary Ashton B. Carter from 2015 to 2017. The retired Army intelligence officer spent the Obama years at the Pentagon, including as the assistant secretary who oversaw cyber strategy. "The thing that bothered me more than all the things I saw in the seven years I was there was this past year was when the bad guys were going after our democracy and our election infrastructure," he said. "It really just bothered me to my core. . . . I'm not sure we responded as forcefully as we probably should have in retrospect, but you learn a lot when you're going through these things. . . . I wanted to do something about this from the outside."

Rosenbach said efforts like this are crucial to deter America's enemies. "I'm very worried about the perception that all the other bad guys around the world have after watching what the Russians did to this election that they can do something similar," he explained. "I can just see Kim Jong Un rubbing his grubby little hands and thinking, 'Well, you know what, we should go after the Americans too.'"

During a welcome reception Tuesday evening at the WeWork office space on Capitol Hill, Rosenbach briefed the 50 or so conference participants in broad strokes about the capabilities and objectives of the Russians, Chinese, Iranians and North Koreans.

Finally, he warned about "the wild card" risk of "some crazy domestic group" trying to mess with an election. "It could be on either fringe of the spectrum," Rosenbach said. "In some ways, I worry more about that because they know the American system. They could go into a polling place, pose as someone who is a voter but meanwhile they're slipping in a thumb drive (and) they're getting in WiFi networks."

One big focus right now for everyone involved in the effort is getting security clearances for secretaries of state so that the people who administer elections can be more "read in" about the precise nature of foreign plots. Warner from West Virginia, who took office at the start of this year, expects that people are going to start getting full clearances in the next couple of weeks. A DHS undersecretary assured them that their applications are being expedited.

"Cybersecurity is now part of the job description," said Rhode Island Democratic Secretary of State Nellie Gorbea. "We need to do it in a way that people trust by being as transparent as we can. . . .. This is more than a one-time thing."

The co-chairs of the Belfer Center's "Defending Digital Democracy" initiative are Robby Mook, who was Hillary Clinton's campaign manager in 2016, and Matt Rhoades, who managed Mitt Romney's campaign in 2012. Both participated in the tabletop exercise.

There is, of course, consensus among intelligence professionals that Russia went after Clinton and the Democratic National Committee last year as part of an extensive effort to interfere in the election, but the Chinese also hacked Romney's campaign in the fall of 2011. That forced Rhoades to spend precious dollars to harden security systems that he couldn't devote to winning the primaries.

"We were concerned about how partisan this issue had become," said Mook, explaining how they decided to collaborate.

"There's tons of things we disagree on," added Rhoades, "but we 100 percent agree that American voters should decide our elections. No one else."

Both guys are now working on a "playbook" to share with campaigns at all levels about best practices for protecting data and training staff.

The Belfer Center is also working to produce a set of best practices for what local governments should do when a breach occurs. They're thinking about packaging yesterday's tabletop exercise in a way that could be disseminated to elections officials around the country, so that individual states can do it on their own.

"We're never going to get the threat of an attack on the election system down to zero percent, but you can mitigate the risk and think about how to react to it," said Rosenbach. "You have to rehearse these things over and over again."