The National Defense Authorization Act released Dec. 9 contains several provisions aimed at securing U.S. election infrastructure months before presidential primary season is in full-swing.
The provisions in the compromised conference report mandate a broad range of election-related steps, from an assessment of foreign intelligence threats to U.S. elections to allowing top state election officials to receive Top Secret security clearances.
The security clearance language is good news for the information-sharing relationship between the the federal government and state election officials, who don’t have proper clearance to view high-level intelligence related to election infrastructure cyberthreats. Throughout the 2016 election, the Department of Homeland Security and the FBI had a fraught information-sharing relationship with the states. In the years since, top federal election officials have consistently said information sharing needed to be improved, and while officials say it has been, the clearance problem was still a hindrance.
The election security language in the bill directs DHS to furnish a report on 2016 cyberattacks on U.S. election infrastructure by foreign government within 60 days of the bill being signed into law. The report, which Congress wants unclassified, must include attempted and successful cyberattacks related to the 2016 election, including the names of the states and localities affected. Congress also wants it to include all attacks on vote registration databases, voting machines, voting-related computer networks.
The Senate Intelligence Committee released a report on cyberattacks on election infrastructure in 2016, but it was heavily redacted and only identified states by a number. If signed into the law, the NDAA also mandates that the intelligence community produce a report on security vulnerabilities in state election systems no later than 180 days before a federal election and submit it to congressional leadership and committees.
The new authorization bill also asks the intelligence community, FBI, DHS, DoD, and the Departments of State and Treasury to produce a “whole-of-government” strategy to defend against Russian cyberoperations against U.S. election infrastructure. The intelligence community definitively concluded that it was the Russian government behind the cyberattacks and interference in the 2016 election.
Congress wants the strategy provided by the potpourri of government agencies to include potential “deterrence” actions that “could or should” be undertaken to deter Russia and other nations from interfering with election systems. This section is perhaps the most intriguing, given that experts consider deterrence in cyberspace extremely difficult.
The same strategy must also include ways to improve attribution of Russian cyber actors. Attribution is not an easy undertaking in cyberspace, as hackers can mask themselves to look like other hacking groups. Congress also wants the report to set benchmarks and milestones for the strategy’s implementation.
The report must include input from the nation’s secretaries of state and other election officials; any technical security measures, such as auditable paper ballots; cyberthreat detection; public education efforts; and ways to improve information sharing with the states.
Another provision in the bill requires that the Director of National Intelligence and the secretaries of the FBI and DHS must brief Congress within two weeks after a “significant cyber intrusion" related to a federal election that they can attribute to a foreign actor with moderate or high confidence. The report must include considerations about publicizing the breach.
The NDAA also requires that the DNI establish a national counterintelligence officer in the National Counterintelligence and Security Center to lead election security work.
In addition, the authorization bill requires that the intelligence community submit a detailed report of all Russian influence campaigns over the last three years, as well as any future ones. During the 2016 election, Russia directed a misinformation campaign on social media to influence U.S. voters.
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.