It’s already too late to upgrade election system security for the 2018 midterms, but there are four things the U.S. can do to prepare for 2020, former Facebook chief information security officer Alex Stamos writes in Lawfare.
Why it matters: 14 states are currently unable to double-check that election results accurately reflect votes cast. Congress earlier this year set aside millions of dollars to help states with election security in the face of potential Russian cyberattacks — but it's likely not all of the funds will be used by the November midterms.
First, Stamos writes, “Congress needs to set legal standards that address online disinformation.” Stamos cites the Honest Ads Act as a “good start” to building some guardrails for misinformation policies, but says more needs to be done to encourage tech companies to share threats from misinformation actors.
Second, the U.S. “must carefully reassess who in government is responsible for cybersecurity defense.”
- The current setup leads to overlapping authorities and responsibilities between the National Security Agency and the Pentagon’s U.S. Cyber Command. The Department of Homeland Security works on bolstering election infrastructure while the Federal Bureau of Investigation investigates cyber crimes after the fact.
- Stamos argues it would be useful for the U.S. government to create an agency that’s focused on just defensive cybersecurity and lacks intelligence, law enforcement, and military responsibilities, to really zero in on threats.
Third, “Each of the 50 states must build capabilities on election protection,” similar to how Colorado has organized election security teams and developed verifiable voting standards.
- This is a thorny issue: states have responsibility for elections but often can't afford new equipment and don't have the expertise to investigate cyberattacks originating overseas. But offers of federal support and federal standards can trigger complaints of federal overreach.
- Just this week, secretaries of state from around the country and the White House pushed back on a bipartisan election security bill that would require post-election audits, citing states’ rights concerns.
Finally, Americans should put pressure on the government, Stamos says: “Americans must demand that future attacks be rapidly investigated, that the relevant facts be disclosed publicly well before an election, and that the mighty financial and cyber weapons available to the president be utilized immediately to punish those responsible.”
The bottom line: “Recent history has shown that once a large, powerful nation-state actor demonstrates the effectiveness of a technique, many other groups rush to build cheaper, often more nimble versions of the same capability,” Stamos writes.
- “After Facebook’s announcement on Tuesday, it is clear that Iran has also followed this playbook. There are many other U.S. adversaries with well-developed cyber-warfare capabilities, such as China or North Korea, that could decide to push candidates and positions amenable to them.”