Better Threat Sharing is Just the First Step in Securing Elections, Senate Committee Says
The intelligence committee previewed far more recommendations, including better attribution.
Providing better, faster cyber threat information to states should be the beginning, but not the end, of the federal government’s efforts to ensure future elections aren’t marred by the same security concerns as the 2016 contest, according to a preview of Senate Intelligence Committee recommendations released Tuesday.
The State Department should also work with allies to create a global understanding that election meddling is out of bounds, according to the recommendations, while the intelligence community should speed the process of attributing cyberattacks to nations and groups that violate those norms.
The government must then ensure those norms violators face consequences, according to the slate of recommendations.
The Trump administration last week imposed sanctions against Russian intelligence agencies and individuals responsible for meddling in the 2016 election, including probing state election systems in roughly 21 states and penetrating at least one voter database.
Many of those sanctioned had already been indicted by Special Counsel Robert Mueller, who’s investigating Russian attempts to upend the election among other issues.
The Senate recommendations, which will be outlined in greater detail during a Wednesday hearing, represent the close of one portion of the Senate investigation, which is also focused on possible collusion between Russia and the Trump campaign.
Tuesday’s recommendations also include funneling more federal money to state election systems to ensure they’re digitally secure and segregated from the internet and that votes include an auditable paper trail.
Money for those programs could be included in the omnibus spending bill set to be introduced Tuesday, Senate Intelligence Chairman Richard Burr, R-N.C., said during a press conference.
The committee recommendations include many election-specific goals, which the Homeland Security Department has been working on for more than a year, such as providing security clearances to top state election officials.
The lack of those clearances was a major factor in hobbling the pre-election response to Russia’s 2016 election meddling attempts.
The intelligence community should also work to rapidly declassify information and to provide additional context so that state-level officials understand what’s important and what’s not, the committee recommends.
That was another chokepoint during the 2016 election, during which the FBI alerted state-level officials about attempts to penetrate their systems but didn’t specify that the perpetrator was a foreign nation-state and didn’t convey the seriousness of the threat, Sen. Susan Collins, R-Maine, said during Tuesday’s press conference.
States also erred by not sharing information with the public about attempted breaches, Collins said.
Senators stressed during the press conference that there remains no evidence that Russian hackers changed any vote totals during the 2016 elections.
They also stressed that their recommendations should not be viewed as a federal power grab of states’ authority to manage their elections.
Other recommendations include that:
- The government should provide ample money for the Homeland Security Department to review state election systems and states should accept those reviews.
- Homeland Security should work with the General Services Administration to create a list of vendors offering top-level cybersecurity services to states.
- The department should also create voluntary guidelines, best practices and a risk management framework that state election officials can use.
- Cybersecurity experts, government officials and the media should agree on a common set of terms to more consistently describe election cybersecurity threats.
- Election systems should be bolstered with basic information security protections. That includes using two-factor authentication—for example, requiring both a password and a unique code texted to a verified phone—to verify people accessing the systems.
NEXT STORY: NPPD taps vendor for No. 2 role