How to hack-proof the next elec­tion

The Washington Post Sunday - - SUNDAY OPINION - BY TOM DONILON The writer was na­tional se­cu­rity ad­viser to Pres­i­dent Barack Obama from 2010 to 2013. In 2016, he chaired the Pres­i­dent’s Com­mis­sion on En­hanc­ing Na­tional Cy­ber­se­cu­rity.

We now know that Rus­sian Pres­i­dent Vladimir Putin ordered a com­pre­hen­sive ef­fort to in­ter­fere with the 2016 pres­i­den­tial elec­tion. This mis­sion in­volved the cy­bertheft and strate­gic pub­li­ca­tion of po­lit­i­cally sen­si­tive emails, the place­ment and am­pli­fi­ca­tion of mis­in­for­ma­tion on so­cial me­dia, overt pro­pa­ganda and ef­forts to pen­e­trate the sys­tems of dozens of state elec­tion author­i­ties.

This is not spec­u­la­tion or po­lit­i­cal pos­tur­ing; it is the pub­lic and high-con­fi­dence con­clu­sion of the U.S. in­tel­li­gence com­mu­nity. And it is wholly con­sis­tent with past Soviet and Rus­sian use of “ac­tive mea­sures” — in­tel­li­gence operations meant to shape an ad­ver­sary’s po­lit­i­cal de­ci­sions — with the strate­gic goal of un­der­min­ing the in­tegrity of and con­fi­dence in the West. Modern tech­nol­ogy has only in­creased the speed, scale and ef­fi­cacy of such ac­tions.

This would be alarm­ing even as a one-time oc­cur­rence, but as for­mer FBI di­rec­tor James B. Comey re­cently warned, “They will be back.” The fact is that, so far, Putin has paid too small a price to mean­ing­fully de­ter him in the fu­ture.

Here are five con­crete steps the United States should take to meet this on­go­ing threat to our democ­racy:

First, Pres­i­dent Trump must un­equiv­o­cally ac­knowl­edge Rus­sia’s at­tack on the 2016 elec­tion and clearly state that any fu­ture at­tack on our demo­cratic in­sti­tu­tions will not be tol­er­ated. One of the odd­est as­pects of the pres­i­dent’s for­eign pol­icy to date is his re­fusal to crit­i­cize — let alone con­demn — Rus­sian hos­til­ity, be it di­rected at our elec­tions or Ukraine, Syria or Afghanistan. The pres­i­dent con­tin­ued to make in­con­sis­tent state­ments in War­saw, claim­ing that “no­body re­ally knows” whether Rus­sia med­dled in the 2016 elec­tion. No pres­i­dent should ac­cept the rep­re­sen­ta­tions of a for­eign ad­ver­sary over the con­sid­ered con­clu­sions of his own in­tel­li­gence ser­vices. In all events, the pres­i­dent should de­mand a plan from his na­tional se­cu­rity team to de­ter and pre­vent elec­tion at­tacks.

Se­cond, the Depart­ment of Home­land Se­cu­rity and the Elec­tion As­sis­tance Com­mis­sion (EAC) should lead a process to de­velop elec­tion base­line cy­ber­se­cu­rity guide­lines and help states im­ple­ment these best prac­tices. For ex­am­ple, most peo­ple agree that ev­ery elec­tronic vot­ing ma­chine should cre­ate a paper record that can be au­dited, but about a quar­ter of vot­ers cast their bal­lots on ma­chines that leave no paper trail. DHS is best po­si­tioned to har­ness gov­ern­ment’s cy­ber­se­cu­rity ex­per­tise, while the EAC, cre­ated af­ter the 2000 re­count, is ex­pe­ri­enced at work­ing with state and lo­cal elec­tion author­i­ties. The process should be col­lab­o­ra­tive, just as it was when the Na­tional In­sti­tute of Stan­dards and Tech­nol­ogy part­nered with the pri­vate sec­tor to de­velop a “frame­work” of mea­sures and prac­tices widely her­alded as the gold standard in in­dus­trial cy­ber­se­cu­rity. This process should en­sure that ev­ery state es­tab­lishes a com­pre­hen­sive elec­tion cy­ber­se­cu­rity plan. And Congress should es­tab­lish a grant pro­gram to help states get there.

Third, we must de­velop a bet­ter sys­tem for shar­ing in­for­ma­tion be­tween state and fed­eral of­fi­cials. While the U.S. elec­tion sys­tem is de­cen­tral­ized, the threats against it are not con­fined to state bor­ders. In the lead-up to 2016, state of­fi­cials were not ad­e­quately dis­cussing elec­tion se­cu­rity with one another and the fed­eral gov­ern­ment. Even to­day, a num­ber of of­fi­cials are re­port­edly still in the dark about whether Rus­sian hack­ers pen­e­trated their sys­tems. The fed­eral gov­ern­ment should cre­ate a “cyber-FEMA” to help de­tect threats to state and lo­cal elec­tion sys­tems and then co­or­di­nate among Home­land Se­cu­rity, the FBI and the EAC to pro­vide nec­es­sary in­tel­li­gence and as­sis­tance.

Fourth, we must en­gage in a na­tional pol­icy dis­cus­sion about the roles and re­spon­si­bil­i­ties of our so­cial me­dia plat­forms and the steps they should take to pro­tect our democ­racy from ma­lign in­ter­fer­ence. The crown jew­els of our econ­omy, these com­pa­nies have enor­mous reach and in­flu­ence in our lives; we should not al­low them to be co-opted for for­eign in­for­ma­tion war­fare. Un­der­stand­ing this, they have started to take steps to pro­tect our cit­i­zenry from mis­in­for­ma­tion cam­paigns. Face­book re­cently be­gan em­ploy­ing third­party fact-check­ing out­lets to eval­u­ate ques­tion­able news items and give them less promi­nence in users’ news feeds. In April, Google an­nounced plans to re­work al­go­rithms to avoid driv­ing traf­fic to sites pro­mot­ing bo­gus claims. These mea­sures are a start, but to de­velop a truly com­pre­hen­sive so­lu­tion we must en­gage all stake­hold­ers and dis­cuss the roles these com­pa­nies, the gov­ern­ment and in­di­vid­u­als must play in pro­tect­ing our democ­racy.

Fifth, the United States should work within in­ter­na­tional fo­rums to es­tab­lish the prin­ci­ple that an at­tack on elec­tion sys­tems vi­o­lates the prin­ci­ples of non­in­ter­fer­ence and sovereignty and would jus­tify a ro­bust re­sponse. A for­eign at­tack on a bridge in New York or a sky­scraper in Chicago would surely rouse con­dem­na­tion as a vi­o­la­tion of in­ter­na­tional norms; an at­tack on our elec­tion sys­tem — the very foun­da­tion of our democ­racy — is just as se­ri­ous. But for norms to have teeth, they must be en­forced. With the re­cent dis­clo­sure of pen­e­tra­tion by Rus­sia into states’ elec­tion-re­lated com­puter sys­tems, the United States should promptly im­pose ad­di­tional sanc­tions on Rus­sian as­sets and in­di­vid­u­als. If not con­fronted, Putin will see no con­straints.

These are steps we can take to help se­cure the fu­ture of our demo­cratic in­sti­tu­tions in the cy­ber­age. We are on no­tice. We must act now.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.