When Ohio’s governor activated the National Guard to protect his state’s voting machines from “hacking,” responses ran from alarm to confusion to mockery. Practically and legally, there’s very little the Guard can do about election-related activities. But if proposed legislation becomes law the military’s role in election activities could change.
Officials have said the Ohio National Guard cyber unit, one of 23 in existence, will be testing various election-related computer systems, although it remains unclear just what that means. Penetration testing on notoriously insecure voting machines? Probing Ohio election-board databases, the kind that have already been targeted this election cycle? We asked; the Ohio National Guard declined to comment.
What’s more clear, thanks to the U.S. Constitution, is that state governments are responsible for keeping elections free of interference, and may activate their National Guard units for various things. But there are limits. Governors may not, for example, station armed troops outside polling places, which would be a felony violation of 18 US Code 592.
Can you put cyber flowers in the cyber barrels of the cyber guns of the cyber national guard? Cyber flower power. https://t.co/xANrx4kUsR— the grugq (@thegrugq) November 2, 2016
But states may call on Washington to help in other respects, including helping to secure networks, machines, and voter databases from theft or manipulation. They can also call on the FBI to investigate potential fraud or voting-related crimes.
“Frankly, counties and cities are the ones who administer this stuff. This is a very, very complicated matter,” James Trainor, the assistant director of the FBI’s cyber division said at September’s Billington Cybersecurity Summit.
Whatever help federal agencies might offer would be coordinated through the Elections Assistance Commission, Trainor said. (Some election experts have decried the EAC as largely ineffectual.) The bottom line, from the fed perspective, is that “unfortunately, not a lot can be done between now and November 8.”
One place that almost all states have turned for election-security help is the Department of Homeland Security, or DHS, which has limited resources to respond.
Some in DHS have pushed to have voting machines and related systems classified as critical infrastructure, a move that Rep. Hank Johnson, D-Georgia, is supporting through the proposed Election Security and Infrastructure Support Act of 2016. Other lawmakers have balked at the prospect. Testifying at a House Science committee meeting in September, Louisiana Secretary of State Tom Schedler asked, “Do we really want to create a new TSA for elections in this country?”
If the bill passes, or if DHS reclassifies voting machines as critical infrastructure, then the Defense Department could conceivably be called in to play some role in securing voting equipment. The Defense Department’s Cyber Strategy, published in April 2015, says the military’s 13 Cyber Mission Force teams can help DHS respond to a “disruptive, manipulative, or destructive cyber attack” whose effects on infrastructure present “a significant risk to U.S. economic and national security.” Massive vote tampering, while unlikely to cause loss of life, might fall under that category. It’s sort of up in the air. Also, the teams would report to DHS only in response to an event, not in preparation.
Andy Ozment, assistant DHS secretary for cybersecurity and communications, has called the issue a “distraction.”
Classifying voting machines as critical infrastructure, Ozment said at the Billington Summit, “gives us the ability to offer more help. It does not put DHS in charge. It does not create any sort of ownership or regulatory restriction.” (See also: the National Infrastructure Protection Plan). Rather, he said, the change would allow DHS to better prioritize states’ requests for help with election securing.
And no, it won’t happen before next week.
“This is not something we are looking at in the near term. This is a conversation,” he said.