Last Friday, the same day three of the top spy agencies in the U.S. released a summary of an investigation into Russia’s role in cyberattacks before the election, the Department of Homeland Security made a move that attracted less attention: It classified the elections process as “critical infrastructure,” putting it in a highly protected category alongside other vital elements of the country’s basic operations, like dams and the electrical grid.
The classification will institutionalize the federal government’s role in helping state and local organizations secure the country’s elections, and makes it easier for DHS to offer them resources and intelligence information to that end. But tucked a few paragraphs into the official announcement was another key reason for the change: “The designation makes clear both domestically and internationally that election infrastructure enjoys all the benefits and protections of critical infrastructure that the U.S. government has to offer.”
Those “benefits and protections” might have something to do with keeping elections off-limits for foreign tampering. “One of the critical norms that we have garnered international support for is that no nation-state will attack another country’s critical infrastructure in peacetime,” said Lisa Monaco, President Obama’s homeland-security adviser, at an event at the Aspen Institute on Friday. “Particularly with what we’ve seen over the last several months, we want to be clear that our electoral process is part of that infrastructure that we condemn—hopefully on a bipartisan basis—any foreign intervention into.”
Election systems will join a list of 16 other elements that make up the country’s critical infrastructure. But it’s too late for the designation to cover the 2016 election.
In its investigation, the intelligence community found that Russian cyberattacks didn’t target or compromise “systems involved in vote tallying.” But in the lead-up to the election, voter-registration databases in nearly half of of U.S. states came under attack from foreign hackers, and four were breached, ABC News reported. Those intrusions were also suspected to be Russian in origin.
Voter-registration databases—one of the parts of the election infrastructure that DHS has now designated as critical—are usually connected to the internet, unlike voting machines themselves. Many voter databases were not protected or encrypted, Monaco said.
The development of cyberwar norms is still in its early stages. Designating election systems as critical infrastructure, however, draws on a broader national-security standards of conduct: The same norms that deter an attack on a foreign country’s electrical grid would now cover electoral systems, too.
But for nascent cyberwar norms to continue to solidify, Monaco said, the next administration will need to keep enforcing international standards by punishing states that violate them. She said that President-elect Trump should be prepared to use tools like an executive order that Obama signed in April 2015, which authorizes the Treasury Department to impose economic sanctions in response to malicious cyberattacks. She characterized the executive order as a “loaded gun.”
“We have to be very clear that this activity will not stand,” Monaco said Friday. “It will not go unresponded to, and there will not be a free pass for malicious cyberactivity against our country.”