The Obama administration isn’t ready to publicly attribute recent hacks against state election systems and the Democratic National Committee to Russia — nor to any particular group or country for that matter.
But its top homeland security adviser said Wednesday that an official U.S. response may still be coming, and in the meantime, federal officials are keen to bolster public confidence in the U.S. election system, including through new efforts to help state and local election officials improve their cybersecurity posture.
Asked at a Center for Strategic and International Studies forum whether the government would respond to the election-related cyber incidents with some of the same prosecutorial and sanctioning tools it applied to North Korea’s hacking of Sony Pictures and China’s pervasive intrusions into U.S. industrial firms, Lisa Monaco, the assistant to the president for homeland security and counterterrorism, said, “Stay tuned.”
She declined to specifically name Russia as the culprit in the election hacks, but said that nation had clearly shown itself to be a “bad actor” in cyberspace.
“And nobody should think there’s a free pass when you’re conducting malicious cyber activity, just like they shouldn’t think there’s a free pass on terrorist activity,” she said. “Our reach is long. Sometimes it takes a long time to build a case, but it doesn’t deter us from continuing to pursue it.”
Meanwhile, Monaco said the administration, via the Homeland Security Department, has been reaching out to state election administrators, offering help to shore up the cybersecurity of their systems. DHS and the White House are also actively exploring the question of whether the government should designate election systems as U.S. critical infrastructure, as it’s done with 16 other “sectors,” including the power grid, health care and the banking system.
“Regardless of which way that goes, we’re pushing out a whole set of tools that secretaries of state can avail themselves of from the experts at DHS,” she said. “That includes the ability to scan their systems to determine whether they have vulnerabilities and quickly patch them, a set of best practices — encrypting their data, etc. — a whole set of things they can apply, but they’ve got to be willing to do it. This is all in state control.”
That fact alone gives federal leaders some degree of confidence that altering the results of any nationwide election via hacking is almost impossible.
“The advantage I see from a defensive standpoint is that the structure is so disparate and so much of the system is still very manually focused,” Adm. Michael Rogers, the commander of U.S. Cyber Command and director of the National Security Agency said at a congressional hearing earlier in the week. “It’s not just one, nationwide, single integrative structure, and that tends to help us defensively.”
Monaco added that most of the systems that are involved in actually tabulating votes are physically disconnected from the internet and therefore inaccessible to hackers, even though cyber intruders have managed to make their way into a handful of state systems that handle functions such as online voter registration.
“What I do think we need to worry about is efforts to sow concern or confusion about the resilience of our system, which is why I will continue to be very clear that I think we have a resilient structure because it’s in so many different hands,” she said. “But the efforts of malicious actors to intrude on registration databases and other elements of our voting infrastructure is a concern.”
Also on Wednesday, Sen. Tom Carper (D-Del.), the ranking member on the Senate Homeland Security and Governmental Affairs Committee, drafted a letter to the National Governors Association, urging NGA to help prod state officials to accept help from DHS.
“When I served as Governor from 1993 to 2001, my fellow governors and I did not have to worry about the many of the kinds of cybersecurity challenges faced by states today. While I remain confident in our election systems today and in the numerous security precautions already taken by states, I respectfully ask that you continue to encourage your fellow governors to review the cybersecurity of their election systems and to take advantage of the information and voluntary assistance provided by DHS and other federal agencies,” he wrote. “While I fully appreciate a state’s responsibility to administer its own election systems, I believe that we must continue to work together to protect the values and institutions that we cherish so much in our great country.”