Wanted: A firewall to protect U.S. elections

As the FBI and Congress work to unravel Russia’s hacking of the 2016 presidential election and learn whether anyone in Donald Trump’s campaign supported the effort, one thing has become clear: U.S. elections are far more vulnerable to manipulation than was thought.

A U.S. Department of Homeland Security warning and offer last year to help state election officials protect voter registration rolls, voting machines, and software from tampering was coolly received, perhaps out of skepticism or innate distrust of federal interference in a domain historically controlled by the states.

Now, as federal and state officials are partnering to examine voting and election security, a new initiative at Harvard Kennedy School (HKS) is working to shore up another at-risk component of the U.S. election system: political campaigns.

Led by former presidential campaign managers for Democrat Hillary Clinton and Republican Mitt Romney, the Defending Digital Democracy project is gathering cybersecurity experts from the U.S. Department of Defense, the National Security Agency, and the Department of Homeland Security, as well as private-sector internet heavyweights like Facebook, Google, and the cybersecurity firm CrowdStrike, to identify problems and share pragmatic wisdom with local, state, and federal campaigns so they are better informed about cyber threats and can make their organizations harder for attackers to infiltrate.

“It’s really important that this is a bipartisan effort,” said Eric Rosenbach, the project’s director and a former cybersecurity leader at the Pentagon. “I don’t think that the Democrats value cybersecurity of their campaigns more than Republicans. I think Republicans are equally tuned in to the fact that it’s important because everyone recognizes that, down the road, it could impact anyone, regardless of their partisan affiliation. And so, we’re really trying to stay out of the fray.”

“Above all, we want to make sure that we don’t change the nature of the democratic system just because we’re nervous about the threat.”

Eric Rosenbach, Defending Digital Democracy director (pictured above)

One project goal is to replicate the kind of information-sharing culture that exists in major industries where cybercrime is a constant concern, one that encourages collaboration in the face of threats and using best practices despite an inherently competitive culture.

“That’s what we’ve got to do in politics, and that’s why Matt and I believed it was so important to take a bipartisan approach,” said Robby Mook, who managed Clinton’s 2016 campaign. Mook will lead the project along with Matt Rhoades, who ran Romney’s 2012 presidential bid.

The idea for the project stemmed from Rosenbach’s experience as the Defense Department’s lead on cybersecurity issues during his time as chief of staff to Defense Secretary Ash Carter from 2015 to January 2017. While U.S. cyber defense efforts do protect the country from many serious threats, the dangers facing political campaigns are continuously evolving and require both vigilance and nimbleness, qualities that organizations outside the federal government may more readily bring to bear, he said. Without the potential stigma of a party affiliation, an independent body might more easily bring together stakeholders on both sides of the aisle, said Rosenbach, who is the Belfer Center’s co-director with Carter.

A collaboration of the Belfer Center, the Institute of Politics and the Shorenstein Center on Media, Politics and Public Policy, the project over the next two years will develop playbooks containing practical, low-cost advice and will work toward proposing technology-based tools, legislative fixes, and foreign policy remedies to encourage deterrence. In November, the project produced a cybersecurity playbook for campaigns. The project will release a playbook this spring that will offer guidance and best practices for mitigating threats.

Though political dirty tricks, like cyber intrusions and data theft, are not new to campaign veterans, the 2016 breaches of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee, and the personal email account of John Podesta, Clinton’s campaign chairman, brought a sense of urgency to having top-notch cybersecurity.

Mook noted that while the campaign took great care to protect against sabotage by political opponents or intruders looking for valuable information to use for espionage purposes, “I don’t think anybody was imagining that a foreign country would steal the information and then release it out to the media.”

The Russian cyberattack taught him that “it didn’t just matter how secure our campaign was, it mattered how secure the other organizations we work with are. So, the DNC, John Podesta’s personal email account — they were all good places for adversaries to find ways to hurt us. And so it really opened my eyes to how important it was to have a cybersecurity strategy that covers risk across a number of different surfaces, not just the one you directly control,” said Mook.

Getting campaigns to protect themselves properly won’t be easy, analysts caution. Though there’s plenty of expertise and goodwill among the cyber and tech communities to do their part to safeguard elections, Mook argues, political operatives are at a distinct disadvantage because they’re typically poorly resourced ad hoc organizations going up against sophisticated international intelligence agencies.

“Some of the best hackers in the world are taking on campaigns that are run by people who just learned what the word ‘cybersecurity’ meant a few years ago,” he said. “It’s not a fair fight.”

“One of the things that I’ve found incredibly challenging is the whole nature and structure of these campaigns,” said Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, the firm that first identified Russian hackers as behind the DNC email server breach.

Unlike with business startups, in most political campaigns “there is no network, there is no standardized architecture, there is no one in charge of security at those places. It’s really just a loose amalgamation of people who come together for a period of maybe 18 months, [which] makes it even more difficult to try and protect these organizations than a typical company, even if there’s a high level of awareness,” Alperovitch said.

Mook said many in the political world are thinking about cybersecurity very differently because of what happened in 2016, but while there’s lots more work to do, there’s not much time before the next national election.

“I think we all recognize how vulnerable we are, in particular because the Russians changed the threat so dramatically during 2016. We have to imagine other adversaries are going to come at us in even more sophisticated ways in the coming years,” he said. “We’re in a race and we’re running faster, but we need to start sprinting.”

Last fall, 17 HKS students involved in the project began fanning out to states including California, Oregon, Nevada, Virginia, Colorado, New Jersey, Wisconsin, and Minnesota to conduct field research with local and state election officials, to hear their concerns, to observe their voting systems and processes, to learn how they are protecting the security and integrity of their elections, and to help identify areas of vulnerability. Students will visit additional states this semester.

In the video above, Rosenbach outlines the various cyber threats against American election systems and democratic processes.

Some locales have opted to go further by participating in “tabletop exercises” in which an outside group deliberately attacks an election system, running simulations that test existing protections and protocols to identify weaknesses that a state or municipality’s own internal checks may not uncover.

Because the factors that affect voting security vary greatly from state to state — vastly different election methodologies and schedules, demographic variations, voting cultures, and constitutional requirements, among others — making one-size-fits-all changes from on high isn’t the answer.

“Some of the best hackers in the world are taking on campaigns that are run by people who just learned what the word ‘cybersecurity’ meant a few years ago. It’s not a fair fight.”

Robby Mook, Hillary Clinton’s 2016 campaign manager

“I don’t think there’s just one thing that makes a state successful. I think it’s almost like a recipe where there’s a bunch of things that have to come together in order for it to work,” said Jennifer Nam, M.P.A. ’18, a project team leader who before coming to Harvard spent a decade in the U.S. Army doing intelligence work.

One bright spot in the effort is that the tech community’s longstanding hesitation to get involved in national security matters appears to be thawing.

“It’s understandable why in the post-Snowden era, some of the tech community was skeptical of working with the government,” said Rosenbach, noting that regaining trust with tech leaders was a focus of the Defense Department when Carter was its secretary. “I do think the tech community now is more open to working with the government, but it just has to be in the right way and in a way that’s appropriate given First Amendment and Fourth Amendment concerns and everything else that’s going on in the world.”

Whatever steps campaigns take to minimize their risks, Rosenbach said it’s important not to overreact to the threat and inadvertently infringe on governmental cornerstones like free and open elections, a free press, and widespread trust in electoral outcomes.

“Above all, we want to make sure that we don’t change the nature of the democratic system just because we’re nervous about the threat,” said Rosenbach. One concern is how the nation might respond to another election cyberattack. “No matter who was in the White House, the tendency will be then to really lock down on security, and that, quite frankly, could be something that’s more dangerous than the attack itself, so we need to keep that in mind, too.”