Administrative Law Blog Essay

Cyber Interference in Elections and Federal Agency Action

Pop quiz: which part of the federal government is tasked with preventing cyber interference in our elections?

Congress has refused to say. We have reached a point of a significant gap between an important federal need and existing federal power. And in the absence of that federal power, federal agencies have stepped into the gap and extended their authority into domains unanticipated by Congress.

Of course, there is clear statutory guidance for some aspects of protecting election integrity. We can think about preventing campaign interference in our elections. Portions of that job fall squarely within the domain of the Federal Elections Commission, which enforces campaign finance laws.

We can also think about prosecution or punishment of those who engage in either foreign campaign interference, like the Justice Department’s recent criminal indictment of a Russian woman with interference in the 2018 midterm elections, or foreign cyber interference, like actions from the Obama and Trump administrations to sanction those who interfere with election systems in the United States. But that’s focused on punishing election interference that has already occurred.

Preventing cyber interference is another matter. Cyber interference could take different forms. It might mean disruption of election-related websites, a version of the recent teenage hacker who manipulated a public-facing website to alter the site’s display of vote totals—a form of vandalism with no material impact on our democracy. It’s an inconvenience, the equivalent of a server failure or a power outage on Election Day.

Worse, it might mean infiltration of voting systems, like voter registration databases, and altering them, such as changing information or deleting names from the lists of registered voters. And perhaps the least likely, but by far the most troubling to our democracy, foreign or domestic actors might attempt to modify the outcomes of votes cast using electronic voting machines in ways that are undetectable.

Who in the federal government is tasked with preventing these scenarios from happening? Congress has not directly empowered any federal agency to protect elections from cyber interference. But that hasn’t stopped various agencies from stepping in anyway. The justifications for agency activity largely arise from two perhaps unlikely statutory sources: one enacted after 9/11, another after Bush v. Gore.

After the terrorist attacks on September 11, 2001, Congress enacted the USA PATRIOT Act. That law includes a provision known as the Critical Infrastructures Protection Act of 2001. Critical infrastructures are those “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Critical infrastructure sectors include dams, nuclear reactors, and water, and wastewater systems. They extent to broad areas like “food and agriculture” and “financial services.”

Congress then created the Department of Homeland Security (DHS) in 2002, which took over the role of designating critical infrastructure. In 2017, the outgoing Secretary of Homeland Security designated “election infrastructure” as a critical infrastructure sector, and that decision, after some pushback from the states, was affirmed by President Trump’s first DHS secretary, John Kelly.

Maybe DHS is the best place for prevention to reside. Thus far, DHS has principally engaged in an information-sharing capacity. It has provided a suite of services to state and local governments to help manage cybersecurity—assessing election systems and vulnerabilities, providing training and consulting, sharing information, and coordinating responses to threats. It has convened the Election Infrastructure Subsector Government Coordinating Council to work with key stakeholders and to share information.

The USA PATRIOT Act isn’t the sole source of authority for agency activity. Another is the Help America Vote Act of 2002. After Florida’s recount in the 2000 presidential election and the Supreme Court’s decision in Bush v. Gore, Congress passed legislation to assist jurisdictions that used outdated voting machines, including punch card systems and lever voting machines.

Congress also created the Election Assistance Commission (EAC), an agency led by four members, and “a national clearinghouse and resource for the compilation of information and review of procedures with respect to the administration of Federal elections.” The EAC would help test and certify voting systems and provide voluntary guidance to the states.

For much of its existence, the EAC languished. It lacked a quorum to do business for an extended period of time. Congress considered shutting it down.

But the EAC has seen a resurgence. In March 2018, Congress provided $380 million to the EAC to make grant payments to states to help them improve election system security. That cash was quickly dispersed to the states. The EAC continues to work with state and local election officials and the National Institute of Science and Technology to facilitate state and local election officials in securing election systems. While Congress could expressly preempt state authority in this area, the EAC has acted as an advisor and a facilitator for interested election officials.

The short answer to the opening question, then, is that both DHS and the EAC have taken the lead in preventing cyber interference in elections, but they have worked in conjunction with other agencies. Their statutory authorities are a generation old and not built in anticipation of these contemporary concerns. One may understandably wonder about agency gap-filling in this area. Is it regulation of elections in a manner consistent with our constitutional structure? And if multiple overlapping agencies are acting, is their behavior the best and most efficient means of doing so?

The Elections Clause of the Constitution provides that “[t]he times, places and manner of holding elections for Senators and Representatives, shall be prescribed in each state by the legislature thereof; but the Congress may at any time by law make or alter such regulations.” There is a commitment that states run federal elections unless Congress steps in. When Congress does step in, it preempts any state election law to the contrary.

But Congress hasn’t spoken directly to the issue of how the federal government should protect elections from cyber-attacks. DHS involvement concerning election infrastructure extends to all election systems, including state and location elections, extending beyond the Elections Clause and acting in the interest of national security. DHS involvement, however, has admittedly been voluntary and mostly concerned with sharing information. The EAC, too, has acted in a role more as facilitator among thousands of elections officials.

Congress has considered providing more specific guidance, which might improve efficiency concerns. One response would shift more responsibility concerning cybersecurity squarely into DHS. But Congress has more election-specific options it’s considering, too. The proposed Securing America’s Voting Equipment Act (or “SAVE Act”) focuses primarily upon DHS working with the Director of National Intelligence. It provides grant funding to states, encourages voluntary information sharing, and incentivizes a “bug bounty” program to encourage hackers to find and report cybersecurity flaws in voting systems.

Another proposed bill, the Secure Elections Act, would encourage the same kind of information sharing from DHS among state and local election authorities as the SAVE Act. It would create an advisory panel to establish guidelines for election cybersecurity. It includes some of the key provisions of the Securing America’s Voting Equipment Act, and it also encourages states to use paper ballots and implement statistical audits for federal elections. It also offers a larger role for the EAC in helping DHS develop guidelines.

The proposed Protecting American Votes and Elections Act (or “PAVE Act”) would extend beyond encouraging states with money and guidelines, and it instead provides express rules from Congress about how to run elections. It would require voter-verified paper ballots and risk-limiting audits in federal elections.

These proposed bills have varying levels of support and bipartisanship. In some ways, their effects would be quite minor; one of the proponents of the Secure Elections Act suggested the bill would do little that wasn’t already happening in federal agencies. Money, the ubiquitous concern from the states, seems to be a common and easy item in each legislative proposal.

But Congress shows little urgency to act by 2018 or even 2020. It might be because it deems the threat insubstantial—a perceived low risk, or that Congress has a high risk tolerance. But the reason might also be that federal agencies have already stepped into the breach. Congress may be satisfied that the balance between federal and state governments has been appropriate, and that existing legislation, while perhaps outdated, has been sufficiently broad to permit agencies to act.

What about states?  They have some cash from Congress, but many don’t intend to prioritize security upgrades by 2020. Few States have passed material legislation relating to cybersecurity. Perhaps they would prefer a comprehensive solution from Congress. Perhaps they’re satisfied with the information sharing from federal agencies. Perhaps we’re witnessing accretion of state agency power similar to what is occurring with federal agencies—that is, the thought that state Secretaries of State, county election officials, and election-related agencies can manage these problems without new laws.

The response to election cyber interference over the last two years has been a vignette into government behavior. Federal agencies have moved with urgency to use existing statutory authority to act in the absence of congressional guidance. Congress appears satisfied, and its major response has been to provide cash to states while allowing federal agencies and the states to operate on their own, with a little congressional oversight. Maybe that’s the appropriate balance. All the same, specific guidance and authorization from Congress may provide a more robust protection from cyber interference in elections. Whether that happens before a significant problem arises remains to be seen.