Wanted: A firewall to protect U.S. elections

The idea for the project stemmed from Rosenbach’s experience as the Defense Department’s lead on cybersecurity issues during his time as chief of staff to Defense Secretary Ash Carter from 2015 to January 2017. While U.S. cyber defense efforts do protect the country from many serious threats, the dangers facing political campaigns are continuously evolving and require both vigilance and nimbleness, qualities that organizations outside the federal government may more readily bring to bear, he said. Without the potential stigma of a party affiliation, an independent body might more easily bring together stakeholders on both sides of the aisle, said Rosenbach, who is the Belfer Center’s co-director with Carter.

A collaboration of the Belfer Center, the Institute of Politics and the Shorenstein Center on Media, Politics and Public Policy, the project over the next two years will develop playbooks containing practical, low-cost advice and will work toward proposing technology-based tools, legislative fixes, and foreign policy remedies to encourage deterrence. In November, the project produced a cybersecurity playbook for campaigns. The project will release a playbook this spring that will offer guidance and best practices for mitigating threats.

Though political dirty tricks, like cyber intrusions and data theft, are not new to campaign veterans, the 2016 breaches of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee, and the personal email account of John Podesta, Clinton’s campaign chairman, brought a sense of urgency to having top-notch cybersecurity.

Mook noted that while the campaign took great care to protect against sabotage by political opponents or intruders looking for valuable information to use for espionage purposes, “I don’t think anybody was imagining that a foreign country would steal the information and then release it out to the media.”

The Russian cyberattack taught him that “it didn’t just matter how secure our campaign was, it mattered how secure the other organizations we work with are. So, the DNC, John Podesta’s personal email account — they were all good places for adversaries to find ways to hurt us. And so it really opened my eyes to how important it was to have a cybersecurity strategy that covers risk across a number of different surfaces, not just the one you directly control,” said Mook.

Getting campaigns to protect themselves properly won’t be easy, analysts caution. Though there’s plenty of expertise and goodwill among the cyber and tech communities to do their part to safeguard elections, Mook argues, political operatives are at a distinct disadvantage because they’re typically poorly resourced ad hoc organizations going up against sophisticated international intelligence agencies.

“Some of the best hackers in the world are taking on campaigns that are run by people who just learned what the word ‘cybersecurity’ meant a few years ago,” he said. “It’s not a fair fight.”

“One of the things that I’ve found incredibly challenging is the whole nature and structure of these campaigns,” said Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, the firm that first identified Russian hackers as behind the DNC email server breach.

Unlike with business startups, in most political campaigns “there is no network, there is no standardized architecture, there is no one in charge of security at those places. It’s really just a loose amalgamation of people who come together for a period of maybe 18 months, [which] makes it even more difficult to try and protect these organizations than a typical company, even if there’s a high level of awareness,” Alperovitch said.

Mook said many in the political world are thinking about cybersecurity very differently because of what happened in 2016, but while there’s lots more work to do, there’s not much time before the next national election.

“I think we all recognize how vulnerable we are, in particular because the Russians changed the threat so dramatically during 2016. We have to imagine other adversaries are going to come at us in even more sophisticated ways in the coming years,” he said. “We’re in a race and we’re running faster, but we need to start sprinting.”

Last fall, 17 HKS students involved in the project began fanning out to states including California, Oregon, Nevada, Virginia, Colorado, New Jersey, Wisconsin, and Minnesota to conduct field research with local and state election officials, to hear their concerns, to observe their voting systems and processes, to learn how they are protecting the security and integrity of their elections, and to help identify areas of vulnerability. Students will visit additional states this semester.

Some locales have opted to go further by participating in “tabletop exercises” in which an outside group deliberately attacks an election system, running simulations that test existing protections and protocols to identify weaknesses that a state or municipality’s own internal checks may not uncover.

Because the factors that affect voting security vary greatly from state to state — vastly different election methodologies and schedules, demographic variations, voting cultures, and constitutional requirements, among others — making one-size-fits-all changes from on high isn’t the answer.

“I don’t think there’s just one thing that makes a state successful. I think it’s almost like a recipe where there’s a bunch of things that have to come together in order for it to work,” said Jennifer Nam, M.P.A.’18, a project team leader who before coming to Harvard spent a decade in the U.S. Army doing intelligence work.

One bright spot in the effort is that the tech community’s longstanding hesitation to get involved in national security matters appears to be thawing.

“It’s understandable why in the post-Snowden era, some of the tech community was skeptical of working with the government,” said Rosenbach, noting that regaining trust with tech leaders was a focus of the Defense Department when Carter was its secretary. “I do think the tech community now is more open to working with the government, but it just has to be in the right way and in a way that’s appropriate given First Amendment and Fourth Amendment concerns and everything else that’s going on in the world.”

Whatever steps campaigns take to minimize their risks, Rosenbach said it’s important not to overreact to the threat and inadvertently infringe on governmental cornerstones like free and open elections, a free press, and widespread trust in electoral outcomes.

“Above all, we want to make sure that we don’t change the nature of the democratic system just because we’re nervous about the threat,” said Rosenbach. One concern is how the nation might respond to another election cyberattack. “No matter who was in the White House, the tendency will be then to really lock down on security, and that, quite frankly, could be something that’s more dangerous than the attack itself, so we need to keep that in mind, too.”

Christina Pazzanese is a Harvard staff writer. This article is published courtesy of the Harvard Gazette, Harvard University’s official newspaper.