The coming battle over election system security in the United States
What's the best way to protect election systems in the United States? Is it a good thing that we have a decentralized federalist system, where the states vary, and even the counties within states vary, to some degree, preventing easy singular takeover or attack of our election systems? Or should we strive for greater oversight and best practices through more uniform standards that can be implemented across the country at the federal level?
The battle is fascinating because it eschews typical partisan lines and instead reflects deep concerns from two different groups--state secretaries of state who run elections, worried about needless cost, unnecessary regulations, and changing standards outside of their control; and federal security officials, who view different, sometimes international, threats as an essential reason for greater federal control of our elections infrastructure.
On January 6, 2017, a lame-duck Secretary of the Department of Homeland Security, Jeh Johnson, declared that election systems in the United States would be "critical infrastructure." DHS emphasized that this is not a "federal takeover, regulation, oversight or intrusion" for elections. Instead, it is designed to provide state and local officials with better assistance from DHS.
The next day, a member of the Election Assistance Commission, Christy McCormick, quickly fired back with a sharp critique of the designation, identifying problems with the scope of the designation. Compliance is purportedly "voluntary," but it appears that DHS may withhold certain information that would otherwise be available if states fail to comply. The scope of the order is unknown--indeed, it appeared to Ms. McCormick that the new things provided from the order were already available to state and local officials who requested it of DHS. And she suggested that political partisanship was involved.
This might have all the trappings of a Democrats-want-more-federal-oversight-Republicans-don't type of battle.
But soon, state secretaries of state, regardless of their partisan affiliation, began to express concern. Consider Alex Padilla of California: it "raises important questions.," and the limits are "unclear," particularly given a new incoming administration.
Soon, the National Association of Secretaries of State ("NASS") would adopt a resolution formally opposing the designation, noting problems arising from the designation, such as oversight of items that are not subject to cybersecurity threats; political opposition to the designation in Congress; and unanswered questions.
When NASS pressed DHS regarding the designation, the new administration expressed that it would continue to support the designation. Members of the Georgia legislature have already introduced a resolution calling for redesignation.
It remains to be seen what this designation actually does. As the DHS letter notes, much information was shared between DHS and the states. The designation allows from more "detail" and "tailoring," DHS explains--what value that is, I think, remains to be seen.
But NASS is concerned, understandably, that these "voluntary" commitments may no longer look so voluntary. And is that a good thing? It's easy to consider the benefits to greater federal oversight, and its significant costs. And we're observing the key stakeholders on each side of this debate preparing for a longer battle over the future of election system security.
So, in a only-somewhat-false dichotomy, what's better? A future of state-controlled, decentralized systems difficult for any single cyber threat, but potentially at greater risk in individual jurisdictions that fail to maintain sufficient standards? Or a future of federal oversight of election systems designed to provide the best practices and standards with superior procedures and oversight, but with likely higher costs, uniform standards offering less local control and flexibility, potentially increased politicization of federal standards, and greater nationwide vulnerability? I certainly can't answer it (although I think Zip disks aren't a part of future election systems security), and it'll take time to see how this relationship between DHS and NASS plays out. Let's hope the battle between them yields the best possible result for keeping our election systems safe.