A Conversation with Cyber Threat Alliance’s Michael Daniel on Election Security
Conspiracy Theories, Domestic Threats and Clear Communication: The Cybersecurity Industry’s Role in the November 3rd Election
Uncertainty and anxiety ratchet up each day closer we get to the November 3rd Election. Frenzied stories about protecting votes, conspiracy theories, the general security of our elections and the health of democracy dominate the news cycle. The ghost of Russian hacking in 2016 lordes over everything.
This is the first presidential election since cybersecurity’s effect on elections became a mainstream concern. Michael Daniel is the President and CEO of the Cyber Threat Alliance (CTA) and former Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff. I spoke with him about the role of the cybersecurity industry in this election and the future of election security.
The big takeaway: long-term planning and communication, not technology, are key to protecting the democratic process.
Claire Teitelman (CT): How should the cybersecurity industry approach protecting elections?
Michael Daniel (MD): One issue is that the industry tends to focus on election security in the few months leading up to the election and not at other times. The truth is that state and local election officials have to work on this stuff all the time and changes and improvements usually have to happen during the downtimes in the off cycle. So, at this point, a lot of things are already locked into place.
That’s one of the things that really annoys them [state and local officials] is when election security nerds show up the September before the election and say “you should do all this stuff.” Great. If you told me that two years ago, I could have actually done something with it. I think just being mindful of the fact that it’s about managing risk for the long term and over multiple election cycles would pay significant dividends.
CT: You mentioned in the Highwire Election Security panel that this long-term thinking also needs to be applied to how we fund federal cybersecurity. Can you explain a bit more about that?
MD: Most companies think about their cybersecurity as an ongoing investment. You don’t just buy the widget and plug it into your network and then you’re good and done. It doesn’t work that way. Why should we expect that cybersecurity for our electoral infrastructure to be any different?
The federal government has an interest in ensuring an increased level of cybersecurity for the entire electoral infrastructure. Many of the threats that we face are nation-state threats, and that’s the federal government’s responsibility to combat. But we also want to maintain our federalist structure. We want state and local governments to maintain control over the electoral process. That’s really key.
The federal government should be providing funding and technical support to state and local governments over time, in a sustained manner — where the funding is predictable — and maintained over several years. That’s going to look a lot more like infrastructure funding for roads, or other kinds of grant programs, where the state has to put up a certain percentage and the federal government then kicks in another percentage.
State and local governments should be able to plan for their own election cycles over time. It would be far more effective for improving security to have steady funding sources than these bursts of cash.
CT: Given enough lead time and funding, what are the biggest election security issues the industry can help fix?
MD: What you’re trying to do is reduce the risk across the entire electoral process, from registering voters, to generating the poll books, to having people cast their ballots, ensuring that the ballots are counted properly, and that then they are reported properly. It’s the whole life cycle, not just voting machines, that needs to be protected. From a state and local election officials perspective, you want to focus on the things that will reduce the risk of something bad happening to those most vulnerable parts of the process, particularly at scale. That’s often not the voting machines; it’s often the voter registration databases. The question then becomes, how do I make sure I maintain the integrity of those voter registration databases? And then, how do I actually ensure that I can rely on those results? Really, that’s about both processes and technology.
At this point, a few weeks before an election, the technical solutions already have to be in place. There’s not a lot more that we can do on the technical front because those systems have to be locked down. The process is where we should focus now.
CT: For the Election on November 3rd, if it’s too late for technical solutions, what should be the role of the cybersecurity industry?
MD: Similar to our mission at Cyber Threat Alliance of collaborating, sharing threat intel for the greater good, it’s important for the private and public sector to come together to address this challenge. So between now and Election Day, the cybersecurity industry needs to be ready to support state and local officials with incident response and respond quickly if something seems to be going wrong. At CTA, we have an election security working group focused on how we maintain the connections between all the stakeholders so that if something appears to be going wrong, we can respond very quickly. We can help identify whether there’s an actual threat or if it’s just business as usual.
We also need to set clear expectations. There are crazy things, abnormalities, that happen in every election. There are always random technical glitches that are just that, glitches. Those things happen and have always happened. And they will happen again.
We need to set expectations that no election ever runs perfectly smoothly, and that the existence of those anomalies and those glitches does not indicate that somebody has fundamentally messed with the electoral process, nor does it undermine the overall result. That’s just how a big election process is. It’s a little bit messy, particularly around the edges.
CT: Setting expectations sounds like it’s a communication, not technical, goal. How much of cybersecurity at this point is communication?
MD: I used to joke that my title in the White House should have been in Cybersecurity Calibrator because half the time I was running around saying, “No, you really should pay attention to this, this threat is real.” And the other half I spent running around going, “Okay, let’s take a step back from the edge, please stop panicking. The world is not about to end; let’s breathe.”
It’s about being very judicious in talking about how these threats can manifest and being very sober about how we talk about the threat and not overselling it. Fundamentally, our electoral infrastructure is very robust. It’s very distributed. It’s got a lot of people paying attention to it. There’s a lot more focus on the cyber aspects this time around. There’s more focus on the disinformation aspects, too.
The communication has to be about being very transparent about the process. If we had an incident, here’s what we’re going to do. If there’s an incident actually occurring, here are the steps we are taking to investigate it and to address it. And then you come out, and you actually tell people what you found. I think if you do that, then you could help manage some of the inevitable spin, conspiracy theories and other things that are going to happen.
CT: What are the dangers of misinformation and conspiracy theories this election?
MD: Conspiracy theory nerds are going to have a field day no matter what happens. You’re not worried about them. You’re worried about the general public. What you want is to be able to communicate that you have a process. Even if you don’t know what’s going on right now, you have a process for figuring that out, you’re going to follow that process, you’re going to be transparent about that process, there’s going to be oversight of that process, and that people can trust the results of that investigation. That’s really how you help maintain people’s confidence in the system.
CT: What are the 2020 election interference threats we aren’t talking enough about?
MD: I think domestic interference is an under-appreciated problem. One of the things that I’ve discussed off and on with some people after what we went through in the last election is what domestic groups are going to learn from the Russian approach. We can’t be blind to the fact that there are groups within the United States that have axes to grind and would love to sow chaos and discord.
That becomes much more of a law enforcement issue. The First Amendment protects a lot of what they say, but if you cross the line into trying to have a disruption effect on the electoral process, that’s criminal activity. We should respond to those actions like we would other criminal activity, and treat them as such.
Overall, it’s something we ought to be cognizant of — that the source of misinformation or disinformation activity might be domestic. It might not all be international.
Most of all, again, the cybersecurity industry should be working and clearly communicating with private and public stakeholders and the general public. This collaboration, mutual trust and respect is vital if we want to protect our votes in 2020. This election should just be the beginning of our consistent investment of time and money into protecting and strengthening democracy.
To listen to more of Michael’s views on election security, watch On the Record: Election Security and Protecting the Vote.