With the midterm elections three weeks out, how antsy should we be about the security of our vote?
The past two years provide little ground for optimism. In 2016, we learned that foreign hackers, believed by the FBI to be Russian, had cracked two state voter-registration databases. Last summer, the Department of Homeland Security reported that 21 states’ election systems had been targeted by Russian hackers.
But in an interview last week, former Central Intelligence Agency director John Brennan, a longtime security expert, refrained from retreating into fingernail-chewing anxiety. Instead, Brennan said he’s confident in the work being done to secure voting systems—even as he harbors doubts about security leadership in President Trump’s White House, and people’s ability to focus on threats beyond those we’ve already seen.
In other words: Don’t panic, but don’t stop being paranoid.
Sharing threat information is caring
In a conversation after his keynote at a security conference in Washington last week, Brennan said that at both the federal and state levels of government, people are diligently working to stop future cyber attacks on our voting systems.
“I think there have been some steps taken to try to better understand what can be done on the technical front to prevent, to detect, to react to any types of intrusions,” he said.
But does that mean we’ve advanced to the point where we could defeat a repeat of the same attack? “I don’t know,” said Brennan, who led the CIA from 2013 to 2017, and, prior to that, served as President Obama’s homeland-security adviser.
The government itself says it’s much better prepared than in 2016. “We have made tremendous strides,” DHS secretary Kirstjen Nielsen said at an event hosted by the Washington Post last Monday.
“States are taking this very seriously, down to the county level. The information sharing is much stronger than it ever has been before,” she said.
Outside observers, some unlikely to agree with the White House on most issues, also say communication between Washington and states has advanced greatly.
“There’s better communication between the department of homeland security and state officials,” Aquene Freechild, co-director of Public Citizen’s Democracy Is For People project and co-founder of the group Secure Our Vote, said in a briefing Monday afternoon.
In the same briefing, Lawrence Norden, deputy director of the Democracy Program at New York University School of Law’s Brennan Center for Justice, noted the “extensive cybersecurity training” provided by DHS and others as well as the $380 million in additional security funding Congress provided.
(The Brennan Center is unrelated to the former CIA director; its name honors former Supreme Court Justice William J. Brennan, Jr.)
Trump’s leadership is problematic
Brennan, who had his security clearance yanked in August by Trump after the former CIA director criticized the president on Twitter, delicately raised doubts about the ability of this White House to focus on cybersecurity risks.
“I have full confidence that the intelligence community—CIA, NSA, and FBI—are going to do their level best to uncover, and then bring forward, information about efforts to intrude on the election,” he said. “And I think there are a number of very serious-minded individuals in the policy arena in Washington who will act upon that intelligence.”
“Are all of the senior people in Washington serious about this?” he continued. “I leave that to others to decide.”
Brennan cast particular doubt about the Trump administration’s decision to leave the National Security Council’s cybersecurity-coordinator post vacant.
“I was shocked at that,” he said. “When I was the homeland security advisor, the cybersecurity coordinator worked for me, and I relied heavily upon that person and that office.”
Without that role filled, he continued, there’s no obvious person overseeing the cybersection actions of such separate agencies and offices as the FBI, the CIA, the National Security Agency, the Department of Homeland Security, and the Department of Defense. “Once you eliminated the cybersecurity coordinator, who does that responsibility fall to?”
Creative thinking counts
Brennan urged security experts in and out of government to think creatively about what could go wrong, instead of simply trying to to stop the attacks of two years ago.
“You really need to red-team it,” he said in a reference to the security practice of assigning experts to try to defeat a given system. “Think of all the ways that adversaries could seek to disable, destroy, disrupt, interfere, modify any of the elements of your voting system.”
That also goes for his concerns over such tech frontiers as cryptocurrencies (as in, “how they can be exploited and manipulated by various international criminal networks and others”) and artificial-intelligence applications that Brennan fears are being developed in countries without the same ethical guardrails as the U.S.
“Science and technology is just going at such an accelerated rate in terms of new discoveries,” Brennan said. “We need to use our imagination in terms of what the next iteration of the challenge or threat is.”
More from Rob: