In the last few days, Secretary of Homeland Security Jeh Johnson and Homeland Security Advisor Lisa Monaco have both suggested that in the wake of the DNC hack, the United States is considering designating its election system as critical infrastructure. That’s a good idea. Designating election infrastructure as “critical” captures the commonsense notion that protecting elections from cyber-enabled manipulation is very important. The designation also has implications for preparing for and responding to cybersecurity incidents, including pursuant to Presidential Policy Directive-21 and last week’s Presidential Policy Directive-41.
But designating election-related systems as critical infrastructure would also provide an opportunity to socialize a norm against cyber-enabled interference with elections at the international level. As debates continue about how the United States should respond to the alleged Russian hack of the DNC, a new U.N. Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security will convene this month in New York. The United States can use the GGE process to set down a clear marker that election infrastructure is part of the critical infrastructure that last year’s GGE agreed should not be attacked in peacetime.
The DNC hack and subsequent information dumps on WikiLeaks have brought cybersecurity concerns about elections into the public debate, but experts have highlighted security problems with voting machines—particularly ones that don’t produce paper audit trails—for more than a decade. (For an overview of that history, see here.) Bruce Schneier argued in the Washington Post last week that before November “[w]e must . . . create tiger teams to test the machines’ and systems’ resistance to attack, drastically increase their cyber-defenses and take them offline if we can’t guarantee their security online.”
Along with upping its defenses, the United States should take the opportunity provided by the new GGE process to push for agreement on a norm against interference with election infrastructure. Last year’s GGE report accepted a U.S.-proposed norm against attacking critical infrastructure in peacetime, but left undefined what constitutes critical infrastructure. Specifically, the GGE member states (including Russia) agreed that, “A State should not conduct or knowingly support [information and communications technology or] ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public,” (para. 13(f)), and that “States should . . . respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty” (para. 13(h)). The GGE report did not define “critical infrastructure,” but called for “[t]he voluntary provision by States of their national views of categories of infrastructure that they consider critical” (para. 16(d)).
The United States should clarify in this year’s GGE that election infrastructure counts as critical infrastructure in the United States. I pointed out last summer that:
[a]s a domestic matter, the United States has defined critical infrastructure very broadly to include 16 sectors, such as communications, the defense industrial base, financial services, nuclear reactors, and transportation. But some of the sectors are less obvious. The Department of Homeland Security lists as examples of the “commercial facilities sector” professional sports leagues, casinos, campgrounds, and motion picture studios. Many countries might be surprised to discover that the United States considers the Iranian hack of the Las Vegas Sands Corporation and the North Korean hack of Sony Pictures to be attacks on “critical infrastructure.” To avoid creating potentially dangerous confusion over what the norm encompasses, the GGE should agree . . . to a definition of critical infrastructure in the international sphere.
Expanding the U.S. definition of critical infrastructure to include election infrastructure in time to make a stand with GGE members could help to promote an international norm against cyber-enabled meddling in elections. It could also send a clear signal about the seriousness with which the United States would regard intrusions aimed at interfering with the integrity of this fall’s elections.
GGE agreement would not, of course, be a panacea. Compliance in practice is different from agreement in principle. And it’s not perfectly clear what would count as election infrastructure in the United States or abroad. Nonetheless, while the U.S. government considers possible responses to Russia over the DNC hack, the GGE process provides a chance to build a coalition against cyber-enabled election interference.