electionlineWeekly Guest Post on William and Mary Law’s Election Security Mock
[Image via law.wm.edu]
Last week, William and Mary Law School hosted an election security event featuring a mock argument focused on a cybersecurity issue – and this week, electionlineWeekly has a guest post about the event from Anna McMullen ’18, Rebecca Green and Amy McDowell, Election Law Program Co-Directors; and
Reiko Dogu, ELP Program Manager, with a short foreword by the Democracy Fund’s Tammy Patrick. Check it out:
Foreword
A wise man once said that election administrators need to also be IT Managers; I think he would agree that in the current climate they also need to be security experts.
Election professionals have increased the focus of their attention to security issues since the 2016 election cycle given the knowledge of increased threats from nation-state adversaries. “Threat-landscape”, “penetration testing”, and a slew of new initialisms and acronyms are now part of the election administrator’s lexicon.
The good news is that there is support from all levels of government, as well as the non-profit and for-profit sectors, in ensuring that our democratic processes are protected.
Yet, there has been one area that had not garnered as much attention until last week: that of statutory/legal coverage, precedence, and the availability of what guidance an election official has at their disposal should they find that their system was attacked.
Do our existing laws provide a clear path forward should an attack be successful?
How do contingency plans and state of emergency statutes speak to this issue, if at all?
Who is responsible and authorized to make certain decisions about the protection of our systems?
These questions, and more, were contemplated last week at the William and Mary Law School event.
12th Annual Election Law Symposium
Election Data Security: Testing the Critical Infrastructure DesignationOn April 12, the William & Mary Election Law Program hosted a unique symposium aimed at expanding understanding of the role of courts in promoting election security. The symposium focused specifically on the critical infrastructure designation pursuant to the Critical Infrastructure Protection Act of 2014.
Following opening remarks by Symposium student Co-Chairs Camden Kelliher ’21 and Alexis Dalton ’20, the event kicked off with a war game simulating an election security dispute in the fictional state of “Flichigan.” The law of Flichigan combined the Virginia election code with provisions from the Michigan state constitution as the basis for the exercise.
In the fictional scenario, Flichigan experienced a hack of its voter registration database in Flichigan’s most populous county, Bayne County. The hack occurred several weeks prior to Flichigan’s U.S. Senate primary elections in August 2018. The hacker changed registration information of roughly one hundred Flichigan voters, resulting in mass confusion at Bayne County polling places on the day of the primary. Bayne County election officials worked to efficiently resolve the matter by issuing provisional ballots and engaging in an audit process following the primary to ensure an accurate count. The winning candidate won in a landslide.
As the November general election approached, Secretary of State John Ruth—the state’s chief election official—hired an outside vendor to audit the security of the state’s election system. Secretary Ruth immediately implemented all recommendations that the vendor made. On this basis, Secretary Ruth believed that the necessary steps were taken to ensure the general election would be secure. Mary Barrett, General Registrar of Bayne County, was not convinced. She invoked a federal statute that enables non-federal entities to request that the Department of Homeland Security (DHS) conduct a security assessment.
Because, as of January 2017, elections are designated as critical infrastructure to be afforded special protection under the Critical Infrastructure Protection Act of 2014, DHS gave priority to Barrett’s request. Barrett requested specifically that DHS conduct a security audit of Bayne’s voter registration system, a request that would require the cooperation of the Secretary of State in providing access to DHS. Secretary Ruth, skeptical of federal meddling in state election matters and concerned that such access could subject Bayne data to enhanced risk, refused DHS access to Bayne County’s voter registration system. In response, Registrar Barrett sought a writ of mandamus to compel Secretary Ruth’s cooperation, a request which a Flichigan trial court denied. Registrar Barrett immediately appealed, leading to the oral argument at the Election Law Symposium’s war game: Bayne v. Ruth.
Venable political law attorney Meredith McCoy ’12 argued before the bench as counsel for Bayne County’s General Registrar. John Davisson of the Electronic Privacy Information Center (EPIC) (an organization on the forefront of advocating for voter privacy) argued on behalf of Secretary Ruth.
The mock judges presiding over the argument were Edgardo Cortes, Former Commissioner for the Virginia Department of Elections and current advisor on cybersecurity and elections at the Brennan Center; David Becker, Executive Director of the Center for Election Innovation & Research; and Mark Listes, Policy Counsel at the U.S. Election Assistance Commission.
Ms. McCoy argued that Bayne County should be permitted to request DHS assistance because the Flichigan statute places the authority over voter registration and list maintenance processes with county election officials. State statute also organized Flichigan’s electoral process in a decentralized manner; each county has its own Board of Elections with decision-making authority. McCoy highlighted local registrars’ authority with several examples that demonstrated that the state’s chief election official serves a guiding role, but lacks authority to compel local registrar action under the state statutory scheme.
McCoy argued that the appeal centered on voter registration, a responsibility of Flichigan counties, as opposed to election purity which is a state responsibility. McCoy emphasized the importance of a decentralized election system, arguing that such a system promotes election security because there is no central location or single security protocol that a would-be hacker could access, thus compromising all state voter data. McCoy argued that Congress’ decision to provide “non-federal entities” with the opportunity to request assistance from DHS overrode the Secretary of State’s refusal to comply.
On behalf of Secretary Ruth, Mr. Davisson argued that the Flichigan chief election official, not local registrars, is responsible for ensuring Flichigan elections are secure and is thus the only person with authority to request the DHS audit. Davisson maintained that Congress, when it passed the National Cybersecurity Protection Act of 2014, never intended to empower local registrars to request assistance from DHS. That power, Davisson advocated, more naturally falls to the state’s chief election official who is responsible for maintaining the statewide voter registration database. Davisson conceded that Flichigan statute delegated to local registrars supervisory power over voter registration lists in their own counties, but nevertheless asserted that since the state maintained the centralized voter registration database, the Secretary of State should make all decisions related to its security.
After argument concluded, the panel retired to deliberate, returning a 2-1 verdict in favor of the state and denying the writ of mandamus.
The majority agreed with the Secretary of State that security should be handled centrally, not locally. They asserted that local registrars’ state constitutional duty to maintain “the purity of elections” extended to maintenance and upkeep of the voter registration records but did not extend to making unilateral cybersecurity decisions. The dissent agreed with the Registrar’s argument that maintenance of the voter records indicated an implicit duty to ensure data security.
“I think it’s very difficult to make the case that anyone in the…local jurisdictions has the right at any point in time to tell a federal agency to come in and scan a state-owned system,” Mock Judge Becker opined. “I think you need to show extraordinary need for that…. So ultimately I didn’t see any extraordinary need there to impose federal jurisdiction over a state.”
Following the war game, William & Mary Professor Rebecca Green, who co-directs the Election Law Program, moderated a debrief of the trial, during which questions arose regarding the realism and scale of the fictional scenario. Questions also delved into real-life election security issues.
Green asked the mock judges to weigh in on the question of partisanship. What if Secretary Ruth and Registrar Barrett belonged to different political parties, a fact that might give the appearance that partisan politics drove their decision-making? How should judges navigate politically-charged disputes when it comes to election security? The mock judges pushed back, noting that election officials are accustomed to working in hyper-partisan environments every day. Professionalism would therefore dictate that state and local officials would focus intently on the shared goal of securing the state’s elections, despite differences on how to accomplish this goal. The war game, after all, featured no bad actors or villains (besides the hacker!) Both Secretary Ruth and Registrar Barrett sought to secure Flichigan elections—they just had different opinions on how to get there.
Green also noted the recent real-life ransomware attack in Atlanta that locked city employees out of all municipal computer systems. Hackers threatened to delete the city’s data unless the city paid $51,000 to the hackers. Green wondered, if a ransomware attack hit a state’s election system, should the federal government step in to help? Quoting an Obama cybersecurity official who suggested that “expecting every state and local government system to be able to go up against nation-state actors is … patently ridiculous,” Green questioned whether election security is in fact best addressed at the state and local level or whether there should be a greater federal role. Participants responded by noting that communication is key. DHS and state and local officials have worked diligently to open lines of communication to allow nimble response to threats that can incorporate federal expertise as needed.
Another point explored was the hot button issue of voter privacy and how best to protect voter data if the federal government becomes involved in an election security issue. Mr. Davisson, counsel for EPIC, raised the concern that voters submit their information to the state for purposes of participating in democratic processes. He cautioned that exposing voter data to the federal government could subject that data to use for other purposes. With this point in mind, the panel discussed how, in most states, voter data is publicly available to campaigns, to get-out-the-vote organizations, and others. Allowing voter data to be accessed through a public records search serves an important policy goal of enhancing public trust in election administration, increasing participation, and providing an oversight mechanism to ensure that the data is accurate. While panelists agreed on this basic proposition that voter data should be accessible, there was less agreement on the question of who ultimately “owns” voter data—voters themselves, local registrars, or the state?
The symposium concluded with a panel discussion focused on election security and the courts. Moderator Tammy Patrick of the Democracy Fund, Kemba Walden of the U.S. Department of Homeland Security, and Joseph Lorenzo Hall of the Center for Democracy & Technology, joined the discussion. Walden noted that this scenario is very relevant to the question of DHS involvement and explained that when DHS receives a request for assistance, it verifies that all necessary consent is obtained from the proper authorities prior to proceeding. Walden also clarified the effect of a critical infrastructure designation. As discussed, requests to protect critical infrastructure rise to the top of the list of DHS priorities. For his part, Joe Hall also emphasized the importance of security surrounding voter registration information. He explained that voter registration information is very useful in the de-anonymization of other records. For example, anonymized medical records are sometimes shared publicly for use in research. These records have many pieces of personal data removed to hide the identity of patients. Voter registration information can be used to repopulate that personal data and has been used in some instances to identify patients. Therefore, the security of state voter registration databases is of paramount importance to individual privacy interests.
In all, the Symposium highlighted numerous core challenges that face election administrators as they work to secure U.S. elections in 2018 and beyond. What was clear from the assembled gathering is that a lot of smart minds are on the job.
Video of the oral argument portion of the war game is available here.
As you can see, the event was absolutely chock-full of interesting issues (state/local control, federal jurisdiction, privacy, etc.) with which real-life Flichigans and Bayne Counties may have to wrestle in the future – although hopefully not the outside hack that triggered the case. Thanks to the students and educators at William and Mary for organizing the event, to the Democracy Fund for supporting it – and, as always, to electionlineWeekly for sharing it with those of unable to attend in person.
Take care, have a great weekend … and stay tuned!