Many states have responded with alarm to the massive data call issued by the Presidential Advisory Commission on Election Integrity co-chaired by Vice President Mike Pence and Kansas Secretary of State Kris Kobach. State election officials have voiced concerns that the commission’s real agenda is to generate support for election laws that suppress voter participation. Indeed, 21 states and the District of Columbia declined to provide any data in response to the commission’s initial outreach, which a federal district judge made clear is merely a request, not a lawful demand.
Perhaps most colorfully, Mississippi’s secretary of state responded to the request by saying that the commission “can go jump in the Gulf of Mexico and Mississippi is a great State to launch from.” The commission’s request for Social Security numbers was refused by none other than Secretary of State Kobach himself on Kansas’s behalf. Even as many states reaffirm their refusals to provide any information, others are providing a considerable amount of data on their voters. And this raises an additional and significant concern about the commission’s work: the lack of protection for this sensitive data.
As former Homeland Security Secretary Michael Chertoff has rightly emphasized, the ingestion and aggregation of this massive amount of massively sensitive information poses its own form of threat. It provides a single, seductive target for the many actors we now know are keen to manipulate and undermine confidence in our elections, as well as to gather detailed information on Americans for espionage purposes.
{mosads}So, as states consider what information to provide to the commission, they owe it to their voters and the sanctity of the elections our country’s laws entrust them to administer to consider how that information should be handled once provided. Indeed, some state laws impose rules and requirements for accessing sensitive electoral data. Beyond that, and regardless of any state’s particular laws, respect for America’s voters and elections requires sensible protection of the data.
The Trump administration must take seriously the responsibility of safeguarding of the data its commission is requesting. Unfortunately, the administration deliberately moved the commission’s “administrative home” from the U.S. Department of Defense, which had already designed a website to receive the data requested, to the Executive Office of the President, raising concerns that the move was designed to cloak the commission’s work from transparency laws, since the Freedom of Information Act applies to virtually all departments and agencies across the federal government but not to the Executive Office of the President.
The Defense Department, of course, has at its disposal the resources and expertise of the National Security Agency and U.S. military in protecting the transmission of sensitive data, in stark contrast to the limited capacity of the White House Executive Office. That puts an even higher burden on the states to demand that the commission at least take certain basic cybersecurity steps if those states are to comply — voluntarily — with the commission’s unprecedented data request. We urge at least five such steps.
First, the information should be encrypted, while in transit to and within the commission as well as when stored by it. Encrypted data, even if stolen, needs to be decrypted, an often insurmountable challenge even for governments. That’s why encryption has become the norm for many email providers, messaging apps and hardware such as cell phones and laptops.
Second, multi-factor authentication should be required to access the data. This, too, is becoming common practice: If you don’t already require your email provider to confirm that you’re really you when logging in for the first time from a new computer or device, you’re significantly risking the security of your email while sparing yourself ten seconds of minor inconvenience. The same should be required to access this sensitive data.
Third, access to the data should be restricted to a clearly defined minimally necessary list of authorized individuals with separate user accounts on a strict need-to-know basis. This minimizes the inherent vulnerability associated with every additional user and puts on notice every user that the circle of potential culprits is small if information leaks out. And, while passwords aren’t a sufficient defense on their own, they should be complex and unique for authorized users.
Fourth, credible and independent cybersecurity audits of the commission’s database should be conducted on a periodic basis, which in turns requires that the database be designed so that every access to it can be traced in order to facilitate such audits. Many cyber intrusions and exfiltrations occur for months or even years before they’re noticed; but periodic audits can identify breaches and stop the bleeding far more quickly.
Fifth, the database should be “air-gapped,” meaning it should be held on a segmented network not connected to the internet. This helps to insulate and thus protect the database. It also means that, when the commission’s work is done, the data held there can and should be deleted with accompanying certification by the commission’s co-chairs.
From a cybersecurity standpoint, it’s simply a bad idea to put all of this sensitive information in one place. But if the administration is committed to gathering this data, then failing to take the steps outlined above is indefensible. In an era when the commission’s database is a prime target for adversaries foreign and domestic keen to sabotage and distort our democratic system, protecting America’s elections demands protecting American voters.
Rajesh De served as general counsel of the National Security Agency during the Obama administration. He now leads the cybersecurity and data security practice and co-leads the national security practice at Mayer Brown LLP, where he is a partner.
Joshua A. Geltzer served as senior director for counterterrorism and deputy legal advisor at the National Security Council during the Obama administration. He is now executive director and visiting professor of law at the Institute for Constitutional Advocacy and Protection at Georgetown University.
Matthew G. Olsen served as director of the National Counterterrorism Center during the Obama administration. He is now an adjunct senior fellow at the Center for a New American Security and co-founder of technology firm IronNet Cybersecurity.
The views expressed by contributors are their own and are not the views of The Hill.