COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY
election. State 7 reported their experience with DHS during the 2017 statewide election was quite good. DHS sat with election officials all day, which meant State 7 could pass messages quickly to NCCIC.
(U) In March 2018, Congress appropriated $380 million in funding for election security improvements. The funding was distributed under the formula laid out in the Help American Vote Act (HAVA) and was intended to aid in replacing vulnerable voting machines and improving cybersecurity. As of July 2018, 13 states said they intended to use the funds to buy new voting machines, and 22 said they have "no plans to replace their machines before the election—including all five states that rely solely on paperless electronic voting devices," according to a survey by Politico.[1]
- IX. (U) RECOMMENDATIONS
- 1. (U) Reinforce States' Primacy in Running Elections[note 1]
(U) States should remain firmly in the lead on running elections, and the federal government should ensure they receive the necessary resources and information.
- 2. (U) Build a Stronger Defense, Part I: Create Effective Deterrence
(U) The United States should communicate to adversaries that it will view an attack on its election infrastructure as a hostile act, and we will respond accordingly. The U.S. Government should not limit its response to cyber activity; rather, it should create a menu of potential responses that will send a clear message and create significant costs for the perpetrator.
Ideally, this principle of deterrence should be included in an overarching cyber doctrine for the U.S. Government. That doctrine should clearly delineate cyberespionage, cybercrime, and cyber attacks. Further, a classified portion of the doctrine should establish what the U.S. Government believes to be its escalation ladder in the cyber realm—what tools does it have, what tools should it pursue, and what should the limits of cyber war be. The U.S. strategic approach tends to overmatch adversaries with superior technology, and policymakers should consider what steps the U.S. will need to take to outstrip the capabilities of Russia, China, Iran, North Korea, and other emerging hostile actors in the cyber domain.
(U) U.S. cyber doctrine should serve as the basis for a discussion with U.S. allies and others about new cyber norms. Just as the international community has established norms and treaties about the use of technologies and weapons systems, the U.S. should lead a conversation about cyber norms and the limits of cyber activity with allies and others.
- ↑ The Committee's recommendation to "reinforce states' primacy in running elections" should be understood in reference to states' responsibility for election security, and not as pertaining to broader election issues, such as campaign finance laws or voting rights laws.
- ↑ (U) States Slow to Prepare for Hacking Threats, Eric Geller, Politico, July 18, 2018.
54
COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY
