October 16, 2020 Public Contract Law Journal

Russian Interference in U.S. Elections: How to Protect Critical Election Infrastructure from Foreign Participation

by Jedidiah Blake II
Ballot Box

Ballot Box

Jedidiah Blake II (jblake@law.gwu.edu) is a third-year law student at The George Washington University Law School and served as the Senior Notes Editor for the Public Contract Law Journal for the 2019 – 2020 academic year. He would like to thank Professor Sonia Tabriz, Meghan McConnell, and Roxanne Cassidy for their assistance during this process. Additionally, he would like to thank his family for their love and prayers.

Abstract

U.S. elections are under attack. U.S. officials have confirmed that Russian hackers attempted to subvert the 2016 presidential election. Russians hacked into the Democratic National Committee network and released thousands of documents. They used social media to spread disinformation and attempted to hack state voting systems. While investigations were ongoing following the election, the FBI discovered that one of Maryland’s election software contractors was owned by a Russian company. This discovery presents a unique problem about how to react to foreign participation in U.S. election infrastructure. This Note considers two contracting options and one option borrowed from election law. The first option is to apply the foreign national ban from campaign finance law to election contracts. Another option is to apply the new DoD security assessment “pillar” to election contracts. The third option is to ban the company at issue in Maryland, similar to the ban on Kaspersky. The best solution, however, is a combination of the first and second options because they are in keeping with policy ideals of fairness and the preservation of the United States’ “political community.”

I. Introduction

In late 2015, Russian government hackers targeted the Democratic National Committee (DNC) network, gaining access to emails, other communications, and opposition research on then-presidential candidate Donald Trump.1 This attack was part of a concerted effort by Russia to subvert and “sow discord” in the U.S. political system.2 This attack was not limited to political party networks: the Russians also attempted to hack into state election systems, illegally paid for political advertisements, and used trolls and fake social media accounts to spread disinformation and create controversy.3

Despite consensus in the intelligence community that Russia deliberately sought to interfere in the 2016 presidential election, these accusations generated huge debate and media scrutiny because of the possibility of collusion between Russia and the Trump campaign.4 Following the election, several investigations were mired in delay and “intense media scrutiny.”5 To make matters worse, U.S. officials posit that Russia and other nations attempted to influence the 2018 midterm elections and continue to do so as the 2020 election approaches.6 The possibility of foreign interference in U.S. elections is frightening and discouraging to the voting public and has led to serious doubts about the safety and legitimacy of election systems.7

These intrusions are not limited to hacking election systems and spreading disinformation. In the summer of 2018, the Federal Bureau of Investigation (FBI) notified the state of Maryland that one of its election contractors was owned by Russian nationals.8 The contractor in question handled voter registration, unofficial election night results, and other important data.9 The Department of Homeland Security (DHS) later found that this contractor did not compromise or interfere with Maryland’s elections. Nevertheless, state officials were concerned that this incident would undermine public trust in Maryland’s election software due to the appearance that foreign agents could influence Maryland’s election infrastructure.10

There are three options the federal government could employ to combat foreign participation in election software contracts. First, the federal government could apply the same rules that restrict foreign participation in campaign finance to election contracts. Second, the federal government could extend the Pentagon security assessment factor (known as Deliver Uncompromised) to state election contracting. Third, the federal government could apply the Kaspersky model and ban foreign companies and their affiliates from all election contracts. This Note will discuss the advantages and shortcomings of each option before suggesting that a combination of options one and two is the best way to protect election infrastructure from foreign participation and possible cyberattack.

This Note focuses on the problem of foreign participation in election systems and contracts as well as increased cyber threats. But these threats are not limited to election systems. In 2007, hackers targeted several Department of Defense (DoD) contractors, including Raytheon and Boeing.11 Similarly, in 2011, hackers targeted a U.S. defense contractor and absconded with 24,000 DoD files.12 In 2014, Chinese operatives hacked the Office of Personnel Management contractor responsible for conducting background checks on individuals seeking security clearances.13 That same year, hackers targeted the DHS contractor responsible for security clearances, thus compromising employee information.14

The list of attacks above is illustrative but not exhaustive of the cyberattacks against U.S. contractors in recent years.15 And cyberattacks have become more frequent.16 This trend has top policymakers and government officials concerned about security, particularly for the U.S. military and its contractors.17 As a result, the Pentagon will now base awards for weapons contracts on security determinations as well as the traditional criteria of cost, past performance, and schedule; this policy is called “Deliver Uncompromised.”18 Contractors with weak cybersecurity could, and often do, deliver compromised products.19 To combat this threat, the Pentagon will review a contractor’s ability to secure its software against cyberattacks before awarding weapons contracts.20

This is a recent policy, and the White House has adopted a similar strategy.21 The National Cyber Strategy calls for improving federal supply chain security by punishing risky vendors whose technology is insecure and unreliable.22 The plan also calls for strengthening cybersecurity for federal contractors and mentions several ways to do so.23 These policies are hopefully just the first steps the government will take to promote cybersecurity.

It is encouraging to see that the federal government has taken active steps regarding cybersecurity and is moving in the right direction. In 2017, the federal government banned Kaspersky Labs (Kaspersky) antivirus software across all federal agencies based on Israeli intelligence that Kaspersky might provide “a back door for Russian intelligence.”24 The DHS and the National Security Agency (NSA) determined that Kaspersky posed security risks because cyber attackers could use its software maliciously.25 Since that determination, Kaspersky products have been banned from all civilian government agencies.26

Clearly, the federal government is acting to safeguard its secrets from cyberattack, but these actions should extend to protect elections as well.27 Foreign interference in elections is a direct threat to democracy28 and national security.29 Democracy requires political participation and informed voters.30 In spreading disinformation and hacking into voting machines, Russian operatives have eroded the trust that U.S. citizens have in election security and in the information they hear.31

The DHS has characterized U.S. election infrastructure as “a critical infrastructure subsector” because it is sufficiently “vital to the United States that [its] incapacity or destruction … would have a debilitating impact on security.”32 State contracts with election software companies are part of this vital structure. To address this issue, the federal government must consider and quickly enact laws that would impact the states.

Part II of this Note will provide background on the current laws regarding foreign participation in U.S. elections, Deliver Uncompromised, and the Kaspersky ban. Part III will discuss the attacks on the 2016 election, the issues with Maryland’s foreign election software contracts, and the current mechanisms for protecting elections. Part IV will discuss the three options stated above in terms of feasibility, strengths, and weaknesses. Finally, Part V will conclude that a combination of options one and two is the best solution to address this issue.

II. Background

Cybersecurity has become a major concern for the U.S government, and U.S. cybersecurity capabilities must be strengthened to address this concern.33 This section provides background information on how cybersecurity issues have recently affected U.S. government procurement and elections. First, this section discusses the statutes that govern foreign participation in U.S. elections. Second, it discusses Deliver Uncompromised and the National Cyber Strategy. Third, this section describes the Kaspersky ban as an example of a government solution to curb foreign exploitation of U.S. secure networks.

A. Foreign National Ban on Campaign Spending

Foreign nationals are prohibited from a variety of election activities.34 This section discusses and explains the prohibition in terms of what foreign nationals can and cannot do regarding election activity. Policy reasons for the ban are also identified and discussed.

1. Statute
The Federal Election Campaign Act (the Act) makes up the body of U.S. campaign finance law and is administered and enforced by the Federal Election Commission (FEC).35 The FEC is an independent agency directed by six Commissioners and charged with reviewing disclosure reports from all federal political committees.36 The FEC interprets the Act and administers its various provisions concerning campaign spending.37 The Act promotes transparency in the political process and covers all aspects of campaign finance.38

The Act and related FEC regulations generally prohibit foreign national involvement in U.S. elections.39 The term “foreign national” commonly refers to people who are not U.S. citizens or nationals,40 but also includes foreign governments, political parties, corporations, associations, and partnerships.41

The Act makes clear that foreign nationals cannot participate in election activity.42 Specifically, foreign nationals cannot make contributions or donations of money or anything of value to U.S. elections at any level.43 They cannot make independent expenditures or disbursements in connection with an election.44 Further, they cannot contribute or donate to any political committee or organization.45 Foreign nationals are also banned from donating to presidential inaugural funds, and they cannot pay for electioneering communications.46 The FEC strictly enforces these provisions through enforcement actions or criminal prosecution.47

The Act and FEC regulations also impose penalties on domestic actors that solicit or receive funds or aid from foreign nationals.48 It is prohibited to “knowingly solicit, accept, or receive” campaign contributions or donations from foreign nationals.49 Additionally, the prohibition extends to providing “substantial assistance” to a foreign national seeking to contribute to an election.50

When a political committee receives a contribution that may be from a foreign national, it has two options.51 First, it can return the contribution to the contributor.52 Second, it can determine whether the contributor is actually a foreigner.53 If the contribution is from a foreign national, it must be refunded within thirty days of the discovery.54 If the political committee fails to do so, the FEC will bring an enforcement action and assess a penalty.55

Finally, and perhaps most importantly, foreign nationals are prohibited from indirectly or directly participating in decisions involving elections or election activities.56 This means that they cannot direct, control, dictate, or take part in any decision regarding contributions and expenditures in connection with an election.57 They also cannot participate in the administration of a political committee.58

Questions about foreign participation would most likely arise if a foreign company with a U.S. subsidiary were to make a separate segregated fund (SSF), also known as a political action committee (PAC).59 Foreign companies are allowed to do so but only if they meet certain standards.60 The parent corporation cannot “finance the SSF’s establishment, administration, or solicitation costs through the subsidiary.”61 Additionally, foreign nationals cannot be involved in the operation of the PAC, the selection of the PAC’s officers, or the decision-making process concerning contributions and expenditures.62 The PAC can make donations and contributions so long as they “are not financed in any part by the foreign parent” and “individual foreign nationals are not involved in any way” with the donation.63 For example, in FEC Advisory Opinion 2000-17, the Commission found that a U.S. subsidiary could establish an SSF because — although the board of directors included foreign nationals — the oversight committee for the SSF was comprised exclusively of U.S. citizens or permanent residents.64

2. Policy reasons for the ban
Beyond the prohibitions outlined in the Act and accompanying FEC regulations, there are numerous policy reasons for the ban. Fear of foreign interference goes back to the founding of the United States.65 The Founding Fathers were concerned about the potential for foreign influence in the country and in the election process.66 Likewise, they discussed the danger of foreign interference in the Federalist Papers, at the Constitutional Convention, and in President Washington’s farewell speech.67

The Founders feared that the United States, as a young nation, was susceptible to and would be weakened by foreign money and interests trying to insert themselves into the U.S. Government.68 The primary concern was with corruption, specifically undue influence and bribery.69 This concern manifested itself in the Constitution in several ways. For instance, most high offices within the U.S. Government have residency requirements because the Founders wanted to ensure that members of the government were not residentially tied to foreign nations.70 Fear of bribery led to clauses designed to limit corruption, including the Foreign Emoluments Clause,71 which prohibits any government office holder from accepting gifts from a foreign government.72

This fear of foreign influence over U.S. politics continued from the founding of the country to present day. Congress acted several times during the twentieth century to remedy the situation.73 The Foreign Agent Registration Act (FARA), passed in 1938, “established disclosure requirements for certain kinds of political expression sponsored by foreign principals” and required foreign principals to register with the government in an attempt to prevent foreign influence in U.S. policy-making.74 In 1966, the FARA was updated to “make it a felony for a foreign principal to use an agent to make campaign contributions or for a candidate to solicit such contributions.”75

The foreign national ban, originally part of the Act, was further updated in 2002 in the Bipartisan Campaign Reform Act (BCRA) in response to a scandal involving the 1996 presidential election where the DNC and President Bill Clinton’s campaign raised over $150,000 from foreign sources.76 In the aftermath, both the DNC and the campaign were heavily fined by the FEC for violating the foreign national ban, which provided the impetus for the 2002 update.77

The constitutionality of the ban was subsequently challenged in the case Bluman v. FEC.78 Plaintiffs were foreign nationals who lived in the United States on temporary work visas.79 They wanted to “donate money to candidates in U.S. federal and state elections,” contribute money to political parties and groups, and make independent expenditures to advocate for particular candidates.80 The foreign national ban prohibited them from making such donations, so the foreign nationals sued, claiming the ban was unconstitutional.81

In a decision later affirmed by the U.S. Supreme Court, the D.C. Circuit upheld the foreign national ban.82 The court examined the history of the foreign national ban, reviewing its enactment and subsequent updates in response to fears that foreigners would interfere with elections by contributing to candidates and engaging in other election activities.83 Using strict scrutiny, the court found that the foreign national ban served a compelling government interest because excluding foreigners from participating in U.S. “democratic political institutions” is part of the government’s duty to “preserve the basic conception of a political community.”84 Relying on precedent, the court explained that by limiting foreign participation in U.S. self-government, the government is preventing foreign influence in the political process.85

B. Deliver Uncompromised and the National Cyber Strategy

Along with the Act’s ban on foreign election activities, an understanding of the DoD’s strategy to deal with cyberattacks is critical. This Note will argue that this strategy must be used to protect U.S. elections at the state level. U.S. military officials and national security experts are convinced that the U.S. supply chain is under attack.86 These attacks do not occur on U.S. soil nor do they claim the lives of U.S. citizens; instead, these attacks take place in cyberspace.87 The cyber incidents described earlier are just a few examples of the widespread efforts of foreign actors to disrupt and hamper the U.S. supply chain.88 U.S. adversaries are exploiting cyber weaknesses in the supply chain to steal technical data, attack “control systems used for critical infrastructure, manufacturing, and weapons systems,” and achieve unauthorized access to top secret defense systems and operations.89 In other words, the U.S. supply chain is vulnerable and at risk.90 A vulnerable supply chain means that the United States is not mission ready, which threatens U.S. national security.91 Alarmingly, the United States has “no comprehensive deterrence” for these cyberattacks.92

The status quo may seem bleak, but the DoD is determined to remedy this situation through a policy called Deliver Uncompromised.93 Problems with the supply chain persist because products and technologies that require code are often attacked by U.S. adversaries who seek to steal intellectual property for their own use and sabotage certain systems through malicious code and other tools.94 Deliver Uncompromised seeks to end this by changing how weapons contracts are awarded.95 Instead of just analyzing cost, schedule, and past performance, the DoD will also consider security, assessing how well contractors keep their data and software secure.96 The DoD hopes that by making security a major factor in the acquisition process, contractors will improve their own security to receive contracts from the DoD and keep their products and networks secure.97

Deliver Uncompromised outlines fifteen “Courses of Action” (COA) for the DoD to remedy supply chain vulnerabilities.98 The first COA is to “Elevate Security as a Primary Metric in DoD Acquisition and Sustainment.”99 Agencies would be required to consider security equally with cost, schedule, and performance when engaging in acquisition planning.100 The second COA calls for creating a National Supply Chain Intelligence Center that would gather and disseminate information about cyberattacks so that contractors can keep abreast of ongoing events and be alert for attacks on their systems.101 The DoD also wants contractors to share information among themselves and with the government, but contractors often resist information sharing for fear that it could expose them to liability.102 Accordingly, the report recommends “liability protection for contractors” as an incentive to share information.103 Another COA recommends having an independent entity constantly monitorvsupply chain systems for security risks.104 Yet another COA calls for using contract terms to ensure security of supply.105 By incorporating certain security requirements in the contract terms, the DoD seeks to incentivize good cybersecurity behavior and ensure that the products and services that it acquires are uncompromised.106

But difficulties will arise with implementing this policy change. For instance, bolstering security will increase costs for contractors.107 Likewise, the increased costs will make it harder for subcontractors and small businesses to meet these security requirements.108 Tax incentives could mitigate this issue, allowing these smaller companies to maintain security and maintain the funds to compete in the procurement process.109 Similarly, the DoD must receive additional funding and promote the value in receiving uncompromised products.110 Furthermore, the DoD should provide incentives for contractors to improve their security.111 This is because contractors will need to proactively meet these increased security standards, as compliance issues arising from such standards will lead to more bid protests and litigation in general.112 Overall, Deliver Uncompromised seeks to improve supply chain security and force the contracting community to take security seriously.113

Concurrently, the White House has a National Cyber Strategy that, while not as detailed as the DoD’s, essentially espouses the same goals.114 The plan is primarily concerned with sharing threat information with supply chain contractors.115 Additionally, the plan calls for streamlining supply chain security management to eliminate risky vendors.116 Finally, the plan calls for monitoring of contractor risk management techniques and security practices.117 Deliver Uncompromised and the National Cyber Strategy demonstrate a desire by the current administration and the DoD to end U.S. cyber vulnerabilities and to actively deter cyberattacks.

C. Government Bans Kaspersky Labs Through Binding Operational Directive and Legislation

The plans discussed above are partly the result of the following scandal.118 In 2015, Israeli intelligence discovered a Russian company, Kaspersky, using hacking programs that appeared to come from the United States.119 Specifically, the Israelis observed Russian government hackers searching the web for U.S. intelligence.120 Israel alerted the NSA, which conducted a search and found that classified material was stolen from an NSA contractor who used Kaspersky products on his computer.121 The NSA discovered that the Russian government was accessing Kaspersky antivirus software to search for U.S. classified information.122 Additionally, Kaspersky’s founder and CEO, Eugene Kaspersky, has close ties to the Kremlin, and the company itself is “subject to Russian laws that allow the Russian government to request or compel assistance from Russian companies.”123

In 2017, the General Services Administration removed Kaspersky from its list of approved vendors, citing the possibility that computers with Kaspersky software could be compromised.124 Later that year, the DHS issued Binding Operative Directive 17-01 (BOD) that ordered all civilian agencies to remove Kaspersky software from their computers.125 The BOD gave the agencies ninety days to identify and remove all Kaspersky products from all “[f]ederal information system[s].”126 Importantly, the BOD only concerned Kaspersky software products, and it was limited to all executive agencies except for the DoD and the Intelligence Community.127

The DHS laid out six reasons to justify the issuance of the BOD.128 First, some federal agencies used Kaspersky products, and Kaspersky sought to expand the use of its products and services to other agencies.129 Second, Kaspersky’s antivirus software enjoyed broad access to secure files and information that cyber attackers could exploit.130 Third, data from computers using Kaspersky software is sent to Kaspersky servers that can be accessed from Russia.131 Fourth, Russia already engaged in cyberattacks on the United States, and it is likely to continue its efforts.132 Fifth, Kaspersky and certain officers in the company have ties to the Russian government and its espionage services.133 Finally, Russia’s laws allow its intelligence apparatus to intercept communications moving through Russian networks and compel Kaspersky to assist the Russian government.134

In response, Kaspersky claimed that it had no inappropriate relationship with the Russian government, that there was no evidence of wrongdoing, that the BOD was based on uncorroborated sources, and that the BOD violated its equal protection rights.135 After compiling more information and meeting with Kaspersky officials, the DHS nevertheless finalized the BOD for the reasons stated above.136 Kaspersky challenged the BOD in a U.S. federal court, which dismissed the case for lack of standing because the BOD was superseded by congressional action.137

Days after the BOD was finalized, Congress and the President took further action in the National Defense Authorization Act for Fiscal Year 2018 (NDAA).138 The NDAA contained a provision that banned the use of Kaspersky products throughout the federal government.139 The ban superseded the BOD because it included all Kaspersky products, not just software, and it applied to all federal entities including the DoD and the Intelligence Community.140

While the NDAA did not originally include the Kaspersky ban, members of Congress became very concerned in the months following the BOD.141 The House of Representatives held several hearings to obtain information on the potential risks associated with using Kaspersky products.142 Members of Congress from both parties pressed agency officials for an explanation as to why the DHS issued the BOD before sharing and addressing concerns about Kaspersky.143 Congress added the Kaspersky ban to the NDAA in response to these concerns.144

Kaspersky filed suit alleging that the ban in the NDAA was unconstitutional because it comprised “a bill of attainder in violation of Section 9 of Article I of the United States Constitution.”145 U.S. Supreme Court precedent holds that “a law is prohibited under the bill of attainder clause ‘if it (1) applies with specificity, and (2) imposes punishment.’”146 Here, Kaspersky argued that (1) it was specifically targeted by the ban and (2) the ban sufficiently damaged its ability to do business in the United States to rise to the level of punishment.147

The district court found that the ban did not constitute a bill of attainder because, while the law specifically targets Kaspersky, the company was not punished.148 Historically, the bill of attainder provision applied to individuals, and Kaspersky is a corporation.149 Furthermore, the law does not implicate the bill of attainder clause because Congress passed it for the nonpunitive purpose of “protecting the United States government’s information systems from the threat of Russian cyber-intrusion.”150 The court held that the ban performed a “prospective, risk-prevention function that is distinct from punishment” in that Congress — faced with the risk of cyberattack from Russia — acted rationally to protect national security.151 Finally, Congress was not motivated by a desire to punish Kaspersky when it passed the legislation.152 The court reasoned that the months of congressional hearings and investigations coupled with executive branch action to oust Kaspersky from its computers show that Congress passed this legislation to protect the United States from Russian cyber aggression.153

In sum, the BOD and the Kaspersky ban came about based on the risks that Kaspersky presented to the safety of U.S. cyberspace. In dismissing Kaspersky’s two cases, the court upheld executive and congressional concerns about Kaspersky’s ties to the Russian government amid fears that U.S. national security was at risk. This episode illustrates that the government can take steps to safeguard U.S. secrets and security.

III. Foreign Interference and Participation in U.S. Elections

Beyond the Kaspersky affair, Russia engaged in a massive effort to disrupt the 2016 election.154 This section discusses the Russian attack on state election systems. Next, the section provides detailed informationabout the Russian-owned Maryland election contractor before summarizing the mechanisms already in place to protect U.S. elections from cyberattack.

A. Russian Hacking of State Election Systems in 2016

Russia disrupted the election in multiple ways. Russian agents hacked into the DNC network and filched thousands of emails belonging to party officials, Hillary Clinton campaign staff, and key supporters of her campaign.155 In the remaining months before the election, the Russians released the documents on WikiLeaks and other websites.156 Russian agents were also accused of conducting a social media “troll” campaign to spread disinformation.157 For instance, they posted false stories and posed as Americans to generate debate over divisive issues and provoke discord.158 Russian agents also bought political ads and staged political rallies.159

The DNC hack and the social media “fake news” campaign are clear examples of Russia’s plan to disrupt the 2016 presidential election. However, Russia’s efforts were not limited to national elections; its agents also tried to hack into twenty-one state election systems.160 Importantly, these attempts did not affect the vote tallying mechanisms.161 Instead, the DHS described the attempted hack as a scan for vulnerabilities.162 The DHS refused to name the states involved, but reports indicate that Russia probed Maryland’s online absentee ballot delivery system.163 Russia also targeted Illinois’s and Arizona’s voter registration systems.164

The NSA further described the extent of these cyberattacks on state election systems.165 The NSA report states that one voting software supplier was attacked and that at least 100 election officials were also targeted.166 These attacks purportedly happened a few days before the 2016 election.167 The Russians apparently targeted voter registration systems and sent phishing emails to individuals who were likely in charge of voter registration.168 The report did not conclude that these attacks were successful, and the NSA does not know if any data was compromised or lost.169 However, the damage may already have been done, as the public now perceives election systems as insecure and easily manipulated.170

B. Foreign Participation in U.S. Elections: Maryland Example

Cyberattacks on state election systems have continued to be a problem even after the 2016 presidential election. In the summer of 2018, the FBI alerted Maryland officials, including Governor Larry Hogan, that a foreign national owned one of its election software contractors.171 The contractor, ByteGrid LLC (ByteGrid), is a U.S. company that runs Maryland’s “voter registration system, candidacy and election management system, online ballot delivery system and [the] unofficial election night results website.”172 The FBI and Maryland officials were concerned because ByteGrid is owned by AltPoint Capital Partners (Altpoint).173 Altpoint’s “fund manager is Russian, and its largest investor is a Russian oligarch named Vladimir Potanin,”174 a rumored associate of Russian President Vladimir Putin.175

After receiving this information from the FBI, Maryland officials immediately reached out to the DHS for technical assistance in securing its election systems.176 Maryland officials also decided to make the information public “to inform other states about Russian involvement and to assure Maryland voters that they [were] working to ensure that the state’s elections [had not been] compromised.”177 The DHS eventually concluded that there was no breach or evidence of wrongdoing.178

Despite no evidence of wrongdoing, Maryland’s officials and representatives in Congress were uneasy about Altpoint’s relationship with ByteGrid.179 Shortly after this story came to light, Maryland Senators Ben Cardin and Chris Van Hollen sent a joint letter to the Secretary of the U.S. Department of the Treasury.180 In the letter, the senators asked the Secretary to authorize the Committee on Foreign Investment in the United States (CFIUS) to review the business relationship between ByteGrid and Altpoint.181 The senators pointed out that foreign access to U.S. election infrastructure can give foreign governments access to information that could be used against the United States.182 They reasoned that because U.S. elections were previously threatened by foreign cyberattacks, foreigners investing in U.S. election infrastructure could potentially exacerbate the problem.183

C. Current Mechanisms in Place to Protect Elections

In light of these potential problems, mechanisms are in place to protect elections at the DHS. Part of that agency’s mission is to “maintain public trust and confidence in America’s election system.”184 The DHS works with election officials across the country to fulfill its mission by offering a variety of resources concerning cybersecurity and threat identification.185 As state and local governments are ultimately responsible for their own election infrastructure, the DHS assumes a supporting role.186 Currently, states decide whether they want election security assistance from the DHS, with few asking for aid.187

If a state reaches out to the DHS, the agency offers three types of assistance.188 First, it shares information about “electoral infrastructure incidents with state and local governments.”189 Second, the DHS provides assistance in discovering and neutralizing cyber threats to election systems.190 Finally, the DHS assists the owners of the election systems with cyber evaluations, risk management, and identification of strengths and weaknesses of the system.191

The DHS has several information sharing programs about incidents that concern election systems.192 With Automated Indicator Sharing, the federal government, state governments, and the private sector share “cyber threat indicators” with each other.193 The Cyber Information Sharing and Collaboration Program allows the federal government and election infrastructure owners to share information about cyber threats and critical weaknesses.194 This program allows the government and election system owners to work together to understand cyber threats and how to prevent them.195

The DHS likewise has several programs that improve cybersecurity by discovering and eliminating threats to election systems.196 For instance, the Continuous Diagnostics and Mitigation Program monitors the election system network and permits users to review the state of the network at any time, thus allowing for a swift response to any potential breaches.197 A separate program notifies network administrators of a breach and then works with them to contain and eliminate it, while another is dedicated to analyzing malware so that administrators can combat it.198

Alongside threat elimination initiatives, the DHS offers a variety of cybersecurity assessment programs, which evaluate the organization’s cyber readiness.199 The DHS can also assess how well the system responds to threats like phishing scams.200 Overall, the DHS initiatives are designed to help state and local officials keep their election systems secure.201

IV. Government Solutions to Eliminate Foreign Participation

Obviously, it is troubling that Maryland contracts with a company owned by foreign nationals for election software. By running election software, Altpoint is participating in the U.S. election process through its subsidiary, ByteGrid. The United States does not want foreigners participating in elections because such foreigners may have different interests and loyalties and it would be an intrusion in the U.S. “political community.”202 This incident is further proof that U.S. election systems are vulnerable. But what can be done? The federal government has three potential options to address this problem with Maryland. First, the federal government could extend the foreign national ban to election contracts. Second, the federal government could require that the states adopt increased cybersecurity standards similar to the Deliver Uncompromised plan. Third, the federal government could apply the Kaspersky model and ban the contractor. The government should implement options one and two in order to end foreign participation in U.S. election contracts.

A. Apply the Foreign National Ban to Election Contracts

The federal government should apply a variation of the foreign national ban that prohibits foreign nationals from engaging in certain election activities.203 Under the current foreign national ban, foreign nationals cannot contribute money or anything of value to candidates, campaigns, or political parties.204 Additionally, they cannot make decisions when it comes to election activity.205 If a foreign company with a U.S. subsidiary establishes a PAC, the foreign company cannot make any decisions for the PAC.206 Here, the federal government should make a similar rule regarding foreign national participation in election contracts.

First, there would be a total ban on foreign companies holding election contracts. This means that Altpoint could not have a U.S. election contract by itself. This facet of the plan would operate similarly to the current foreign national ban that prohibits foreigners from contributing money to campaigns or using funds “to expressly advocate for or against … a candidate.”207 The United States does not want foreign companies holding election contracts for the same reasons that it does not want foreign nationals participating in elections. The U.S. “political community” needs to be preserved and protected from foreign influence.208

Second, if a foreign company with a U.S. subsidiary or a controlling interest in a U.S. company were to win an election contract, the foreign company could not make any decisions or take part in the performance of the contract. For example, ByteGrid could perform the contract provided that Altpoint remained separated. Altpoint could not know the details of the services provided by ByteGrid, and it certainly could not be privy to any data that ByteGrid were to receive from Maryland in performing the contract. ByteGrid would need to operate entirely independently of Altpoint. With strict FEC enforcement, this proposal is similar to the rules governing foreign companies with U.S. subsidiaries that operate PACs.209

This approach is not without fault, as it is difficult to imagine a situation in which a foreign company would allow its subsidiary to acquire and carry out a contract without any data leakage. For example, it is concerning that data from Maryland’s election systems could leak to Altpoint. This proposal would prevent that concern by requiring ByteGrid or the U.S. contractor to have sole access to the data.

Third, the proposed ban should include a firewall provision to prevent data leakage. Firewall provisions are currently used to mitigate an Organizational Conflict of Interest (OCI).210 When a Contracting Officer identifies a potential OCI, they must determine how to mitigate or neutralize the conflict.211 One mitigation technique is to “create[] firewalls within the government and the contractor’s organization” to guarantee that the contractor does not access proprietary or competitive information and gain an unfair competitive advantage.212 Here, Altpoint and ByteGrid could establish a firewall to allow ByteGrid to perform the contract without data leakage to Altpoint.

This new rule requires additional clarification, but it nevertheless lays the foundation to restrict foreign participation in U.S. election contracts. Alarmingly, Maryland did not know that Altpoint owned ByteGrid until it was informed by the FBI.213 Under this new rule, the FEC and state officials would examine these contracts. Altpoint’s acquisition of ByteGrid, for instance, would have been noticed, and the contract would have to be modified to resemble the new rule. Conversely, a provision could be added that would require contractors to disclose if they have been acquired by a foreign company.214 Forcing contractors to disclose this information will provide added vigilance and awareness of any foreign participation in election contracts.215

The foreign national ban makes clear that the United States does not want foreign nationals participating in elections,216 and this framework extends the ban to participation in election infrastructure. This proposed ban is more evenhanded than simply banning Altpoint, but nevertheless achieves the same result. Further, it demonstrates that the ban is not based on perceived wrongdoing, but rather reflects the United States’ desire to protect its “political community” from foreign participation and influence.217 Finally, the proposed ban could model its language and reasoning on that contained in BCRA and FEC regulations, thus accelerating its implementation.218 This option is highly advantageous given the approaching 2020 elections.

B. Require States to Adopt Versions of Deliver Uncompromised and the National Cyber Strategy

Likewise, when it comes to election contracts, the federal government should require states to adopt a version of Deliver Uncompromised and the National Cyber Strategy. This idea is straightforward. The states would have to put a new emphasis on security as they award their election system contracts. Furthermore, the states and the contractors themselves would have to monitor their systems for cyberattacks.

With this new rule, the states would telegraph their readiness to procure secure election software and increase their vigilance. Deliver Uncompromised and the National Cyber Strategy seek to shift the culture to a more careful scrutiny of supply chain contracts so that only secure products are delivered.219 By applying these same rules, state election officials would scrutinize their contracts more carefully and be sure to notice cyber incidents or foreign acquisitions concerning their contractors.

Specifically, the idea would be to require implementation of certain COAs from the Deliver Uncompromised plan at the state level. In line with the first COA, the states would elevate security relative to other selection criteria that they consider when soliciting election contracts.220 Essentially, states would consider the contractor’s ability to keep its data secure and to provide uncompromised services to the state. For information sharing, an independent agency or the DHS, which have programs in place to share threat information with participating states, could disseminate threat prevention techniques and share risk information to keep all states on alert.221 To better implement the COA concerning constant monitoring for cyber threats, states could use the DHS program that provides such monitoring of a state’s election system.222 Finally, states could implement these changes by adding certain cyber standards into the language of election contracts.223

As seen at the federal level, difficulties may arise with implementing Deliver Uncompromised, some of which will be unique to the state level. There are cost and compliance concerns.224 For Deliver Uncompromised, the DoD will have to pay more if it expects contractors to devote significant resources to improving security.225 This is particularly salient at the state level because smaller states may not have the resources or funds to pay their election software contractors to improve security.226 Also, the state-level contractors may not have the resources to comply with all of the cyber standards that the states require.

States also face unique issues of authority and implementation. Is there a federalism issue? How would the states share threat information with each other? How would uniform cyber standards be applied to fifty different states, which may have different election systems? Finally, how could the federal government require the states to address these election concerns given that states are responsible for their own election systems?227

While these concerns are valid, higher cyber standards are viable and necessary to address the problem of foreign participation in elections. First, several federal statutes have been adopted by the states.228 Second, this proposal only concerns election contracts, whereas Deliver Uncompromised and the associated cyber standards are aimed at federal supply chain procurements and involve culture changes in entire industries.229 State election officials could implement changes faster and at a lower cost because election contracts are a smaller field.

Additionally, some of the potential changes are already covered by the DHS. The DHS offers programs that monitor election systems for cyber threats, share threat information with the states, and provide assistance with combating malicious code and other cyberattacks.230 Using DHS programs as a starting point partly solves the problem of how states would share information or adopt uniform standards. States could be farther along with increasing cyber standards for elections if they all accepted DHS assistance.

Ultimately, adopting higher cyber standards for election contractors is a good idea because it is already happening with the supply chain at the federal level.231 Additionally, heightened security within our election infrastructure will ensure that the election systems are well-defended and bolster public perceptions of election security. It also fits within the policy concerns of keeping U.S. elections secure and free from foreign participation.232

C. Applying the Kaspersky Model

In lieu of options one and two, the federal government could apply the Kaspersky model by banning Altpoint and its subsidiaries from election contracts.233 This ban would mirror the Kaspersky ban by excluding Altpoint due to the risk that malicious foreign actors might access or alter data from Maryland’s election systems.234

There are several similarities between Altpoint and Kaspersky. First, like Kaspersky, Altpoint is a Russian-owned company.235 Second, Altpoint’s largest investor has close ties to the Kremlin, similar to Kaspersky’s founder and CEO.236 Third, Altpoint’s motives and capabilities are suspect. This concern is warranted because it is not difficult to imagine that Altpoint could access Maryland’s election data through Bytegrid. Importantly, while there was no evidence of wrongdoing, the risk of data leakage raises concerns about the potential for foreign agents to compromise the data.237 In Kaspersky v. DHS, the court found a sufficient risk of foreign access to U.S. top secret information to justify the Kaspersky ban, which would protect U.S. classified networks.238 The similarities between Altpoint and Kaspersky suggest that a ban is appropriate here.

This option is advantageous because it could be done relatively quickly. When the DHS issued the BOD in September 2017, agencies were given ninety days to remove Kaspersky products from their computers.239 Three months later, President Trump signed the NDAA ban into law.240 A ban on Altpoint should be similarly expeditious. Additionally, the FAR and NDAA contain already the language used for the Kaspersky ban,241 making it efficient to use similar language to ban Altpoint. In short, a general ban on Altpoint for election contracts would move swiftly.

Finally, the policy reasons for restricting foreign participation in U.S. elections are equally compelling here. Altpoint should not have this contract because the contract allows the company to participate in and potentially manipulate U.S. election infrastructure. Russia attempted to hack into that infrastructure before the 2016 election, targeting Maryland in the process.242 Altpoint’s election contract in Maryland goes against policy concerns of “preserving a political community” from foreign influence.243

Despite the advantages of an Altpoint ban, it is not the appropriate remedy to the problem. Before Kaspersky was banned, experts thought for years that the company provided a “backdoor for Russian intelligence.”244 After receiving alerts from Israel, U.S. intelligence officials discussed the matter and investigated Kaspersky’s software and potential ties to the Kremlin.245 Additionally, before finalizing the BOD and passing the NDAA, the DHS and Congress engaged in a comprehensive fact-finding effort with hearings, investigations, and briefings from intelligence experts.246 The Kaspersky ban was the result of years-long suspicion followed by a two-year investigation.247 In the Maryland case, the FBI only discovered that Altpoint owned ByteGrid in 2018.248 The investigation into this issue has not been as robust and substantive as the Kaspersky matter.

Another difference between Altpoint and Kaspersky is the breadth of their government business in the United States. So far, Altpoint is only involved in this single election contract. By contrast, Kaspersky products were running on the computers of fifteen percent of federal agencies.249 Kaspersky’s prevalence within federal networks rendered the risk pervasive, whereas Altpoint had only one contract in Maryland. The risk here is not as clear as it was for Kaspersky. Furthermore, there has been no evidence of wrongdoing by Altpoint.250 With Kaspersky, the investigation showed evidence of a breach,251 but in Maryland, the DHS found no such evidence.252 It would be unfair to ban Altpoint without evidence of wrongdoing.

However, when foreigners participate in U.S. elections, the fear is that they may assert influence and cast doubt on the security of elections.253 Furthermore, there is risk in allowing Altpoint to have this contract. With that in mind, action must be taken to prevent foreign companies from participating in U.S. elections through election contracts. But a flat-out ban on Altpoint would be unfair and would not prevent similar foreign companies from conducting election activity in the future.

D. Looking to November

The Maryland problem is best solved by a combination of options one and two. The federal government should extend the foreign national ban to state election contracting and enforce increased cyber standards for election contractors. However, the issues regarding election contracts exist at only the state and local level.254 Problems with the federal supply chain demand a federal response that will apply across the federal government. But here, the federal government would have to pass legislation that applies to all the states, which would be more difficult. Congress is responsible for the campaign finance laws in the United States, and those statutes apply to the states as well.255 Currently, Congress appropriates some money to the states for election infrastructure.256 Congress could pass a statute or appropriations bill that would codify the foreign national ban and increase cybersecurity standards for election contracts. Since election contracts are such a small aspect of state power, states are not likely to bring a federalism challenge.

Alternatively, Congress could create a dedicated agency or delegate authority to an existing agency to implement these solutions. For instance, the DHS is uniquely situated to do so since it already offers voluntary aid to state election departments.257 Congress could make participation in the DHS’s programs mandatory and give the agency the authority to promulgate uniform cybersecurity standards for election systems.

However these solutions are implemented, action must be taken. The government is currently addressing the problem of supply-chain security with various statutes and programs designed to improve cybersecurity and eliminate the weaknesses in U.S. procurement processes and networks.258 This same energy must be devoted to the issue of keeping U.S. election systems secure and free of foreign participation. The next presidential election is a few months away and, if history is any indication, it is highly likely that Russia and other nations will attempt to interfere.259 These steps require immediate implementation to safeguard U.S. election infrastructure from foreign interference and allow the American public to regain trust in election security.

V. Conclusion

U.S. elections are in danger.260 The 2016 election saw unprecedented levels of foreign participation, and there is no evidence that Russia will cease its malicious activity.261 Something must be done to safeguard U.S. elections and end foreign participation in U.S. election systems. The most effective method to exclude foreign companies from participating in U.S. election infrastructure is to ban foreign participation in election contracts and focus on cybersecurity when awarding these contracts. The ban on direct participation by foreign companies and a separation between U.S. subsidiaries and their foreign parent will ensure that state voting data does not fall into foreign hands. A new focus on cybersecurity will ensure that states stay vigilant to issues arising with their election system contractors. Whatever is done, the federal government and the states must work together to safeguard U.S. election systems and protect American democracy.

Entity:
Topic:
  1. See Ellen Nakashima, Russian Government Hackers Penetrated DNC, Stole Opposition Research on Trump, Wash. Post (June 14, 2016), https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html?utm_term=.618c01d99061 [https://perma.cc/LPF8-UNW5].
  2. See Jonathan Masters, Russia, Trump, and the 2016 U.S. Election, Council on Foreign Rel. (Feb. 26, 2018), https://www.cfr.org/backgrounder/russia-trump-and-2016-us-election [https://perma.cc/5RUL-L5FK].
  3. Id.
  4. Id.
  5. Id.
  6. See generally Press Release, Fed. Bureau of Investigation, Joint Statement on Election Day Preparations (Nov. 5, 2018), https://www.fbi.gov/news/pressrel/press-releases/joint-statement-on-election-day-preparations [https://perma.cc/E5C2-L4H5] (cautioning Americans that foreign actors “continue to try to influence public sentiment and voter perceptions through actions intended to sow discord”); Matthew Rosenberg et al., ‘Chaos Is the Point’: Russian Hackers and Trolls Grow Stealthier in 2020, N.Y. Times (Jan. 10, 2020), https://www.nytimes.com/2020/01/10/us/politics/russia-hacking-disinformation-election.html [https://perma.cc/6EC4-SDQW] (stating that Russia “remains the greatest threat” to the integrity of the 2020 elections).
  7. See Derek Hawkins, The Cybersecurity 202: Voters’ Distrust of Election Security Is Just as Powerful as an Actual Hack, Officials Worry, Wash. Post (June 5, 2018), https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/06/05/the-cybersecurity-202-voters-distrust-of-election-security-is-just-as-powerful-as-an-actual-hack-officials-worry/5b1567091b326b08e883912f/?utm_term=.1f851ffd388d [https://perma.cc/R2CB-KZ7K].
  8. Ovetta Wiggins, Election System Firm with Maryland Contract Has Ties to Russian Oligarch, FBI Tells State, Wash. Post (July 13, 2018), https://www.washingtonpost.com/local/md-politics/marylands-election-system-tied-to-russian-oligarch-fbi-tells-state/2018/07/13/89b8ce56-86fa-11e8-8f6c-46cb43e3f306_story.html?utm_term=.29ea9d13f536 [https://perma.cc/H7CE-KS3C]; Benjamin Freed, Maryland Election Systems Hosted by Russia-Linked Firm Were Not Compromised,DHS Says, StateScoop (Nov. 30, 2018), https://statescoop.com/maryland-election-systems-not-compromised [https://perma.cc/A64B-VVK9] (noting that the contractor in question was purchased by a Russian investment firm in 2015).
  9. Wiggins, supra note 8.
  10. Id.; Freed, supra note 8.
  11. Owen Bowcott, China’s Hackers Stealing US Defence Secrets, Says Congressional Panel, Guardian (Nov. 20, 2008), https://www.theguardian.com/world/2008/nov/20/america-china-hacking-security-obama [https://perma.cc/78GS-HM96]. The hackers sought access to unclassified networks. Id.
  12. Significant Cyber Incidents Since 2006, Ctr. for Strategic & Int’l Stud., https://csis-prod.s3.amazonaws.com/s3fs-public/200108_Significant_Cyber_Events_List.pdf?aj4_VlDq2hSan2U8O5mS29Iurq3G1QKa [https://perma.cc/UYH8-BA5W] (last visited Nov. 18, 2018).
  13. Id.
  14. Id.
  15. See generally id. (detailing numerous attacks on U.S. contractors between 2009 and 2018).
  16. The White House, The National Cyber Strategy of the United States 1-2 (2018) [hereinafter National Cyber Strategy of the United States].
  17. See Ellen Nakashima, Pentagon Is Rethinking its Multibillion-Dollar Relationship with U.S. Defense Contractors to Boost Supply Chain Security, Wash. Post (Aug. 13, 2018), https://www.washingtonpost.com/world/national-security/the-pentagon-is-rethinking-its-multibillion-dollar-relationship-with-us-defense-contractors-to-stress-supply-chain-security/2018/08/12/31d63a06-9a79-11e8-b60b-1c897f17e185_story.html?utm_term=.fddc97d99053&wpisrc=al_local_business__alert-local-business&wpmk=1 [https://perma.cc/SQ4A-5JBB].
  18. Id.
  19. Id.
  20. Id.
  21. National Cyber Strategy of the United States, supra note 16, at 7.
  22. Id.
  23. Id.
  24. See Nicole Perlroth & Scott Shane, How Israel Caught Russian Hackers Scouring the World for U.S. Secrets, N.Y. Times (Oct. 10, 2017), https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html [https://perma.cc/7VQK-M5Q6].
  25. See id.
  26. Ellen Nakashima & Jack Gillum, U.S. Moves to Ban Kaspersky Software in Federal Agencies Amid Concerns of Russian Espionage, Wash. Post (Sept. 13, 2017), https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html?utm_term=.834bdc336bd9 [https://perma.cc/JG69-LEC4].
  27. See Marco Rubio & Chris Van Hollen, Our Elections Are in Danger. Congress Must Defend Them., Wash. Post (Jan. 16, 2018), https://www.washingtonpost.com/opinions/our-elections-are-in-danger-congress-must-defend-them/2018/01/15/c7b3aac8-fa28-11e7-ad8c-ecbb62019393_story.html?utm_term=.41cd9afab133 [https://perma.cc/2H55-WPLG].
  28. See David M. Howard, Can Democracy Withstand the Cyber Age?: 1984 in the 21st Century, 69 Hastings L.J. 1355, 1365 (2018).
  29. See Hearing to Receive Testimony on Foreign Cyber Threats to the United States Before the S. Comm. on Armed Services, 115th Cong. (2017) (statement of John McCain, Chairman, Armed Services Committee), https://www.armed-services.senate.gov/imo/media/doc/1-5-17%20Foreign %20Cyber%20Threats%20(McCain).pdf [https://perma.cc/FP98-5PUP].
  30. See Howard, supra note 28, at 1359–60.
  31. Hawkins, supra note 7.
  32. Dep’t of Homeland Sec., DHS Election Infrastructure Security Resource Guide 5 (2018).
  33. National Cyber Strategy of the United States, supra note 16, at 2.
  34. Myles Martin, Foreign Nationals, FEC Record: Outreach (June 23, 2017), https://www.fec.gov/updates/foreign-nationals [https://perma.cc/W23R-LVNY].
  35. Fed. Election Comm’n, FY 2018–2022 Strategic Plan, at i (2018). See generally 52 U.S.C. § 30101 (2018).
  36. Fed. Election Comm’n, supra note 35, at i, iii.
  37. Id. at ii.
  38. Id. at i.
  39. Martin, supra note 34.
  40. 52 U.S.C. § 30121(b) (2012).
  41. Martin, supra note 34.
  42. Id.
  43. 52 U.S.C. § 30121(a)(1).
  44. Id. § 30121(a)(1)(C).
  45. Martin, supra note 34.
  46. Id.
  47. Id.
  48. Id.
  49. 11 C.F.R. 110.20(g) (2019).
  50. Id. at 110.20(h).
  51. Martin, supra note 34.
  52. Id.
  53. Id. The treasurer has thirty days to determine the legality of the contribution or issue a refund. Id. The treasurer must keep a written record during the inquiry. Id.
  54. Id.
  55. Id.
  56. 11 C.F.R. 110.20(i) (2019).
  57. Id.
  58. Id.
  59. Martin, supra note 34.
  60. Id.
  61. Id.
  62. Id.
  63. Id.
  64. Id.
  65. Trevor Potter, Foreign Interference in the 2016 Election: How Did We Get Here?, in Examining Foreign Interference in U.S. Elections: A Report From the Campaign Legal Center. 6 (2018).
  66. Id.
  67. See id. at 6, 7
  68. Matt A. Vega, The First Amendment Lost in Translation: Preventing Foreign Influence in U.S. Elections After Citizens United v. FEC, 44 Loy. L.A. L. Rev. 951, 960 (2011).
  69. See id. at 960–63.
  70. See id. at 963.
  71. U.S. Const art. I, § 9, cl. 8.
  72. Michael Kagan, When Immigrants Speak: The Precarious Status of Non-Citizen Speech Under the First Amendment, 57 B.C. L. Rev. 1237, 1258 (2016); Vega, supra note 68, at 963.
  73. Vega, supra note 68, at 967–71.
  74. Id. at 968. The FARA is codified at 22 U.S.C. §§ 611–21 (2018).
  75. Vega, supra note 68, at 970.
  76. See generally Bipartisan Campaign Reform Act of 2002, Pub. L. No. 107-155, 116 Stat. 81 (2002); Potter, supra note 65, at 8.
  77. See Potter, supra note 65, at 8.
  78. Bluman v. Fed. Election Comm’n, 800 F. Supp. 2d 281, 281 (D.D.C. 2011), aff'd, 565 U.S. 1104 (2012).
  79. Id. at 282.
  80. Id. at 282–83.
  81. Id. at 283.
  82. Id.
  83. Id. at 283–84.
  84. Id. at 286, 287–89 (quoting Foley v. Connelie, 435 U.S. 291, 295–96 (1978)). Strict scrutiny requires that a statute be “narrowly tailored to advance a compelling government interest.” Id. at 286.
  85. Id. This Note focuses on the fear of foreign interference in the U.S. political system because it clearly lays out the government’s duty, preserving our political community. The author is aware that quid pro quo corruption is a major concern in election law and that there is an argument for that here, but he has chosen not to address it based on the constraints of this Note. For reading on quid pro quo corruption and what it means to election law, see Jonathan S. Berkon & Marc E. Elias, After McCutcheon, 127 Harv. L. Rev. F. 373 (2014).
  86. See Chris A. Nissen et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War 7 (2018) [hereinafter Deliver Uncompromised].
  87. See id.
  88. See id.
  89. Id.
  90. Id.
  91. Id.
  92. Id.
  93. See Nakashima, supra note 17.
  94. Id.
  95. Id.
  96. Id.
  97. Id. The decision to consider a contractor’s security capabilities in addition to traditional criteria marks “a fundamental shift in department culture.” Id.
  98. Deliver Uncompromised, supra note 86, at iv.
  99. Id. at 15.
  100. Id. The goal is for security to become the “4th Pillar” of acquisition planning. Id.
  101. Id. at 22–24.
  102. Moshe Broder, MITRE Report Recommends Critical Changes to Supply Chain Security, Wiley Rein LLP (Sept. 2018), https://www.wiley.law/newsletter-MITRE-Report-Recommends-Critical-Changes-to-Supply-Chain-Security [https://perma.cc/Q7Z2-WRGA].
  103. Id.
  104. Deliver Uncompromised, supra note 86, at 30.
  105. See id. at 31.
  106. See id.
  107. See id. at 18.
  108. Id.
  109. Id.
  110. See id.
  111. Id. at 20.
  112. See Broder, supra note 102.
  113. Deliver Uncompromised, supra note 86, at ii–iv.
  114. National Cyber Strategy of the United States, supra note 16, at 7.
  115. Id. By sharing information, contractors can improve their security and avoid cyberattacks. Id.
  116. Id.
  117. Id.
  118. Nakashima, supra note 17.
  119. Ellen Nakashima, Israel Hacked Kaspersky, Then Tipped the NSA That Its Tools Had Been Breached, Wash. Post (Oct. 10, 2017), https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html?noredirect=on&utm_term=.d32c4eaa7f1e [https://perma.cc/V8VJ-KFXH]. Kaspersky is a popular antivirus software that is used worldwide. Perlroth & Shane, supra note 24. The program scans computers for malware or viruses, removes it if found, and then sends a report back to Kaspersky. Id.
  120. Perlroth & Shane, surpa note 24.
  121. Id.
  122. Id. Alarmingly, at least six federal agencies ran Kaspersky products on their networks. Nakashima & Gillum, supra note 26. Kaspersky is also widely used by state governments and private U.S. citizens. Matthew Rosenberg & Ron Nixon, Kaspersky Lab Antivirus Software Is Ordered off U.S. Government Computers, N.Y. Times (Sept. 13, 2017), https://www.nytimes.com/2017/09/13/us/politics/kaspersky-lab-antivirus-federal-government.html [https://perma.cc/3YJR-FAH6].
  123. Kaspersky Lab, Inc. v. U.S. Dept. of Homeland Sec., 311 F. Supp. 3d 187, 193 (D.D.C. 2018).
  124. Nakashima, supra note 119.
  125. See generally Binding Operational Directive 17-01: Removal of Kaspersky-Branded Products, Dep’t of Homeland Sec. (Sept. 13, 2017), https://cyber.dhs.gov/bod/17-01 [https://perma.cc/9JQQ-3JC3]. Binding Operational Directives are used “for purposes of safeguarding federal information and information systems.” Id.
  126. Id.
  127. Id.
  128. Kaspersky, 311 F. Supp. 3d at 198.
  129. Id.
  130. Id.
  131. Id.
  132. Id.
  133. Id.
  134. Id. The primary motivations for the BOD were that Kaspersky’s software required access to top secret U.S. information and that the software could be hacked to gain information. Id. at 199. Additionally, DHS officials were alarmed by Kaspersky’s ties to the Russian government. Id. at 199–200.
  135. Id. at 201.
  136. Id. at 201–02.
  137. Id. at 218–19. The court noted that the case lacked redressability; Kaspersky’s harms would not be redressed regardless of the outcome of the case. Id.
  138. See generally National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, 131 Stat. 1283.
  139. Id. § 1634, 131 Stat. at 1739.
  140. Kaspersky, 311 F. Supp. 3d at 203.
  141. Id.; Morgan Chalfant, Trump Officials Face Grilling from Lawmakers Over Russian Cyber Firm, Hill (Oct. 25, 2017), https://thehill.com/policy/cybersecurity/357210-trump-officials-grilled-by-lawmakers-over-russian-cyber-firm [https://perma.cc/EGM5-C969].
  142. Chalfant, supra note 141.
  143. Id.
  144. Kaspersky, 311 F. Supp. 3d at 203.
  145. Id. at 205. A bill of attainder is a law that “determines guilt and inflicts punishment upon an identifiable individual” without allowing for protection from the judicial process. Id.
  146. Id. (quoting Foretich v. United States, 351 F.3d 1198, 1217 (D.C. Cir. 2003)).
  147. Derek B. Johnson, Judge Upholds Government Ban on Kaspersky Products, Fed. Computer Week (May 30, 2018), https://fcw.com/articles/2018/05/30/kaspersky-lawsuits-dismissed.aspx [https://perma.cc/PC6D-Z6Q7].
  148. Kaspersky, 311 F. Supp. 3d at 206. To determine if a law is “punishment,” courts apply three distinct tests, which are weighted together. Id. The court found that Kaspersky did not meet any of the thresholds. Id.
  149. Id. at 207–08. Additionally, the loss of business that Kaspersky endured was not high enough because Kaspersky conducts business all over the world and its U.S. contracts are only a “tiny fraction of the company’s overall business.” Id. at 208.
  150. Id. at 211.
  151. Id.
  152. Id. at 215.
  153. See id. at 216–17.
  154. Masters, supra note 2.
  155. Eric Lipton et al., The Perfect Weapon: How Russian Cyberpower Invaded the U.S., N.Y. Times (Dec. 13, 2016), https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html [https://perma.cc/AE22-46SC].
  156. Id.
  157. Masters, supra note 2.
  158. Id.
  159. Id.
  160. Matt Zapotosky & Karoun Demirjian, Homeland Security Official: Russian Government Actors Tried to Hack Election Systems in 21 States, Wash. Post (June 21, 2017), https://www.washingtonpost.com/world/national-security/homeland-security-official-russian-government-actors-potentially-tried-to-hack-election-systems-in-21-states/2017/06/21/33bf31d4-5686-11e7-ba90-f5875b7d1876_story.html?utm_term=.a14dd201deb6 [https://perma.cc/M3JE-SVAY].
  161. Id.
  162. See id.
  163. Mary H. Kiraly, Opinion, Maryland Can’t Protect Its Elections, Wash. Post (July 20, 2018), https://www.washingtonpost.com/opinions/maryland-cant-protect-its-elections/2018/07/20/ee64beb0-89ce-11e8-a345-a1bf7847b375_story.html?utm_term=.8d8002db801e [https://perma.cc/M99B-6Y9E].
  164. Zapotosky & Demirjian, supra note 160.
  165. Matthew Cole et al., Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election, Intercept (June 5, 2017), https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/ [https://perma.cc/4G6E-VWPQ].
  166. Id.
  167. Id.
  168. Id.
  169. Id.
  170. Hawkins, supra note 7.
  171. See Wiggins, supra note 8.
  172. Letter from Ben Cardin & Chris Van Hollen, U.S. Sen., to Steven Mnuchin, Sec’y, U.S. Dep’t of the Treasury (Aug. 7, 2018), https://www.vanhollen.senate.gov/imo/media/doc/letter%20to%20sec%20mnuchin%20re%20Cfius%20review.pdf [https://perma.cc/KL48-HW2S] [hereinafter Maryland Senators Letter].
  173. Freed, supra note 8.
  174. Wiggins, supra note 8.
  175. Editorial Board, Surprise, Maryland—Your Election Contractor Has Ties to Russia, Wash. Post (July 22, 2018), https://www.washingtonpost.com/opinions/surprise-maryland--your-election-contractor-has-ties-to-russia/2018/07/22/fbe57058-8c4d-11e8-85ae-511bc1146b0b_story.html?utm_term=.fb1007bba470 [https://perma.cc/W92H-VMDE].
  176. Wiggins, supra note 8.
  177. Id.
  178. See Freed, supra note 8.
  179. Maryland Senators Letter, supra note 172.
  180. Id.
  181. Id. CFIUS is responsible for investigating foreign investments in U.S. companies that result in foreign control of the company. Id. If foreign control of a U.S. company causes a potential national security problem, CFIUS may require divestment. Id.
  182. Id.
  183. Id.
  184. Dep't of Homeland Sec., supra note 32.
  185. Id.
  186. Id.
  187. See Alfred Ng, DHS Election Cybersecurity Aid Draws Less than Half the States, CNET (Mar. 21, 2018), https://www.cnet.com/news/theres-low-turnout-for-the-dhss-election-cybersecurity-aid [https://perma.cc/7QEH-4CSW]. While the DHS offers cybersecurity assistance for all fifty states, as of March 2018, only nineteen had formally requested it. Id.
  188. See Dep’t of Homeland Sec., supra note 32.
  189. Id. at 6.
  190. Id.
  191. Id.
  192. Id. at 17–19.
  193. Id. at 17–18.
  194. Id. at 18.
  195. Id. The DHS has other programs that alert users to cyber and national security threats. Id. at 18–19.
  196. Id. at 13–17.
  197. Id. at 13–14.
  198. Id. at 15–17.
  199. Id. at 7–13.
  200. Id. at 10.
  201. Id. at 5.
  202. See Bluman v. Fed. Election Comm’n, 800 F. Supp. 2d 281, 288 (D.D.C. 2011), aff’d, 565 U.S. 1104 (2012).
  203. See supra Part II.A.1.
  204. Id.
  205. Id.
  206. Id.
  207. Id.
  208. See supra Part II.A.2.
  209. See supra Part II.A.1.
  210. FAR 9.5; Douglas P. Hibshman, Organizational Conflict of Interest (“OCI”)—What Is It?, Fox Rothschild LLP (Dec. 8, 2014), https://governmentcontracts.foxrothschild.com/2014/12/articles/false-claims-act/organizational-conflict-of-interest-oci-what-is-it[https://perma.cc/D5GW-UUEP]. An OCI exists when “work performed by a contractor on a federal contract may: (a) result in an unfair competitive advantage for the contractor; or (b) impair the contractor’s objectivity in performing federal contract work.” Id.
  211. See id.
  212. See id. For example, if a contractor were drafting contract specifications for an upcoming government procurement but also wanted to bid for the contract, a firewall between the personnel responsible for drafting the contract and the personnel in charge of the proposal would mitigate an OCI because the teams would not share information despite working within the same company. Id.
  213. Editorial Board, supra note 175.
  214. The Foreign Investment Review Modernization Act of 2018 broadens the authority of CFIUS to investigate foreign investments in U.S. businesses. See U.S. Dep’t. of the Treasury, Off. of Pub. Affairs, Fact Sheet: Final CFIUS Regulations Implementing FIRRMA (Jan. 13, 2020), https://home.treasury.gov/system/files/206/Final-FIRRMA-Regulations-FACT-SHEET.pdf [https://perma.cc/C4PP-GMA8]. One aspect of the new law is that “any transaction by or with any foreign person that could result in foreign control of a specified U.S. critical technologies business, or any covered non–control investment by a foreign person in such a U.S. business, is subject to mandatory notification to CFIUS.” Mandatory CFIUS Filings for Foreign Investment in Specified Critical Technologies Companies, Sullivan & Cromwell LLP (Oct. 18, 2018), https://www.sullcrom.com/files/upload/SC-Publication-Mandatory-CFIUS-Filings-for-Critical-Technology-Investments.pdf [https://perma.cc/R6SL-HBZ7].
  215. Incorporating election software contractors into the mandatory filing requirements from CFIUS and FIRRMA would alert CFIUS and state governments to any possibilities that foreign companies are participating in the U.S. election infrastructure.
  216. See supra Part II.A.
  217. See id. at Part II.A.2.
  218. 11 C.F.R. 110.20(g), (i) (2019).
  219. See supra Part II.B.
  220. See Deliver Uncompromised, supra note 86, at 15.
  221. See id. at 22–24; Dep’t of Homeland Sec., supra note 32, at 17–19.
  222. See Deliver Uncompromised, supra note 86, at 30; Dep’t of Homeland Sec., supra note 32, at 13–14.
  223. See Deliver Uncompromised, supra note 86, at 31.
  224. See Broder, supra note 102.
  225. See Deliver Uncompromised, supra note 86, at 18.
  226. See Mike Kelly, The Cyber Threat to the Public Sector: Considerations for Federal, State and Local Governments, J.P. Morgan (2018), https://commercial.jpmorganchase.com/jpmpdf/13207 44745539.pdf [https://perma.cc/U733-HHSY].
  227. See Dep’t of Homeland Sec., supra note 32.
  228. Federal statutes that apply to the states include the Civil Rights Act and the National Environmental Policy Act. See generally Richard Cole et. al., Reversing Directions: A Ranking and Comparison of Key U.S. Intergovernmental Events, 1960–1980 and 1980–1995, 26 Publius J. Federalism 25, 37 (1996).
  229. See Nakashima, supra note 17.
  230. See supra Part III.C.
  231. See supra Part II.B.
  232. See id. at Part II.A.2.
  233. See National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, §1634, 131 Stat. at 1739 (2017).
  234. See supra Part II.C.
  235. Perlroth & Shane, supra note 24; Editorial Board, supra note 175; Freed, supra note 8.
  236. Editorial Board, supra note 175; Nakashima & Gillum, supra note 26.
  237. Freed, supra note 8.
  238. Kaspersky Lab, Inc. v. U.S. Dept. of Homeland Sec., 311 F. Supp. 3d 187, 211 (D.D.C. 2018).
  239. Rosenberg & Nixon, supra note 122.
  240. Dustin Volz, Trump Signs into Law U.S. Government Ban on Kaspersky Lab Software, Reuters (Dec. 12, 2017), https://www.reuters.com/article/us-usa-cyber-kaspersky/trump-signs-into-law-u-s-government-ban-on-kaspersky-lab-software-idUSKBN1E62V4 [https://perma.cc/WJH8-JGR9].
  241. See FAR 52.204–23; National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, § 1634, 131 Stat. 1740.
  242. Kiraly, supra note 163.
  243. See supra Part II.A.2.
  244. See supra Part II.C.
  245. Id.
  246. Id.
  247. Id.
  248. Editorial Board, supra note 175; Wiggins, supra note 8.
  249. Joseph Marks, Kaspersky Software Found at 15% of Federal Agencies, Nextgov (Nov. 14, 2017), https://www.nextgov.com/cybersecurity/2017/11/kaspersky-software-found-15-federal-agencies/142533 [https://perma.cc/5CCT-BN4X].
  250. Freed, supra note 8.
  251. See supra Part II.C.
  252. Freed, supra note 8.
  253. See Hawkins, supra note 7 (stating that mere “fear of digital sabotage” is sufficient to erode confidence in election security).
  254. Dep’t of Homeland Sec., supra note 32.
  255. See generally R. Sam Garret, Cong. Research Serv., R45302, Federal Role in U.S. Campaigns and Elections: An Overview (Sept. 4, 2018) (summarizing the federal role in U.S. elections).
  256. Id. at 8.
  257. See id. at 21–22.
  258. See supra Part II.B.
  259. Rosenberg, supra note 6.
  260. See Masters, supra note 2. As discussed at length in this Note, U.S. democracy faces a myriad of threats, including hacking, disinformation, and other types of election interference by foreign entities. Id.
  261. Id.