Jedidiah Blake II (firstname.lastname@example.org) is a third-year law student at The George Washington University Law School and served as the Senior Notes Editor for the Public Contract Law Journal for the 2019 – 2020 academic year. He would like to thank Professor Sonia Tabriz, Meghan McConnell, and Roxanne Cassidy for their assistance during this process. Additionally, he would like to thank his family for their love and prayers.
U.S. elections are under attack. U.S. officials have confirmed that Russian hackers attempted to subvert the 2016 presidential election. Russians hacked into the Democratic National Committee network and released thousands of documents. They used social media to spread disinformation and attempted to hack state voting systems. While investigations were ongoing following the election, the FBI discovered that one of Maryland’s election software contractors was owned by a Russian company. This discovery presents a unique problem about how to react to foreign participation in U.S. election infrastructure. This Note considers two contracting options and one option borrowed from election law. The first option is to apply the foreign national ban from campaign finance law to election contracts. Another option is to apply the new DoD security assessment “pillar” to election contracts. The third option is to ban the company at issue in Maryland, similar to the ban on Kaspersky. The best solution, however, is a combination of the first and second options because they are in keeping with policy ideals of fairness and the preservation of the United States’ “political community.”
In late 2015, Russian government hackers targeted the Democratic National Committee (DNC) network, gaining access to emails, other communications, and opposition research on then-presidential candidate Donald Trump.1 This attack was part of a concerted effort by Russia to subvert and “sow discord” in the U.S. political system.2 This attack was not limited to political party networks: the Russians also attempted to hack into state election systems, illegally paid for political advertisements, and used trolls and fake social media accounts to spread disinformation and create controversy.3
Despite consensus in the intelligence community that Russia deliberately sought to interfere in the 2016 presidential election, these accusations generated huge debate and media scrutiny because of the possibility of collusion between Russia and the Trump campaign.4 Following the election, several investigations were mired in delay and “intense media scrutiny.”5 To make matters worse, U.S. officials posit that Russia and other nations attempted to influence the 2018 midterm elections and continue to do so as the 2020 election approaches.6 The possibility of foreign interference in U.S. elections is frightening and discouraging to the voting public and has led to serious doubts about the safety and legitimacy of election systems.7
These intrusions are not limited to hacking election systems and spreading disinformation. In the summer of 2018, the Federal Bureau of Investigation (FBI) notified the state of Maryland that one of its election contractors was owned by Russian nationals.8 The contractor in question handled voter registration, unofficial election night results, and other important data.9 The Department of Homeland Security (DHS) later found that this contractor did not compromise or interfere with Maryland’s elections. Nevertheless, state officials were concerned that this incident would undermine public trust in Maryland’s election software due to the appearance that foreign agents could influence Maryland’s election infrastructure.10
There are three options the federal government could employ to combat foreign participation in election software contracts. First, the federal government could apply the same rules that restrict foreign participation in campaign finance to election contracts. Second, the federal government could extend the Pentagon security assessment factor (known as Deliver Uncompromised) to state election contracting. Third, the federal government could apply the Kaspersky model and ban foreign companies and their affiliates from all election contracts. This Note will discuss the advantages and shortcomings of each option before suggesting that a combination of options one and two is the best way to protect election infrastructure from foreign participation and possible cyberattack.
This Note focuses on the problem of foreign participation in election systems and contracts as well as increased cyber threats. But these threats are not limited to election systems. In 2007, hackers targeted several Department of Defense (DoD) contractors, including Raytheon and Boeing.11 Similarly, in 2011, hackers targeted a U.S. defense contractor and absconded with 24,000 DoD files.12 In 2014, Chinese operatives hacked the Office of Personnel Management contractor responsible for conducting background checks on individuals seeking security clearances.13 That same year, hackers targeted the DHS contractor responsible for security clearances, thus compromising employee information.14
The list of attacks above is illustrative but not exhaustive of the cyberattacks against U.S. contractors in recent years.15 And cyberattacks have become more frequent.16 This trend has top policymakers and government officials concerned about security, particularly for the U.S. military and its contractors.17 As a result, the Pentagon will now base awards for weapons contracts on security determinations as well as the traditional criteria of cost, past performance, and schedule; this policy is called “Deliver Uncompromised.”18 Contractors with weak cybersecurity could, and often do, deliver compromised products.19 To combat this threat, the Pentagon will review a contractor’s ability to secure its software against cyberattacks before awarding weapons contracts.20
This is a recent policy, and the White House has adopted a similar strategy.21 The National Cyber Strategy calls for improving federal supply chain security by punishing risky vendors whose technology is insecure and unreliable.22 The plan also calls for strengthening cybersecurity for federal contractors and mentions several ways to do so.23 These policies are hopefully just the first steps the government will take to promote cybersecurity.
It is encouraging to see that the federal government has taken active steps regarding cybersecurity and is moving in the right direction. In 2017, the federal government banned Kaspersky Labs (Kaspersky) antivirus software across all federal agencies based on Israeli intelligence that Kaspersky might provide “a back door for Russian intelligence.”24 The DHS and the National Security Agency (NSA) determined that Kaspersky posed security risks because cyber attackers could use its software maliciously.25 Since that determination, Kaspersky products have been banned from all civilian government agencies.26
Clearly, the federal government is acting to safeguard its secrets from cyberattack, but these actions should extend to protect elections as well.27 Foreign interference in elections is a direct threat to democracy28 and national security.29 Democracy requires political participation and informed voters.30 In spreading disinformation and hacking into voting machines, Russian operatives have eroded the trust that U.S. citizens have in election security and in the information they hear.31
The DHS has characterized U.S. election infrastructure as “a critical infrastructure subsector” because it is sufficiently “vital to the United States that [its] incapacity or destruction … would have a debilitating impact on security.”32 State contracts with election software companies are part of this vital structure. To address this issue, the federal government must consider and quickly enact laws that would impact the states.
Part II of this Note will provide background on the current laws regarding foreign participation in U.S. elections, Deliver Uncompromised, and the Kaspersky ban. Part III will discuss the attacks on the 2016 election, the issues with Maryland’s foreign election software contracts, and the current mechanisms for protecting elections. Part IV will discuss the three options stated above in terms of feasibility, strengths, and weaknesses. Finally, Part V will conclude that a combination of options one and two is the best solution to address this issue.
Premium Content For:
- Public Contract Law Section