In late 2015, Russian government hackers targeted the Democratic National Committee (DNC) network, gaining access to emails, other communications, and opposition research on then-presidential candidate Donald Trump. This attack was part of a concerted effort by Russia to subvert and “sow discord” in the U.S. political system. This attack was not limited to political party networks: the Russians also attempted to hack into state election systems, illegally paid for political advertisements, and used trolls and fake social media accounts to spread disinformation and create controversy.
Despite consensus in the intelligence community that Russia deliberately sought to interfere in the 2016 presidential election, these accusations generated huge debate and media scrutiny because of the possibility of collusion between Russia and the Trump campaign. Following the election, several investigations were mired in delay and “intense media scrutiny.” To make matters worse, U.S. officials posit that Russia and other nations attempted to influence the 2018 midterm elections and continue to do so as the 2020 election approaches. The possibility of foreign interference in U.S. elections is frightening and discouraging to the voting public and has led to serious doubts about the safety and legitimacy of election systems.
These intrusions are not limited to hacking election systems and spreading disinformation. In the summer of 2018, the Federal Bureau of Investigation (FBI) notified the state of Maryland that one of its election contractors was owned by Russian nationals. The contractor in question handled voter registration, unofficial election night results, and other important data. The Department of Homeland Security (DHS) later found that this contractor did not compromise or interfere with Maryland’s elections. Nevertheless, state officials were concerned that this incident would undermine public trust in Maryland’s election software due to the appearance that foreign agents could influence Maryland’s election infrastructure.
There are three options the federal government could employ to combat foreign participation in election software contracts. First, the federal government could apply the same rules that restrict foreign participation in campaign finance to election contracts. Second, the federal government could extend the Pentagon security assessment factor (known as Deliver Uncompromised) to state election contracting. Third, the federal government could apply the Kaspersky model and ban foreign companies and their affiliates from all election contracts. This Note will discuss the advantages and shortcomings of each option before suggesting that a combination of options one and two is the best way to protect election infrastructure from foreign participation and possible cyberattack.
This Note focuses on the problem of foreign participation in election systems and contracts as well as increased cyber threats. But these threats are not limited to election systems. In 2007, hackers targeted several Department of Defense (DoD) contractors, including Raytheon and Boeing. Similarly, in 2011, hackers targeted a U.S. defense contractor and absconded with 24,000 DoD files. In 2014, Chinese operatives hacked the Office of Personnel Management contractor responsible for conducting background checks on individuals seeking security clearances. That same year, hackers targeted the DHS contractor responsible for security clearances, thus compromising employee information.
The list of attacks above is illustrative but not exhaustive of the cyberattacks against U.S. contractors in recent years. And cyberattacks have become more frequent. This trend has top policymakers and government officials concerned about security, particularly for the U.S. military and its contractors. As a result, the Pentagon will now base awards for weapons contracts on security determinations as well as the traditional criteria of cost, past performance, and schedule; this policy is called “Deliver Uncompromised.” Contractors with weak cybersecurity could, and often do, deliver compromised products. To combat this threat, the Pentagon will review a contractor’s ability to secure its software against cyberattacks before awarding weapons contracts.
This is a recent policy, and the White House has adopted a similar strategy. The National Cyber Strategy calls for improving federal supply chain security by punishing risky vendors whose technology is insecure and unreliable. The plan also calls for strengthening cybersecurity for federal contractors and mentions several ways to do so. These policies are hopefully just the first steps the government will take to promote cybersecurity.
It is encouraging to see that the federal government has taken active steps regarding cybersecurity and is moving in the right direction. In 2017, the federal government banned Kaspersky Labs (Kaspersky) antivirus software across all federal agencies based on Israeli intelligence that Kaspersky might provide “a back door for Russian intelligence.” The DHS and the National Security Agency (NSA) determined that Kaspersky posed security risks because cyber attackers could use its software maliciously. Since that determination, Kaspersky products have been banned from all civilian government agencies.
Clearly, the federal government is acting to safeguard its secrets from cyberattack, but these actions should extend to protect elections as well. Foreign interference in elections is a direct threat to democracy and national security. Democracy requires political participation and informed voters. In spreading disinformation and hacking into voting machines, Russian operatives have eroded the trust that U.S. citizens have in election security and in the information they hear.
The DHS has characterized U.S. election infrastructure as “a critical infrastructure subsector” because it is sufficiently “vital to the United States that [its] incapacity or destruction … would have a debilitating impact on security.” State contracts with election software companies are part of this vital structure. To address this issue, the federal government must consider and quickly enact laws that would impact the states.
Part II of this Note will provide background on the current laws regarding foreign participation in U.S. elections, Deliver Uncompromised, and the Kaspersky ban. Part III will discuss the attacks on the 2016 election, the issues with Maryland’s foreign election software contracts, and the current mechanisms for protecting elections. Part IV will discuss the three options stated above in terms of feasibility, strengths, and weaknesses. Finally, Part V will conclude that a combination of options one and two is the best solution to address this issue.
II. Background
Cybersecurity has become a major concern for the U.S. government, and U.S. cybersecurity capabilities must be strengthened to address this concern. This section provides background information on how cybersecurity issues have recently affected U.S. government procurement and elections. First, this section discusses the statutes that govern foreign participation in U.S. elections. Second, it discusses Deliver Uncompromised and the National Cyber Strategy. Third, this section describes the Kaspersky ban as an example of a government solution to curb foreign exploitation of U.S. secure networks.
A. Foreign National Ban on Campaign Spending
Foreign nationals are prohibited from a variety of election activities. This section discusses and explains the prohibition in terms of what foreign nationals can and cannot do regarding election activity. Policy reasons for the ban are also identified and discussed.
1. Statute
The Federal Election Campaign Act (the Act) makes up the body of U.S. campaign finance law and is administered and enforced by the Federal Election Commission (FEC). The FEC is an independent agency directed by six Commissioners and charged with reviewing disclosure reports from all federal political committees. The FEC interprets the Act and administers its various provisions concerning campaign spending. The Act promotes transparency in the political process and covers all aspects of campaign finance.
The Act and related FEC regulations generally prohibit foreign national involvement in U.S. elections. The term “foreign national” commonly refers to people who are not U.S. citizens or nationals, but also includes foreign governments, political parties, corporations, associations, and partnerships.
The Act makes clear that foreign nationals cannot participate in election activity. Specifically, foreign nationals cannot make contributions or donations of money or anything of value to U.S. elections at any level. They cannot make independent expenditures or disbursements in connection with an election. Further, they cannot contribute or donate to any political committee or organization. Foreign nationals are also banned from donating to presidential inaugural funds, and they cannot pay for electioneering communications. The FEC strictly enforces these provisions through enforcement actions or criminal prosecution.
The Act and FEC regulations also impose penalties on domestic actors that solicit or receive funds or aid from foreign nationals. It is prohibited to “knowingly solicit, accept, or receive” campaign contributions or donations from foreign nationals. Additionally, the prohibition extends to providing “substantial assistance” to a foreign national seeking to contribute to an election.
When a political committee receives a contribution that may be from a foreign national, it has two options. First, it can return the contribution to the contributor. Second, it can determine whether the contributor is actually a foreigner. If the contribution is from a foreign national, it must be refunded within thirty days of the discovery. If the political committee fails to do so, the FEC will bring an enforcement action and assess a penalty.
Finally, and perhaps most importantly, foreign nationals are prohibited from indirectly or directly participating in decisions involving elections or election activities. This means that they cannot direct, control, dictate, or take part in any decision regarding contributions and expenditures in connection with an election. They also cannot participate in the administration of a political committee.
Questions about foreign participation would most likely arise if a foreign company with a U.S. subsidiary were to make a separate segregated fund (SSF), also known as a political action committee (PAC). Foreign companies are allowed to do so but only if they meet certain standards. The parent corporation cannot “finance the SSF’s establishment, administration, or solicitation costs through the subsidiary.” Additionally, foreign nationals cannot be involved in the operation of the PAC, the selection of the PAC’s officers, or the decision-making process concerning contributions and expenditures. The PAC can make donations and contributions so long as they “are not financed in any part by the foreign parent” and “individual foreign nationals are not involved in any way” with the donation. For example, in FEC Advisory Opinion 2000-17, the Commission found that a U.S. subsidiary could establish an SSF because — although the board of directors included foreign nationals — the oversight committee for the SSF was comprised exclusively of U.S. citizens or permanent residents.
2. Policy reasons for the ban
Beyond the prohibitions outlined in the Act and accompanying FEC regulations, there are numerous policy reasons for the ban. Fear of foreign interference goes back to the founding of the United States. The Founding Fathers were concerned about the potential for foreign influence in the country and in the election process. Likewise, they discussed the danger of foreign interference in the Federalist Papers, at the Constitutional Convention, and in President Washington’s farewell speech.
The Founders feared that the United States, as a young nation, was susceptible to and would be weakened by foreign money and interests trying to insert themselves into the U.S. Government. The primary concern was with corruption, specifically undue influence and bribery. This concern manifested itself in the Constitution in several ways. For instance, most high offices within the U.S. Government have residency requirements because the Founders wanted to ensure that members of the government were not residentially tied to foreign nations. Fear of bribery led to clauses designed to limit corruption, including the Foreign Emoluments Clause, which prohibits any government office holder from accepting gifts from a foreign government.
This fear of foreign influence over U.S. politics continued from the founding of the country to present day. Congress acted several times during the twentieth century to remedy the situation. The Foreign Agent Registration Act (FARA), passed in 1938, “established disclosure requirements for certain kinds of political expression sponsored by foreign principals” and required foreign principals to register with the government in an attempt to prevent foreign influence in U.S. policy-making. In 1966, the FARA was updated to “make it a felony for a foreign principal to use an agent to make campaign contributions or for a candidate to solicit such contributions.”
The foreign national ban, originally part of the Act, was further updated in 2002 in the Bipartisan Campaign Reform Act (BCRA) in response to a scandal involving the 1996 presidential election where the DNC and President Bill Clinton’s campaign raised over $150,000 from foreign sources. In the aftermath, both the DNC and the campaign were heavily fined by the FEC for violating the foreign national ban, which provided the impetus for the 2002 update.
The constitutionality of the ban was subsequently challenged in the case Bluman v. FEC. Plaintiffs were foreign nationals who lived in the United States on temporary work visas. They wanted to “donate money to candidates in U.S. federal and state elections,” contribute money to political parties and groups, and make independent expenditures to advocate for particular candidates. The foreign national ban prohibited them from making such donations, so the foreign nationals sued, claiming the ban was unconstitutional.
In a decision later affirmed by the U.S. Supreme Court, the D.C. Circuit upheld the foreign national ban. The court examined the history of the foreign national ban, reviewing its enactment and subsequent updates in response to fears that foreigners would interfere with elections by contributing to candidates and engaging in other election activities. Using strict scrutiny, the court found that the foreign national ban served a compelling government interest because excluding foreigners from participating in U.S. “democratic political institutions” is part of the government’s duty to “preserve the basic conception of a political community.” Relying on precedent, the court explained that by limiting foreign participation in U.S. self-government, the government is preventing foreign influence in the political process.
B. Deliver Uncompromised and the National Cyber Strategy
Along with the Act’s ban on foreign election activities, an understanding of the DoD’s strategy to deal with cyberattacks is critical. This Note will argue that this strategy must be used to protect U.S. elections at the state level. U.S. military officials and national security experts are convinced that the U.S. supply chain is under attack. These attacks do not occur on U.S. soil nor do they claim the lives of U.S. citizens; instead, these attacks take place in cyberspace. The cyber incidents described earlier are just a few examples of the widespread efforts of foreign actors to disrupt and hamper the U.S. supply chain. U.S. adversaries are exploiting cyber weaknesses in the supply chain to steal technical data, attack “control systems used for critical infrastructure, manufacturing, and weapons systems,” and achieve unauthorized access to top secret defense systems and operations. In other words, the U.S. supply chain is vulnerable and at risk. A vulnerable supply chain means that the United States is not mission ready, which threatens U.S. national security. Alarmingly, the United States has “no comprehensive deterrence” for these cyberattacks.
The status quo may seem bleak, but the DoD is determined to remedy this situation through a policy called Deliver Uncompromised. Problems with the supply chain persist because products and technologies that require code are often attacked by U.S. adversaries who seek to steal intellectual property for their own use and sabotage certain systems through malicious code and other tools. Deliver Uncompromised seeks to end this by changing how weapons contracts are awarded. Instead of just analyzing cost, schedule, and past performance, the DoD will also consider security, assessing how well contractors keep their data and software secure. The DoD hopes that by making security a major factor in the acquisition process, contractors will improve their own security to receive contracts from the DoD and keep their products and networks secure.
Deliver Uncompromised outlines fifteen “Courses of Action” (COA) for the DoD to remedy supply chain vulnerabilities. The first COA is to “Elevate Security as a Primary Metric in DoD Acquisition and Sustainment.” Agencies would be required to consider security equally with cost, schedule, and performance when engaging in acquisition planning. The second COA calls for creating a National Supply Chain Intelligence Center that would gather and disseminate information about cyberattacks so that contractors can keep abreast of ongoing events and be alert for attacks on their systems. The DoD also wants contractors to share information among themselves and with the government, but contractors often resist information sharing for fear that it could expose them to liability. Accordingly, the report recommends “liability protection for contractors” as an incentive to share information. Another COA recommends having an independent entity constantly monitor supply chain systems for security risks. Yet another COA calls for using contract terms to ensure security of supply. By incorporating certain security requirements in the contract terms, the DoD seeks to incentivize good cybersecurity behavior and ensure that the products and services that it acquires are uncompromised.
But difficulties will arise with implementing this policy change. For instance, bolstering security will increase costs for contractors. Likewise, the increased costs will make it harder for subcontractors and small businesses to meet these security requirements. Tax incentives could mitigate this issue, allowing these smaller companies to maintain security and maintain the funds to compete in the procurement process. Similarly, the DoD must receive additional funding and promote the value in receiving uncompromised products. Furthermore, the DoD should provide incentives for contractors to improve their security. This is because contractors will need to proactively meet these increased security standards, as compliance issues arising from such standards will lead to more bid protests and litigation in general. Overall, Deliver Uncompromised seeks to improve supply chain security and force the contracting community to take security seriously.
Concurrently, the White House has a National Cyber Strategy that, while not as detailed as the DoD’s, essentially espouses the same goals. The plan is primarily concerned with sharing threat information with supply chain contractors. Additionally, the plan calls for streamlining supply chain security management to eliminate risky vendors. Finally, the plan calls for monitoring of contractor risk management techniques and security practices. Deliver Uncompromised and the National Cyber Strategy demonstrate a desire by the current administration and the DoD to end U.S. cyber vulnerabilities and to actively deter cyberattacks.
C. Government Bans Kaspersky Labs Through Binding Operational Directive and Legislation
The plans discussed above are partly the result of the following scandal. In 2015, Israeli intelligence discovered a Russian company, Kaspersky, using hacking programs that appeared to come from the United States. Specifically, the Israelis observed Russian government hackers searching the web for U.S. intelligence. Israel alerted the NSA, which conducted a search and found that classified material was stolen from an NSA contractor who used Kaspersky products on his computer. The NSA discovered that the Russian government was accessing Kaspersky antivirus software to search for U.S. classified information. Additionally, Kaspersky’s founder and CEO, Eugene Kaspersky, has close ties to the Kremlin, and the company itself is “subject to Russian laws that allow the Russian government to request or compel assistance from Russian companies.”
In 2017, the General Services Administration removed Kaspersky from its list of approved vendors, citing the possibility that computers with Kaspersky software could be compromised. Later that year, the DHS issued Binding Operational Directive 17-01 (BOD) that ordered all civilian agencies to remove Kaspersky software from their computers. The BOD gave the agencies ninety days to identify and remove all Kaspersky products from all “[f]ederal information system[s].” Importantly, the BOD only concerned Kaspersky software products, and it was limited to all executive agencies except for the DoD and the Intelligence Community.
The DHS laid out six reasons to justify the issuance of the BOD. First, some federal agencies used Kaspersky products, and Kaspersky sought to expand the use of its products and services to other agencies. Second, Kaspersky’s antivirus software enjoyed broad access to secure files and information that cyber attackers could exploit. Third, data from computers using Kaspersky software is sent to Kaspersky servers that can be accessed from Russia. Fourth, Russia already engaged in cyberattacks on the United States, and it is likely to continue its efforts. Fifth, Kaspersky and certain officers in the company have ties to the Russian government and its espionage services. Finally, Russia’s laws allow its intelligence apparatus to intercept communications moving through Russian networks and compel Kaspersky to assist the Russian government.
In response, Kaspersky claimed that it had no inappropriate relationship with the Russian government, that there was no evidence of wrongdoing, that the BOD was based on uncorroborated sources, and that the BOD violated its equal protection rights. After compiling more information and meeting with Kaspersky officials, the DHS nevertheless finalized the BOD for the reasons stated above. Kaspersky challenged the BOD in a U.S. federal court, which dismissed the case for lack of standing because the BOD was superseded by congressional action.
Days after the BOD was finalized, Congress and the President took further action in the National Defense Authorization Act for Fiscal Year 2018 (NDAA). The NDAA contained a provision that banned the use of Kaspersky products throughout the federal government. The ban superseded the BOD because it included all Kaspersky products, not just software, and it applied to all federal entities including the DoD and the Intelligence Community.
While the NDAA did not originally include the Kaspersky ban, members of Congress became very concerned in the months following the BOD. The House of Representatives held several hearings to obtain information on the potential risks associated with using Kaspersky products. Members of Congress from both parties pressed agency officials for an explanation as to why the DHS issued the BOD before sharing and addressing concerns about Kaspersky. Congress added the Kaspersky ban to the NDAA in response to these concerns.
Kaspersky filed suit alleging that the ban in the NDAA was unconstitutional because it comprised “a bill of attainder in violation of Section 9 of Article I of the United States Constitution.” U.S. Supreme Court precedent holds that “a law is prohibited under the bill of attainder clause ‘if it (1) applies with specificity, and (2) imposes punishment.’” Here, Kaspersky argued that (1) it was specifically targeted by the ban and (2) the ban sufficiently damaged its ability to do business in the United States to rise to the level of punishment.
The district court found that the ban did not constitute a bill of attainder because, while the law specifically targets Kaspersky, the company was not punished. Historically, the bill of attainder provision applied to individuals, and Kaspersky is a corporation. Furthermore, the law does not implicate the bill of attainder clause because Congress passed it for the nonpunitive purpose of “protecting the United States government’s information systems from the threat of Russian cyber-intrusion.” The court held that the ban performed a “prospective, risk-prevention function that is distinct from punishment” in that Congress — faced with the risk of cyberattack from Russia — acted rationally to protect national security. Finally, Congress was not motivated by a desire to punish Kaspersky when it passed the legislation. The court reasoned that the months of congressional hearings and investigations coupled with executive branch action to oust Kaspersky from its computers show that Congress passed this legislation to protect the United States from Russian cyber aggression.
In sum, the BOD and the Kaspersky ban came about based on the risks that Kaspersky presented to the safety of U.S. cyberspace. In dismissing Kaspersky’s two cases, the court upheld executive and congressional concerns about Kaspersky’s ties to the Russian government amid fears that U.S. national security was at risk. This episode illustrates that the government can take steps to safeguard U.S. secrets and security.
III. Foreign Interference and Participation in U.S. Elections
Beyond the Kaspersky affair, Russia engaged in a massive effort to disrupt the 2016 election. This section discusses the Russian attack on state election systems. Next, the section provides detailed information about the Russian-owned Maryland election contractor before summarizing the mechanisms already in place to protect U.S. elections from cyberattack.
A. Russian Hacking of State Election Systems in 2016
Russia disrupted the election in multiple ways. Russian agents hacked into the DNC network and filched thousands of emails belonging to party officials, Hillary Clinton campaign staff, and key supporters of her campaign. In the remaining months before the election, the Russians released the documents on WikiLeaks and other websites. Russian agents were also accused of conducting a social media “troll” campaign to spread disinformation. For instance, they posted false stories and posed as Americans to generate debate over divisive issues and provoke discord. Russian agents also bought political ads and staged political rallies.
The DNC hack and the social media “fake news” campaign are clear examples of Russia’s plan to disrupt the 2016 presidential election. However, Russia’s efforts were not limited to national elections; its agents also tried to hack into twenty-one state election systems. Importantly, these attempts did not affect the vote tallying mechanisms. Instead, the DHS described the attempted hack as a scan for vulnerabilities. The DHS refused to name the states involved, but reports indicate that Russia probed Maryland’s online absentee ballot delivery system. Russia also targeted Illinois’s and Arizona’s voter registration systems.
The NSA further described the extent of these cyberattacks on state election systems. The NSA report states that one voting software supplier was attacked and that at least 100 election officials were also targeted. These attacks purportedly happened a few days before the 2016 election. The Russians apparently targeted voter registration systems and sent phishing emails to individuals who were likely in charge of voter registration. The report did not conclude that these attacks were successful, and the NSA does not know if any data was compromised or lost. However, the damage may already have been done, as the public now perceives election systems as insecure and easily manipulated.
B. Foreign Participation in U.S. Elections: Maryland Example
Cyberattacks on state election systems have continued to be a problem even after the 2016 presidential election. In the summer of 2018, the FBI alerted Maryland officials, including Governor Larry Hogan, that a foreign national owned one of its election software contractors. The contractor, ByteGrid LLC (ByteGrid), is a U.S. company that runs Maryland’s “voter registration system, candidacy and election management system, online ballot delivery system and [the] unofficial election night results website.” The FBI and Maryland officials were concerned because ByteGrid is owned by AltPoint Capital Partners (Altpoint). Altpoint’s “fund manager is Russian, and its largest investor is a Russian oligarch named Vladimir Potanin,” a rumored associate of Russian President Vladimir Putin.
After receiving this information from the FBI, Maryland officials immediately reached out to the DHS for technical assistance in securing its election systems. Maryland officials also decided to make the information public “to inform other states about Russian involvement and to assure Maryland voters that they [were] working to ensure that the state’s elections [had not been] compromised.” The DHS eventually concluded that there was no breach or evidence of wrongdoing.
Despite no evidence of wrongdoing, Maryland’s officials and representatives in Congress were uneasy about Altpoint’s relationship with ByteGrid. Shortly after this story came to light, Maryland Senators Ben Cardin and Chris Van Hollen sent a joint letter to the Secretary of the U.S. Department of the Treasury. In the letter, the senators asked the Secretary to authorize the Committee on Foreign Investment in the United States (CFIUS) to review the business relationship between ByteGrid and Altpoint. The senators pointed out that foreign access to U.S. election infrastructure can give foreign governments access to information that could be used against the United States. They reasoned that because U.S. elections were previously threatened by foreign cyberattacks, foreigners investing in U.S. election infrastructure could potentially exacerbate the problem.
C. Current Mechanisms in Place to Protect Elections
In light of these potential problems, mechanisms are in place at the DHS to protect elections. Part of that agency’s mission is to “maintain public trust and confidence in America’s election system.” The DHS works with election officials across the country to fulfill its mission by offering a variety of resources concerning cybersecurity and threat identification. As state and local governments are ultimately responsible for their own election infrastructure, the DHS assumes a supporting role. Currently, states decide whether they want election security assistance from the DHS, with few asking for aid.
If a state reaches out to the DHS, the agency offers three types of assistance. First, it shares information about “electoral infrastructure incidents with state and local governments.” Second, the DHS provides assistance in discovering and neutralizing cyber threats to election systems. Finally, the DHS assists the owners of the election systems with cyber evaluations, risk management, and identification of strengths and weaknesses of the system.
The DHS has several information sharing programs about incidents that concern election systems. With Automated Indicator Sharing, the federal government, state governments, and the private sector share “cyber threat indicators” with each other. The Cyber Information Sharing and Collaboration Program allows the federal government and election infrastructure owners to share information about cyber threats and critical weaknesses. This program allows the government and election system owners to work together to understand cyber threats and how to prevent them.
The DHS likewise has several programs that improve cybersecurity by discovering and eliminating threats to election systems. For instance, the Continuous Diagnostics and Mitigation Program monitors the election system network and permits users to review the state of the network at any time, thus allowing for a swift response to any potential breaches. A separate program notifies network administrators of a breach and then works with them to contain and eliminate it, while another is dedicated to analyzing malware so that administrators can combat it.
Alongside threat elimination initiatives, the DHS offers a variety of cybersecurity assessment programs, which evaluate the organization’s cyber readiness. The DHS can also assess how well the system responds to threats like phishing scams. Overall, the DHS initiatives are designed to help state and local officials keep their election systems secure.
IV. Government Solutions to Eliminate Foreign Participation
Obviously, it is troubling that Maryland contracts with a company owned by foreign nationals for election software. By running election software, Altpoint is participating in the U.S. election process through its subsidiary, ByteGrid. The United States does not want foreigners participating in elections because such foreigners may have different interests and loyalties and it would be an intrusion in the U.S. “political community.” This incident is further proof that U.S. election systems are vulnerable. But what can be done? The federal government has three potential options to address this problem with Maryland. First, the federal government could extend the foreign national ban to election contracts. Second, the federal government could require that the states adopt increased cybersecurity standards similar to the Deliver Uncompromised plan. Third, the federal government could apply the Kaspersky model and ban the contractor. The government should implement options one and two in order to end foreign participation in U.S. election contracts.
A. Apply the Foreign National Ban to Election Contracts
The federal government should apply a variation of the foreign national ban that prohibits foreign nationals from engaging in certain election activities. Under the current foreign national ban, foreign nationals cannot contribute money or anything of value to candidates, campaigns, or political parties. Additionally, they cannot make decisions when it comes to election activity. If a foreign company with a U.S. subsidiary establishes a PAC, the foreign company cannot make any decisions for the PAC. Here, the federal government should make a similar rule regarding foreign national participation in election contracts.
First, there would be a total ban on foreign companies holding election contracts. This means that Altpoint could not have a U.S. election contract by itself. This facet of the plan would operate similarly to the current foreign national ban that prohibits foreigners from contributing money to campaigns or using funds “to expressly advocate for or against … a candidate.” The United States does not want foreign companies holding election contracts for the same reasons that it does not want foreign nationals participating in elections. The U.S. “political community” needs to be preserved and protected from foreign influence.
Second, if a foreign company with a U.S. subsidiary or a controlling interest in a U.S. company were to win an election contract, the foreign company could not make any decisions or take part in the performance of the contract. For example, ByteGrid could perform the contract provided that Altpoint remained separated. Altpoint could not know the details of the services provided by ByteGrid, and it certainly could not be privy to any data that ByteGrid were to receive from Maryland in performing the contract. ByteGrid would need to operate entirely independently of Altpoint. With strict FEC enforcement, this proposal is similar to the rules governing foreign companies with U.S. subsidiaries that operate PACs.
This approach is not without fault, as it is difficult to imagine a situation in which a foreign company would allow its subsidiary to acquire and carry out a contract without any data leakage. For example, it is concerning that data from Maryland’s election systems could leak to Altpoint. This proposal would address that concern by requiring ByteGrid or the U.S. contractor to have sole access to the data.
Third, the proposed ban should include a firewall provision to prevent data leakage. Firewall provisions are currently used to mitigate an Organizational Conflict of Interest (OCI). When a Contracting Officer identifies a potential OCI, they must determine how to mitigate or neutralize the conflict. One mitigation technique is to “create[] firewalls within the government and the contractor’s organization” to guarantee that the contractor does not access proprietary or competitive information and gain an unfair competitive advantage. Here, Altpoint and ByteGrid could establish a firewall to allow ByteGrid to perform the contract without data leakage to Altpoint.
This new rule requires additional clarification, but it nevertheless lays the foundation to restrict foreign participation in U.S. election contracts. Alarmingly, Maryland did not know that Altpoint owned ByteGrid until it was informed by the FBI. Under this new rule, the FEC and state officials would examine these contracts. Altpoint’s acquisition of ByteGrid, for instance, would have been noticed, and the contract would have to be modified to resemble the new rule. Conversely, a provision could be added that would require contractors to disclose if they have been acquired by a foreign company. Forcing contractors to disclose this information will provide added vigilance and awareness of any foreign participation in election contracts.
The foreign national ban makes clear that the United States does not want foreign nationals participating in elections, and this framework extends the ban to participation in election infrastructure. This proposed ban is more evenhanded than simply banning Altpoint, but nevertheless achieves the same result. Further, it demonstrates that the ban is not based on perceived wrongdoing, but rather reflects the United States’ desire to protect its “political community” from foreign participation and influence. Finally, the proposed ban could model its language and reasoning on that contained in BCRA and FEC regulations, thus accelerating its implementation. This option is highly advantageous given the approaching 2020 elections.
B. Require States to Adopt Versions of Deliver Uncompromised and the National Cyber Strategy
Likewise, when it comes to election contracts, the federal government should require states to adopt a version of Deliver Uncompromised and the National Cyber Strategy. This idea is straightforward. The states would have to put a new emphasis on security as they award their election system contracts. Furthermore, the states and the contractors themselves would have to monitor their systems for cyberattacks.
With this new rule, the states would telegraph their readiness to procure secure election software and increase their vigilance. Deliver Uncompromised and the National Cyber Strategy seek to shift the culture to a more careful scrutiny of supply chain contracts so that only secure products are delivered. By applying these same rules, state election officials would scrutinize their contracts more carefully and be sure to notice cyber incidents or foreign acquisitions concerning their contractors.
Specifically, the idea would be to require implementation of certain COAs from the Deliver Uncompromised plan at the state level. In line with the first COA, the states would elevate security relative to other selection criteria that they consider when soliciting election contracts. Essentially, states would consider the contractor’s ability to keep its data secure and to provide uncompromised services to the state. For information sharing, an independent agency or the DHS, which have programs in place to share threat information with participating states, could disseminate threat prevention techniques and share risk information to keep all states on alert. To better implement the COA concerning constant monitoring for cyber threats, states could use the DHS program that provides such monitoring of a state’s election system. Finally, states could implement these changes by adding certain cyber standards into the language of election contracts.
As seen at the federal level, difficulties may arise with implementing Deliver Uncompromised, some of which will be unique to the state level. There are cost and compliance concerns. For Deliver Uncompromised, the DoD will have to pay more if it expects contractors to devote significant resources to improving security. This is particularly salient at the state level because smaller states may not have the resources or funds to pay their election software contractors to improve security. Also, the state-level contractors may not have the resources to comply with all of the cyber standards that the states require.
States also face unique issues of authority and implementation. Is there a federalism issue? How would the states share threat information with each other? How would uniform cyber standards be applied to fifty different states, which may have different election systems? Finally, how could the federal government require the states to address these election concerns given that states are responsible for their own election systems?
While these concerns are valid, higher cyber standards are viable and necessary to address the problem of foreign participation in elections. First, several federal statutes have been adopted by the states. Second, this proposal only concerns election contracts, whereas Deliver Uncompromised and the associated cyber standards are aimed at federal supply chain procurements and involve culture changes in entire industries. State election officials could implement changes faster and at a lower cost because election contracts are a smaller field.
Additionally, some of the potential changes are already covered by the DHS. The DHS offers programs that monitor election systems for cyber threats, share threat information with the states, and provide assistance with combating malicious code and other cyberattacks. Using DHS programs as a starting point partly solves the problem of how states would share information or adopt uniform standards. States could be further along with increasing cyber standards for elections if they all accepted DHS assistance.
Ultimately, adopting higher cyber standards for election contractors is a good idea because it is already happening with the supply chain at the federal level. Additionally, heightened security within our election infrastructure will ensure that the election systems are well-defended and bolster public perceptions of election security. It also fits within the policy concerns of keeping U.S. elections secure and free from foreign participation.
C. Applying the Kaspersky Model
In lieu of options one and two, the federal government could apply the Kaspersky model by banning Altpoint and its subsidiaries from election contracts. This ban would mirror the Kaspersky ban by excluding Altpoint due to the risk that malicious foreign actors might access or alter data from Maryland’s election systems.
There are several similarities between Altpoint and Kaspersky. First, like Kaspersky, Altpoint is a Russian-owned company. Second, Altpoint’s largest investor has close ties to the Kremlin, similar to Kaspersky’s founder and CEO. Third, Altpoint’s motives and capabilities are suspect. This concern is warranted because it is not difficult to imagine that Altpoint could access Maryland’s election data through ByteGrid. Importantly, while there was no evidence of wrongdoing, the risk of data leakage raises concerns about the potential for foreign agents to compromise the data. In Kaspersky v. DHS, the court found a sufficient risk of foreign access to U.S. top secret information to justify the Kaspersky ban, which would protect U.S. classified networks. The similarities between Altpoint and Kaspersky suggest that a ban is appropriate here.
This option is advantageous because it could be done relatively quickly. When the DHS issued the BOD in September 2017, agencies were given ninety days to remove Kaspersky products from their computers. Three months later, President Trump signed the NDAA ban into law. A ban on Altpoint should be similarly expeditious. Additionally, the FAR and NDAA already contain the language used for the Kaspersky ban, making it efficient to use similar language to ban Altpoint. In short, a general ban on Altpoint for election contracts would move swiftly.
Finally, the policy reasons for restricting foreign participation in U.S. elections are equally compelling here. Altpoint should not have this contract because the contract allows the company to participate in and potentially manipulate U.S. election infrastructure. Russia attempted to hack into that infrastructure before the 2016 election, targeting Maryland in the process. Altpoint’s election contract in Maryland goes against policy concerns of “preserving a political community” from foreign influence.
Despite the advantages of an Altpoint ban, it is not the appropriate remedy to the problem. Before Kaspersky was banned, experts thought for years that the company provided a “backdoor for Russian intelligence.” After receiving alerts from Israel, U.S. intelligence officials discussed the matter and investigated Kaspersky’s software and potential ties to the Kremlin. Additionally, before finalizing the BOD and passing the NDAA, the DHS and Congress engaged in a comprehensive fact-finding effort with hearings, investigations, and briefings from intelligence experts. The Kaspersky ban was the result of years-long suspicion followed by a two-year investigation. In the Maryland case, the FBI only discovered that Altpoint owned ByteGrid in 2018. The investigation into this issue has not been as robust and substantive as the Kaspersky matter.
Another difference between Altpoint and Kaspersky is the breadth of their government business in the United States. So far, Altpoint is only involved in this single election contract. By contrast, Kaspersky products were running on the computers of fifteen percent of federal agencies. Kaspersky’s prevalence within federal networks rendered the risk pervasive, whereas Altpoint had only one contract in Maryland. The risk here is not as clear as it was for Kaspersky. Furthermore, there has been no evidence of wrongdoing by Altpoint. With Kaspersky, the investigation showed evidence of a breach, but in Maryland, the DHS found no such evidence. It would be unfair to ban Altpoint without evidence of wrongdoing.
However, when foreigners participate in U.S. elections, the fear is that they may assert influence and cast doubt on the security of elections. Furthermore, there is risk in allowing Altpoint to have this contract. With that in mind, action must be taken to prevent foreign companies from participating in U.S. elections through election contracts. But a flat-out ban on Altpoint would be unfair and would not prevent similar foreign companies from conducting election activity in the future.
D. Looking to November
The Maryland problem is best solved by a combination of options one and two. The federal government should extend the foreign national ban to state election contracting and enforce increased cyber standards for election contractors. However, the issues regarding election contracts exist at only the state and local level. Problems with the federal supply chain demand a federal response that will apply across the federal government. But here, the federal government would have to pass legislation that applies to all the states, which would be more difficult. Congress is responsible for the campaign finance laws in the United States, and those statutes apply to the states as well. Currently, Congress appropriates some money to the states for election infrastructure. Congress could pass a statute or appropriations bill that would codify the foreign national ban and increase cybersecurity standards for election contracts. Since election contracts are such a small aspect of state power, states are not likely to bring a federalism challenge.
Alternatively, Congress could create a dedicated agency or delegate authority to an existing agency to implement these solutions. For instance, the DHS is uniquely situated to do so since it already offers voluntary aid to state election departments. Congress could make participation in the DHS’s programs mandatory and give the agency the authority to promulgate uniform cybersecurity standards for election systems.
However these solutions are implemented, action must be taken. The government is currently addressing the problem of supply-chain security with various statutes and programs designed to improve cybersecurity and eliminate the weaknesses in U.S. procurement processes and networks. This same energy must be devoted to the issue of keeping U.S. election systems secure and free of foreign participation. The next presidential election is a few months away and, if history is any indication, it is highly likely that Russia and other nations will attempt to interfere. These steps require immediate implementation to safeguard U.S. election infrastructure from foreign interference and allow the American public to regain trust in election security.
V. Conclusion
U.S. elections are in danger. The 2016 election saw unprecedented levels of foreign participation, and there is no evidence that Russia will cease its malicious activity. Something must be done to safeguard U.S. elections and end foreign participation in U.S. election systems. The most effective method to exclude foreign companies from participating in U.S. election infrastructure is to ban foreign participation in election contracts and focus on cybersecurity when awarding these contracts. The ban on direct participation by foreign companies and a separation between U.S. subsidiaries and their foreign parent will ensure that state voting data does not fall into foreign hands. A new focus on cybersecurity will ensure that states stay vigilant to issues arising with their election system contractors. Whatever is done, the federal government and the states must work together to safeguard U.S. election systems and protect American democracy.