October 02, 2017

Proposal for 2018 Paris Sessions: Cybersecurity Best Practices in Elections

This is an excerpt from the program proposal submitted to the Planning Committee for the ABA 2018 Paris Sessions to be held June 7–10, 2018, at the InterContinental Grand Hotel in Paris. This proposed program will be an integral part of the overall 12 CLE sessions.

Program Appeal on an International Level: This program will appeal to a global audience and explore the cyber threat matrix around electronic political communication and voting systems and implications for the future of democracy. It will reflect favorably upon the American Bar Association as the leading voice of the legal profession in matters central to the rule of law, democratic fairness and equal access to justice.

Cybersecurity context of this subject: Actual and threatened cyber breaches in the electoral context have ranged from

  ►hackers who in 2016 orchestrated cyberintrusions into the Democratic National Committee’s database and emails;
  ►hackers who accessed the Illinois Board of Elections database of over 200,000 personal voter records including voter names, addresses, birthdates and other information;
  ►widespread concerns about the integrity of voting machines and the ability of hackers to exploit online vulnerabilities in America’s voting network comprised of software companies, online registration sites, and vital information that election officials send to each other via email;
  ►hacking attacks before the 2017 national elections in France that prompted remedial measures to be taken;
  ►the Netherlands’ return to a manual vote tally in 2017 over concerns that software in use for the past decade was no longer secure enough;
  ►the 2015 hacking of computers of parliamentarians in Germany that continue to use a tabulation system very similar to the one abandoned by the Netherlands in 2017;
  ►large-scale attacks on Estonia’s e-government infrastructure that brought down much of that country’s online infrastructure in 2007;
  ►hacking of elections in the Republic of Georgia in 2008 and 2012;
  ►hacking of Ukraine’s Central Election Commission website just days before the 2014 parliamentary elections that made the website unavailable while attempts were made to publish fake election results;
  ►the hacking of Bulgaria’s Central Election Commission during the 2015 referendum and local elections.

Need for Best Practices and Standards: There is a need on an international scale for clear standards and identification of best practices to manage and minimize the risks incident to cyber breaches that impact the electoral process. Cybersecurity best practices and mitigation strategies identified in the NCCIC/FBI’s December 29, 2016 Joint Analysis Report (“Grizzly Steppe – Russian Malicious Cyber Activity”), JAR-16-20296A, range from backups, risk analysis, staff training, vulnerability scanning and patching, regularly updating and patching production servers, application whitelisting, incident response, and business continuity, to restricting administrative privileges, network segmentation and segregation into security zones, input validation, file reputation, understanding and using firewalls to block attacks, and penetration testing, and much more.

Sponsorship to Date: The proposed program has the support of multiple ABA entities, including the ABA Section of State and Local Government Law (International Committee, Election Law & Reapportionment Committee) which has agreed to serve as the primary sponsoring ABA entity, and the following co-sponsoring entities:

  1. ABA Government and Public Sector Lawyers Division;
  2. ABA Section of Science and Technology Law;
  3. ABA Task Force on Cybersecurity;
  4. ABA Standing Committee on Election Law;
  5. ABA Senior Lawyers Division;
  6. ABA Section of Public Contract Law;
  7. ABA Young Lawyers Division;
  8. ABA Section of Administrative Law & Regulatory Practice;
  9. ABA Standing Committee on Disaster Response & Preparedness.

Panel: The panel for this proposed program shall consist of four persons including a moderator. Panelists will include Shalva Tskhakaia, International Federation of Electoral Systems (IFES), Republic of Georgia; Steve Zack, Partner in Boies Schiller Flexner and the first Hispanic American to assume the ABA Presidency; John Hardin Young, member of Sandler Reiff, ABA Senior Lawyers Division Chair, Past-Chair of ABA Standing Committee on Election Law, and past member of the Board of Governors; and Sven Kohlmeier, Member of Parliament of the City of Berlin (SPD), Fachanwalt für IT-Recht. The program will be moderated by Myles V. Lynk, Peter Kiewit Foundation Professor of Law and the Legal Profession, Sandra Day O’Connor College of Law, Arizona State University, and member of the ABA Board of Governors.

Session Length: The length of this session is 1.5 hours.

Program Content: We propose to use an innovative program format that will entail an interactive lecture, audience participation and specific case studies. One of the four speakers in this proposed program will cover the ethics component in a comprehensive fashion that focuses on cyberethics in the electoral context and incorporates the rules of professional conduct or codes of professional responsibility applicable to attorneys in domestic as well as international contexts. The program materials will be deliverable and replicated in digital as well as written (hard copy) format.

Possible Subtopics for Panel Discussion:

  1. Identification and management of global cyber risks in the electoral context;
  2. Cyberethics, accountability and assessment of the cyber threat environment in the electoral context;
  3. Securing voter registration data and election night reporting systems;
  4. Election security preparedness, access control, detection and data backup;
  5. Cybersecurity infrastructure, law and policy in the electoral context;
  6. The role of contractors in providing governmental entities with reliable security and equipment for elections;
  7. Cyber-risk management, investigation and enforcement across national borders, and intergovernmental cooperation and shared experience among different nations through election administration and law enforcement agencies;
  8. Political parties as recipients, targets or beneficiaries of cyber threats, and the regulatory and policy framework for prevention;
  9. Maintaining the security of aging voting technology.

Respectfully Submitted this 18th day of August, 2018.

Benjamin E. Griffith, Program Chair

E-mail: ben@glawms.com

Office mailing address: P.O. Box 2248, Oxford, MS 38655