Michael Garcia is the director for external outreach and engagement for Task Force 2 at the U.S. Cyberspace Solarium Commission. The author wrote this post in his personal capacity and comments within this post do not reflect the opinion of the U.S. Cyberspace Solarium Commission.
With the election season fully underway, the recent stories of voting application security blunders are a reminder of just how susceptible elections are to technological flaws and vulnerabilities. The IowaReporterApp and an app made by Voatz, which allowed voters to cast votes remotely, have both been found to have security vulnerabilities that malicious actors could have exploited. While the decision for deploying these apps sometimes rests with a state’s political party (e.g., Iowa Democratic Party), the onus of preparing for a cyber incident against election infrastructure, and potentially responding to one, falls squarely on states. Increasingly, states are relying on one of their oldest and most reliable assets: the National Guard (the Guard).
A greater reliance on the Guard, however, raises serious policy questions: What activities should the Guard perform to secure elections? Who bears the burden of financing those activities? And, more important, is this a sustainable solution to protecting the Nation’s elections?
The public’s interaction with the Guard conjures up images of military-garbed personnel preparing sandbags for a hurricane or conducting search and rescue operations in the wake of a natural disaster. States have, however, recently activated Guard units to respond to cyber incidents that have impacted state and local networks. Most notably, Texas activated fifty Guard members to assist twenty-two cities and counties to recover from a ransomware attack. Those fifty Guard members comprise a small part of the 3,900 cyber personnel in the Guard that are spread across the country.
Before describing how states use the Guard for election security, a primer on how the Guard operates will be useful. While the Guard is a component of the Department of Defense (DOD), the governor of each state acts as the Guard’s Commander in Chief. As a result, the Guard can be “activated” in:
- State Active Duty (SAD) Status, wherein the Guard is controlled by the governor, performs activities for the state, and is reimbursed by the state;
- Title 32 Status, wherein the Guard is controlled by the governor, performs federal or shared federal-state activities, and is reimbursed by the federal government; and
- Title 10 Status, wherein the Guard is controlled by the president, performs federal activities, and is reimbursed by the federal government.
There are also some specific cyber restrictions applied to the Guard. According to the National Guard Bureau’s (NGB) 2019 Domestic Operations Law and Policy, “DoD rules generally do not apply to SAD personnel…[however] Some of the cyberspace equipment or programs may be limited to federal use for federal systems and therefore would not be authorized for State use in a [SAD] status or outside of the [Department of Defense Information Network].”
Yet if the Guard is activated under SAD status and is not using certain “cyberspace equipment,” a governor retains the authority to use the Guard as they so choose. In fact, the DOD issued a non-public memorandum on how Guard units can “coordinate, train, advise, and assist” for cybersecurity-related activities outside of the DOD. Further, the Chief of the NGB said that cybersecurity is “just another military skill set that we have that can be used,” and that “[e]lection network security is a very state-centric thing. We’re an additive measure that can augment state response entities … and we’re trying to grow it.”
With these assets and authorities, twenty-seven states activated units in 2018 to assist election officials in protecting elections. In Illinois, Guard members scanned networks for suspicious activities and offered initial fixes, when necessary. Colorado Governor Jared Polis signed an executive order to provide “election cyber support” to the state’s secretary of state. Washington’s secretary of state signed a memorandum of understanding (MOU) in 2018, and then again in 2020, between her office and the Guard to “conduct ongoing cybersecurity assessments of the state’s elections infrastructure, monitor activity during the election cycle, and fine-tune response plans in the event of a cyber attack.”
Most recently, the Governor of Ohio signed a law creating a “cyber security reserve” force within the National Guard to “educate and protect state, county, and local government entities, critical infrastructure, including election systems, businesses, and citizens of this state from cyber attacks [emphasis added].”
Using the Guard, however, is not free. Under SAD status, the state is responsible for paying for these activities. Ohio tackled this by appropriating $650,000 for Fiscal Years 2020-21 to support their new cybersecurity reserve in the Guard. Washington, on the other hand, plans on using funds from the Help America Vote Act (HAVA) to support their 2020 MOU, and joins forty other states who are using these funds to improve election security (Note: it is unclear how many states are using these funds to support Guard activities).
Bolstering the Guard’s capacity is useful, but there are opportunity costs. Spending state general and HAVA funds means that they cannot be spent for other preventive measures, such as expanding employee cybersecurity training and purchasing updated voting machines. While a crude analogy, it is akin to spending money to bolster fire fighters’ capacities to fight wildfires rather than spending money on policies to prevent wildfires in the first place. Both are necessary, and both have their pros and cons. If the Guard is the answer, the question arises if states should bear the sole burden of enhancing and sustaining their capacities through SAD status? Or should the cost be co-shared with the federal government through Title 32 operations?
Regardless of the answer to these questions, one thing is certain: states will deploy the National Guard in 2020 to secure our elections. It is not too late to address these issues and make changes, if necessary, but time is of the essence. The election is approaching quickly.