President Donald Trump’s reluctance to punish Russia for meddling in the 2016 election — documented in detail in special counsel Robert Mueller’s report — has alarmed many cybersecurity experts, who have warned that, without action, the U.S. faces even greater threats in 2020.
Those concerns were heightened Wednesday by a report in The New York Times that detailed how Kirstjen Nielsen, then secretary of homeland security, had abandoned efforts to organize a Cabinet meeting to discuss how to protect the upcoming election because of Trump’s disdain for the topic.
Acting White House chief of staff Mick Mulvaney pushed back on the report, saying that the Trump administration “will not tolerate foreign interference in our elections, and we’ve already taken many steps to prevent it in the future.”
NBC News spoke with several former White House and government cybersecurity experts who said that while the Department of Homeland Security has taken a variety of steps to protect against foreign election interference, there is still much more that could be done if the federal government were fully committed to stopping it.
Their comments centered on five major areas:
Lead and coordinate
The U.S. election system includes federal agencies, state and local election offices, political parties and campaigns, and tech companies that each have a role to play in ensuring the integrity of the voting process.
And the White House should be the one to coordinate these groups and set priorities, said Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit coalition of cybersecurity companies.
Without that kind of coordination, agencies that see threats may not communicate with agencies that can thwart them — or they may fail to warn potential targets, such as local election officials and campaigns.
“It makes it a lot harder for the U.S. federal government to support state and local governments across the board,” said Daniel, who served as cybersecurity coordinator in the Obama administration.
R. David Edelman, director of the Project on Technology, the Economy and National Security at MIT’s Internet Policy Research Initiative, said that Homeland Security needs to coordinate the efforts of agencies in order to maximize federal resources addressing election meddling.
“DHS runs the risk alone of being consistently on the back foot, of being reactive, of fighting the last war, of preventing the last instance of meddling,” said Edelman, who was previously the special assistant to President Barack Obama on digital economy and national security issues. “What we need is to be more forward-looking, anticipatory and strategic, and that’s going to require more than just DHS.”
Support the state and local election system
Each U.S. election is made up of many smaller local elections, an approach that can be resistant to individual cyberattacks but susceptible to more targeted efforts.
With votes logged in thousands of places, hackers have a large number of relatively unsophisticated targets. And with presidential elections often decided by only a few districts in a handful of states, the prospect of election meddling becomes more pressing.
Theresa Payton, founder and CEO of security company Fortalice Solutions and White House chief information officer under George W. Bush, said that local and state election authorities often do not have the technical expertise necessary to counter sophisticated foreign actors.
She said that solving this talent gap and providing ongoing support and training would help make sure that vital information flows between federal and local groups.
“We’ve had a 20-year deficit in cybersecurity staff across governments and corporate America,” Payton said. “What I would love to see is an ongoing bootcamp ... that would be sharing of best practices, things that the government is seeing, things that the states are seeing, tips, tools, tricks, what’s working, what’s not working.”
April Doss, who spent almost 13 years as a lawyer at the National Security Agency, said protecting election infrastructure — much of which is made up of antiquated voting machines and tallying equipment — is something that the White House can help spearhead.
“Ideally what we would see is a really robust effort being led by the administration to pull together all of the resources and expertise needed to tackle that,” said Doss, who is currently chair of the cybersecurity and data privacy practice at the law firm of Saul Ewing Arnstein & Lehr in Baltimore.
Empower and protect campaigns
The most consequential cyberattack on the 2016 U.S. election was not on Facebook or a crucial piece of antiquated election infrastructure. It was on the Gmail account of John Podesta, Hillary Clinton’s campaign chairman.
Campaigns will remain the targets of attacks, and they can be particularly vulnerable, experts said. Thomas Kellermann, chief cybersecurity officer of the security firm Carbon Black, said major presidential campaigns should be offered digital protection, in much the way a candidate gets Secret Service protection upon becoming the nominee.
“The same amount of digital security must be provided to the campaign’s website ... and that should come out of DHS,” said Kellermann, who was a commissioner on the Commission on Cyber Security under Obama.
Other experts suggested that DHS could help put together a series of tools and resources for campaigns to use, noting that some agencies already provide a variety of recommendations on digital security. Those tools might also push candidates to begin taking cybersecurity more seriously from the start of their campaigns.
“It really does require a mindshift in how cybersecurity gets approached,” Doss said. “And that is a challenge because it requires an investment in resources but also requires getting people to think and behave in a different way.”
Put aside politics
The prospect of leaked documents looms over the 2020 election. The Democratic National Committee, along with many of the party’s candidates, has already pledged not to use hacked information for political gain, and has called for the Republican National Committee to do the same.
But a call from the White House for more candidates and even media outlets to agree not to use hacked materials could provide the kind of united front that helps ensure hackers don’t have incentive to attack campaigns.
The Trump campaign has already declined to promise to avoid using hacked materials, as has the RNC. Edelman questioned whether the media or the Trump administration would be willing to agree to those terms.
“Will we see the same commitment from mainstream media outlets?” Edelman said. “Will we see both parties commit not to make use of this stolen material?”
Payton noted that trying to depoliticize election security could also help improve relations between local and national politicians and agencies.
“It’s always tough because there’s politics with a lower-case ‘p’ and politics with an upper-case ‘P’ between state and federal [authorities],” Payton said.
Defensive actions, such as those cited above, are a crucial part of combating foreign election meddling, but the experts who spoke with NBC News also stressed the importance of a robust offensive operation by the U.S. that can make countries think twice before launching interference efforts.
Deterrence can take a variety of forms, from traditional government tools, like diplomatic efforts and economic sanctions, to more modern tools such as cyberweapons that can disrupt meddling attempts.
But deterrence must be a credible threat. With the Mueller report detailing Russia’s meddling effort, and the president not offering much in the way of consequences, the U.S. risks welcoming more meddling efforts.
“The No. 1 rule with the Russians is, when you get punched in the face, you have to punch back,” Kellermann said.