DOD Has Enduring Role in Election Defense

Voting has begun for the 2020 presidential election primary season — but it’s not the beginning of the U.S. government’s defense against foreign interference and influence in our elections.

At the Reagan National Defense Forum in December 2019, Army Gen. Paul M. Nakasone, U.S. Cyber Command commander and director of the National Security Agency, laid out the Defense Department’s role in election security. “We began the ability for us to defend the presidential elections not today, not six months from now. We began it the day after the midterm elections,” he said, “We have not let up in terms of our ability to understand what our adversaries are doing.”

The Defense Department plays an important role in that whole-of-government partnership, spearheaded by the NSA and Cybercom’s Election Security Group, formed in the wake of the successes of the Russia Small Group during the 2018 midterms.

David Imbordino, the NSA election security lead, and Army Brig. Gen. William Hartman, Cybercom’s election security lead and commander of Cyber National Mission Force, co-lead the joint Election Security Group. Its purpose is to align the two organizations’ resources, efforts and actions to disrupt, deter and degrade adversaries’ ability to interfere and influence the U.S. elections.

“The biggest success out of 2018 wasn’t the 2018 midterms,” Hartman said. “The biggest success was we put in place, both organizationally and from a business practice standpoint, a focus on an enduring mission to protect the democratic process.”

The Election Security Group’s primary objectives are to generate insights on foreign adversaries that lead to improved cyber defenses and to impose costs on countries that seek to interfere. It directly supports partners, such as the Department of Homeland Security and the FBI, by collecting, declassifying and sharing vital information to enable agencies’ efforts in election security.

“[The FBI will] engage with social media companies,” Imbordino said. “That information can enable a social media company to then use their platform, where they have very unique insights that we don’t have, to mitigate and potentially unravel [malicious] social media influence campaigns.”

When NSA and Cybercom see a cyberattack happening against a certain victim, they communicate that information to appropriate government offices, which, in turn, work with private-sector partners to provide notification and enable future cyber defense.

“We look at adversary meddling in an election on two different fronts. One is covert influence, and then there’s interference,” Imbordino said. “For interference, what we’re talking about is an adversary trying to go change a vote total, targeting election infrastructure, voter rolls. Influence is more of the social media component of trying to influence public opinion.”

“It’s not enough to just know and understand what our adversaries are doing,” he continued. “The nation expects us to do something about it. Enabling our partners with the right information at the right classification level they need to take action to defend our democracy against these threats is essential and allows all of the tools of the government to be employed in this fight.”

Guiding all of Cybercom’s efforts is their underlying framework for the continuous execution of cyberspace operations, known as persistent engagement — the concept of constant contact with adversaries in cyberspace, engaging beyond DOD networks to “defend forward,” officials said, noting that persistent engagement enables Cybercom to be postured to impose cost against foreign malicious actors before they reach the homeland.

An example of persistent engagement in action is “hunt forward” operations that involve deploying defensive cyber teams around the world at the invitation of allies and partners to look for adversaries’ malicious cyber activity. These teams send insights back from these missions, enabling defense for U.S. and partner networks, and providing real-time situational awareness for Cybercom to better protect the nation from foreign attacks in cyberspace.

“In a hunt forward operation, we are able to work with partner nations and receive an invitation to execute operations in their country,” Hartman said. “These are generally countries that are in the near abroad of adversaries that we’re potentially concerned about.”

Hunt forward operations produce detailed information identifying risks and threats to critical infrastructure, networks and data. These insights will enable the U.S. to detect and defend against potential cyber threats to the upcoming 2020 elections, he explained.

If malware is discovered on hunt forward operations, Cybercom can publicize malicious software through antivirus portals, imposing costs of time, money and access on the adversary.

Another way the combined Cybercom and NSA Election Security Group enables defense is through the National Guard Bureau.

National Guard members supporting their state and local elections have the ability to share information to various organizations within the Election Security Group. The group will then use national-level intelligence to assess whether there is a foreign threat before providing that information to the National Guard, DHS and FBI.

“The primary way that we work with the states is really working by, with and through DHS and FBI, which is absolutely a critical component of how we interact,” Hartman said. “And the National Guard is present in all 50 states, three territories, and District of Columbia, which allows us to potentially look at something that may be occurring in the United States and see if we can track that activity to any foreign actor or to any foreign space.”

As election security continues to be an enduring mission of the DOD, national security officials stress the importance of allowing Americans to exercise their right to vote — a vote cast is a vote counted.

Defense.gov (February, 2020) DOD Has Enduring Role in Election Defense