Former Secretary of Homeland Security Jeh Johnson testified Wednesday before the House Intelligence Committee as part of the House investigation into Russian interference in the 2016 election. Much of the hearing focused on Johnson’s decision, announced on January 6, to designate election infrastructure as “critical infrastructure.” Both Rep. Mike Conaway (R-TX) and Rep. Joaquin Castro (D-TX) questioned whether that designation includes political parties, and Johnson repeatedly clarified that it does not.
It might seem obvious that political parties and campaigns should be covered as critical infrastructure. After all, it was the hack of the Democratic National Committee (DNC) that started the Russian hacking scandal. But the question of whether to include political parties and related entities as critical infrastructure is tied into the broader, ongoing debate about how to treat information operations designed to influence democratic elections. That’s a harder question than simply whether political entities are critical infrastructure or not.
When asked why designating election infrastructure as critical infrastructure was important, Johnson gave three reasons. He explained first that “critical infrastructure receives a priority in terms of the assistance [DHS] give[s] on cybersecurity,” and second that communications between critical infrastructure and DHS receive “a certain level of . . . confidentiality.” Johnson’s third reason goes to the international implications of the designation. He explained, “[W]hen you’re part of critical infrastructure, you get the protection of the international cyber norms. Thou shalt not attack critical infrastructure in another country.”
Johnson is right to emphasize that the designation isn’t purely a domestic issue, but rather one with international implications. As I argued last summer, specifying what counts as critical infrastructure is an important step toward adding substance to the broad peacetime norm against attacking critical infrastructure that the United States, Russia, China, and other members of the U.N. Group of Governmental Experts (GGE) agreed to in 2015. Announcing that the United States considers election infrastructure to be critical infrastructure is a way of telling foreign governments to back off, making clear that the United States will consider interference with election infrastructure to be a violation of the norm that could bring political or possibly legal consequences.
Given this implication of designating infrastructure as “critical,” designating political parties and campaigns as critical infrastructure has some intuitive appeal. Political parties and campaigns have been the victims of hacks that then facilitate influence operations. And this has happened not just in the United States, but also in France. On the eve of the French presidential election, now-President Emmanuel Macron’s campaign suffered a massive hack, resulting in the release of actual and fraudulently altered campaign documents in the days immediately preceding the vote.
Read the full post at Just Security.
Source: Cyber Law
Source: Privacy Online