Editor’s Note: Christopher Krebs served as the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Part of this op-ed is adapted from his written congressional testimony. The views expressed in this commentary are his own. View more opinion at CNN.
On Wednesday, I will testify before the Senate Committee on Homeland Security and Governmental Affairs. Though I am no longer a public servant, it remains an honor to serve the public, and I am proud to heed the call of our Senate leaders to tell the public about the methodology of the agency I led, the Cybersecurity and Infrastructure Security Agency (CISA), to secure the 2020 presidential election.
I joined the Department of Homeland Security in March of 2017. I believe, then and now, that the Russian Federation attempted to interfere in our 2016 election to disparage Hillary Clinton to the advantage of then-presidential candidate Donald Trump, as laid out in the 2017 Intelligence Community Assessment. Russia attempted to advance its candidate of choice and to corrode public faith in American democracy through cyberattacks and a coordinated disinformation campaign.
Our democratic institutions are facing targeted, calculated threats from without, and from within. This is why we prioritized election security as the primary focus of CISA. I made that mission clear at my confirmation hearing when I took an oath to defend the Constitution from enemies foreign and domestic. Our task was to work with state and local election officials to secure from hacking their election infrastructure, including the machines, equipment and information systems.
It was also central to our mission, and is still central to my own values, to protect the American public from disinformation warfare. This is why on November 12, CISA joined an election security community statement assuring people that “there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Today, this statement remains true, and I will continue to clarify and correct this onslaught of false information alleging systems interference where none has occurred.
Our initial strategy to secure the 2020 election centered on defensive measures against the kind of three-pronged Russian attack that was activated in 2016, targeting systems supporting elections, political candidates and public perception. Across the nation’s security agencies, there was unanimous agreement that we could not let it happen again.
Our planning was not just focused on preventing a repeat of the Russian 2016 efforts. We worked with partners in the intelligence community to anticipate diverse tactics that Russia, Iran, China and non-state cyber criminals could attempt to disrupt the election. We prepared for efforts that included a disinformation component, or what is known as a “perception hack,” in which the malicious actor either falsely claims a cyberattack that never happened or claims that an insignificant incident wreaked much more damage than it actually did. In these scenarios, which include the current false claims of voter fraud, those on defense are caught playing catch-up, trying to disprove a negative.
Disinformation targeting elections is one of the hardest problems that remains before the US government. While there are multiple ways to tackle disinformation, we viewed it as a “supply and demand” problem. Some government agencies sought to disrupt the supply of disinformation, but we worked to minimize demand by making the American people more critical of information they encountered in social and news media, and therefore more resilient to it. Ours was an effort to inoculate people from false information.
One innovation in our efforts to counter perception hacks was a program called “Rumor Control.” The idea was simple. We would share our scenario planning efforts with American voters in a straightforward, digestible way. In doing so, we could preempt disinformation campaigns and perception hacks by providing facts to help American voters make their own decisions. We were looking to protect the public from misleading disinformation before it took root and became perceived as true. This, and other measures to counter disinformation were successful in maintaining voter confidence and squelching false information before it spread. But these efforts must be fortified and properly funded to defend our information ecosystems from more aggressive, coordinated attacks in the future.
As Election Day came and went, we continued to monitor networks across the country and work with our partners, with them reporting any suspicious activity to us. As I said in a news briefing, Election Day was “just another Tuesday on the internet.” Normal sorts of scanning and probing were happening, but we did not see any successful attacks or damaging disruptions.
Unfortunately, as we moved on from November 3, we began to see wild and baseless claims of domestic origin, about hackers and malicious algorithms that flipped the vote in states across the country, singling out election equipment vendors for having ties to deceased foreign dictators. None of these claims matched up with the intelligence we had, based on reporting from election officials or how elections actually work in this country.
To address this scenario, we once again took to Rumor Control, to correct public perception by highlighting facts about security controls and checks in place that would prevent such attacks. Before, during and after the election, our team held regular briefings with congressional staff, political campaigns, and state and local election officials. I personally led member-level, unclassified phone briefings for both chambers of Congress. This was a continuation of our commitment to transparent, non-partisan work.
All authorities and elected representatives have a duty to inform themselves of these facts, and to reinforce them to the American people, as our team did, in the face of false allegations that election machines have been used to change millions of votes across the country. These claims are not only inaccurate and “technically incoherent” according to 59 election security experts, but they are also dangerous and only serve to confuse, scare and ultimately undermine confidence in the election.
To understand CISA’s relationship to the issue of fraud, it is important to define a key distinction between two issues that are often conflated, sometimes intentionally: the security of elections and election-related fraud. My team at CISA had lead responsibility for working with state and local election officials to secure from hacking the election infrastructure, including the machines, equipment and systems supporting elections. We also led a centralized, interagency effort among the National Security Agency, Office of the Director of National Intelligence, FBI and others at the federal level to combat the pernicious effects of disinformation campaigns on our elections. The FBI, state and local law enforcement are responsible for investigating voter fraud and other criminal election activity.
In order to maintain American resiliency, Congress and the incoming administration must continue to reinvent, fortify and fund the American defense on the battlefield of disinformation through both centralized and regionalized interagency cooperation.
Rumor Control was part of CISA’s collaboration with the FBI, and I urge the transition team and the FBI leadership to expand this program in order to remain resilient against increasingly aggressive threats from foreign state actors and private domestic interests. It is also critical going forward for CISA to designate and embed field personnel in each FBI field office. CISA is currently piloting that concept in a Southeastern US field office. I urge Congress to support and fund expansion of these critical FBI-CISA programs.
Moving forward, CISA should also augment its partnerships with the NSA Cybersecurity Directorate leadership by assigning a senior representative to Fort Meade to advise and consult.
Elections in this country are, and should continue to be, run by state and local officials as prescribed by state legislatures in accordance with congressional oversight. But they cannot do their jobs if they do not have adequate support, including a stable stream of funding from Congress so that election officials can work with state legislatures to craft budgets they can depend on to complete the critical transition to paper ballot systems, institute post-election audits, and to implement other appropriate infrastructure and personnel investments.
As foreign and domestic interests attack our democracy for political and financial gain, attempting to infiltrate American public opinion and confidence in our most sacred institutions, our elected representatives must now show true leadership in defending the people by defending the truth.