We brought together a panel of more than 100 cybersecurity leaders from across government, the private sector, academia and the research community for a new feature called The Network — an ongoing, informal survey in which experts will weigh in on some of the most pressing issues of the field. (You can see the full list of experts here.) Our first survey revealed deep concerns that states aren’t prepared to defend themselves against the types of cyberattacks that disrupted the 2016 presidential election, when Russian hackers targeted election systems in 21 states. “We are going to need more money and more guidance on how to effectively defend against the sophisticated adversaries we are facing to get our risk down to acceptable levels,” said one of the experts, Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus. Congress in March approved $380 million for all 50 states and five territories to secure their election systems, but Langevin says he wants more. He introduced legislation with Rep. Mark Meadows (R-N.C.) that would provide election security funding to states if they adhere to new federal guidelines for identifying weaknesses in their systems and auditing election results. “I hope Congress continues to work to address this vital national security issue,” Langevin said.
Each state is responsible for running its own elections, and many state officials view attempts by the federal government to intervene with skepticism — if not outright opposition. But some experts said the magnitude of the threats from state-sponsored adversaries is too great for states to deal with alone.
“Given the gravity of the nation-state threats we face, much more needs to be done at every level — including a strong declarative policy that this activity is unacceptable and will trigger a strong response,” said Chris Painter, who served as the State Department’s top cyber diplomat during the Obama and Trump administrations.
Dave Aitel, chief executive of Immunity Inc. and a former National Security Agency security scientist, went further: “Protecting systems from cyberthreats from nation-states can really only be done on a national level. It’s insane we have state-level control of these systems.”