TRUSTING THE FEDERALISM PROCESS UNDER UNIQUE CIRCUMSTANCES: UNITED STATES ELECTION ADMINISTRATION AND CYBERSECURITY.

• Author: Lynch, Eric S.

TABLE OF CONTENTS INTRODUCTION 1980 I. A SHORT HISTORY OF AFRICAN AMERICAN DISENFRANCHISEMENT AND THE VOTING RIGHTS ACT OF 1965 1984 A. African American Suffrage in the Reconstruction Era. 1985 B. The Civil Rights Movement and the VRA 1988 C. The VRA's Enactment and Authority 1991 II. AMERICAN ELECTION SYSTEMS AND THE 2016 ELECTION. 1994 A. Security Breach in the 2016 Election 1995 B. Modern Election Systems and Cybersecurity 2000 Vulnerabilities III. How CONGRESS CAN FORCE STATES TO UPDATE ELECTION 2004 CYBERSECURITY SYSTEMS AND STANDARDS A. Analogizing the VRA with Election Cybersecurity 2005 B. Challenges to the Analogy 2011 1. Shelby County and the VRA's Coverage Formula. 2011 2. Malfeasance Versus Nonfeasance: Intent's Role 2013 Within the Analogy CONCLUSION 2014 INTRODUCTION

In October 2016, the Department of Homeland Security (DHS) revealed that various state-based election systems were breached prior to Election Day. (1) In a postelection audit, seventeen United States intelligence agencies agreed that Russian hackers perpetrated the breach. (2) Later, a leaked National Security Agency (NSA) document demonstrated that the Russian government also directed a spear-phishing (3) attack against a third-party American voting machine company. (4) Ultimately, a DHS official testified that twenty-one states' election systems were targeted prior to the 2016 election, (5) but independent reporting suggests that the breach extended to a total of thirty-nine states. (6)

In July 2017, one in four American voters said they would consider not voting in upcoming elections due to cybersecurity concerns. (7) In response, various legislators and interest groups presented ideas and plans to fix gaps in election cybersecurity. (8) But these reforms were offered well after many election administration and cybersecurity experts had already expected America's aging election systems to fail. (9)

Although many agree that America's election cybersecurity needs an overhaul, (10) there is disagreement as to how far Congress may go to require these changes. The United States Constitution delegates much of Congress's authority in this area to the states through the Elections Clause: "The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such Regulations, except as to the Places of chusing Senators." (11)

This Note recognizes that the Elections Clause grants Congress the authority to regulate states' election procedures, (12) and therefore it does not question Congress's power to regulate states' cybersecurity procedures in elections. Rather, this Note explores the boundary of Congress's authority; specifically, whether Congress can enact legislation that permits federal oversight onto specific states and not others.

To determine the extent to which Congress has the authority to target certain states with election cybersecurity oversight, this Note compares the present issue with one that the Court debated over fifty years ago. (13) In 1965, Congress implemented the Voting Rights Act (VRA), an election administration reform bill targeted at states that denied African Americans the right to vote. (14) This Note illustrates a parallel between how states failed to ensure African Americans access to the ballot prior to the VRA (15) and how states failed to establish secure elections. (16) The analogy demonstrates that Congress can force states with obsolete election cybersecurity systems to submit to federal cybersecurity audits just as Congress enacted the VRA to force states with a history of race-based voter disenfranchisement to preclear any election changes through federal oversight. (17) Although these situations differ in that one concerns voter access to the polls and the other involves election cybersecurity, a comparison is helpful because both test the extent to which the federal government may oversee specific states' election administration procedures.

The federal election cybersecurity audit is a concept based on several proposals and reports published after the 2016 election. (18) The Election Infrastructure and Security Act of 2017, a bill proposed in the 115th Congress, "require[d that] the voting systems used in elections for Federal office ... comply with national standards developed by the National Institute of Standards and Technology [(NIST)]." (19) If Congress adopted legislation like this to establish a threshold standard, then it could further enforce those standards through a coverage formula--similar to the VRA's--that triggers federal oversight of noncompliant jurisdictions. (20) DHS or NIST officials could serve as auditors because both agencies share expertise in election cybersecurity. (21) The audits could be modeled after any of the eight election cybersecurity assessments that DHS already offers, (22) or the eighty-eight "best practices" suggested by the Center for Internet Security. (23) The audits would identify weaknesses in the states' election systems and oversee updates to cybersecurity vulnerabilities. (24)

In Part I, this Note details the history of African American voter disenfranchisement, focusing on the period between the Civil War and the Civil Rights Movement. Studying this period demonstrates how states failed to ensure African Americans access to the ballot, thereby providing Congress the authority to intervene through the VRA. Part II explains the cybersecurity breach that occurred during the 2016 election cycle, outlines how state-based voter registration databases and voting machines are outdated and susceptible to hackers, and details how states have responded since 2016. Part III reviews the Supreme Court's decision in South Carolina v. Katzen-bach, which upheld the VRA and found that Congress could focus federal oversight onto certain states due to "unique circumstances." (25) This Part then analogizes Katzenbach's legal reasoning to the cybersecurity context to explain why Congress has the authority to force states that fail to meet minimum election security standards to submit to federal cybersecurity audits. Finally, Part III also acknowledges some challenges to this analogy--such as whether the analogy is consistent with Shelby County v. Holder, (26) and whether a valid analogy requires malfeasance in both circumstances--and then responds to those critiques.

1. A SHORT HISTORY OF AFRICAN AMERICAN DISENFRANCHISEMENT AND THE VOTING RIGHTS ACT OF 1965

   Although the United States federal government never explicitly denied the right to vote based on race, African Americans have struggled to gain equal access to the ballot box. (27)

   In early, postcolonial America, free African Americans could vote in most states. (28) But by the early 1800s, most African Americans were disqualified through voting eligibility requirements such as race, sex, slavery, or property ownership. (29) Southern slaves were eventually freed through the Emancipation Proclamation, (30) but slavery was not abolished throughout the Union until after the Civil War. (31) This created a problem: what rights did newly freed persons hold? Specifically, could they vote?

   This Part summarizes African Americans' struggle to achieve access to the ballot box after the Civil War and details how the federal government justified its intervention to assist in that effort. First, Part I.A reviews the Reconstruction Era's initial success, but ultimate failure, in securing African Americans the ability to vote. Next, Part I.B studies how the Civil Rights Movement's incremental accomplishments led to federal government intervention to end African American disenfranchisement. Finally, Part I.C briefly explains how Congress enacted the VRA and examines the VRA's underlying authority.

   1. African American Suffrage in the Reconstruction Era

      During the Reconstruction Era, Republicans intended to address many fundamental issues stemming from slavery--specifically newly freed slaves' voting rights. (32) President Abraham Lincoln's Reconstruction plan included a measure to "control postwar politics and administration." (33) This strategy repackaged the Civil War's "Ironclad Test Oath" to guarantee that Reconstruction would be managed by those who intended to incorporate the newly freed slaves into American society. (34)

      But when President Andrew Johnson assumed Reconstruction's management, he did not follow President Lincoln's plan. (35) Instead, President Johnson pardoned those who perpetrated the Southern rebellion. (36) This action allowed the South to elect anti-secessionist representatives and govern itself without oversight. (37) President Johnson's pardon allowed several former slave states to enact the Black Codes, a series of laws that "sought to circumvent the Thirteenth Amendment and replace the individual slave holder with the state as master of this servant race." (38)

      Because states failed to ensure African Africans' access to the ballot, (39) Congress enacted the Reconstruction Acts of 1867, (40) which established a military presence in the South. (41) Federal intervention advocates drafted this legislation to protect African Americans from former slaveholders. (42) While these military forces served many roles, they were specifically tasked with protecting the right to vote. (43) Shortly thereafter, Congress further protected African American suffrage through new constitutional amendments. The Fourteenth Amendment provided Congress the authority to make laws that could safeguard rights such as suffrage, (44) and the Fifteenth Amendment ensured that no law could disenfranchise an otherwise eligible voter based on his or her race. (45)

      The federal government's military occupation briefly succeeded in registering African Americans to vote (46) and propelled African Americans into powerful political positions, (47) but pre-Civil War power dynamics returned after military...