Why Election Security Matters

Cyberattacks on U.S. voting systems are a threat to democracy. They are also a test of the country’s will and ability to solve a big 21st-century problem.

Voters cast ballots in Los Angeles, California, November 8, 2016 (Patrick T. Fallon/Bloomberg)

Voters cast ballots in Los Angeles, California, November 8, 2016

(Patrick T. Fallon/Bloomberg)

While running for president in 2016, Donald Trump said he reserved the right to not accept the election result, as if his possible defeat could only be explained by vote-rigging or corruption. His opponent, Hillary Clinton, retorted in a debate, “That’s horrifying . . . He is denigrating — he is talking down our democracy.”

Call it cynical, undignified, or unsportsmanlike, but Trump was being consistent with other campaign themes that tapped into an undercurrent of mistrust in government. Calling the electoral process into question struck at the heart of the matter. While the Trump camp blamed legions of illegal voters for threatening election integrity — allegations that various studies have debunked — a legitimate and still unresolved issue was not remarked upon in that heated political moment: The nation’s voting machines and software are aging and riddled with security flaws.

To be sure, all information technology has weaknesses. A massive buildup of commercial and government defenses has not prevented spectacular breaches such as those exposing more than 40 million Target customers’ credit and debit cards in 2013; data on more than 21 million background investigations at the U.S. Office of Personnel Management in 2015; and nearly 150 million Equifax consumer credit records in 2017.

But at least there are continuing efforts by the IT security industry and allied federal agencies to bolster threat detection and prevention. Voting infrastructure, which lacks a central authority, sorely needs this kind of help. It represents an urgent test for cybersecurity mobilization. Neglect and failure aren’t options.

Just before Trump took office, outgoing Department of Homeland Security secretary Jeh Johnson declared voting to be a critical infrastructure, a status shared by energy, financial services, and 14 other sectors “eligible to receive prioritized cybersecurity assistance” from the DHS. “Election infrastructure is vital to our national interests,” Johnson, now a Paul, Weiss, Rifkind, Wharton & Garrison partner, said in a January 2017 statement. “Cyberattacks on this country are becoming more sophisticated, and bad cyber actors” - he mentioned nation states, cyber criminals, and hacktivists - “are becoming more sophisticated and dangerous.”

The National Association of Secretaries of State opposed designating election infrastructure as critical, so Johnson sought to reassure those officials that it “does nothing to change the role state and local governments have in administering and running elections.

Something has to be done. In February, citing results of a survey of 229 officials in 33 states, New York University School of Law’s Brennan Center for Justice said, “Election officials across the country say they are heading into the 2018 midterms with outdated voting machines and computer systems, and many of them do not have the resources to replace them” with updated, more secure technology.

A recent study by the Center for American Progress concluded that “all 50 states have taken at least some steps to provide security in their election administration,” but under the center’s grading system for security and reliability, “no state received an A; 11 states received a B; 23 states received a C; 12 states received a D; and five states received an F.”

According to Douglas W. Jones, a University of Iowa professor who is one of a cadre of computer scientists raising alarms in recent years about election-system vulnerabilities, the responsibility is spread among some 5,000, mostly county-level, offices.

The decentralization could be a security advantage; adversaries prefer big targets with high returns on their investment. Congressional and Justice Department investigations of alleged Russian meddling in U.S. politics have centered on so-called influence operations, often exploiting social media. Last year, in a retrospective on the 2016 election, Jones said that influence operations “could change more votes at a lower cost than any alternative” including attempts to alter vote counts.

But there are new concerns. Top officials of U.S. intelligence agencies warned at a February 13 Senate hearing that Russia would be escalating its attempts to influence the November midterm elections, when control of the House and Senate is at stake. On February 20, Attorney General Jeff Sessions announced the creation of a Cyber-Digital Task Force assigned, in part, “to prioritize its study of efforts to interfere with our elections” and with critical infrastructure.

The University of Iowa’s Jones now believes he may have “underestimated the resources that Russia has devoted” to discrediting democracy in France, the U.K., and the U.S. He says relatively few precincts in battleground states dictate the outcome of a close national election, and hackers would know which ones to target.

“Strengthening electoral systems will require bipartisan support, so unfortunately it may not happen,” says Kenneth Geers, senior research scientist at cybersecurity company Comodo and NATO Cooperative Cyber Defense Center of Excellence ambassador. Political parties and corporations “are powerful but not impartial” Internet stakeholders, he says. “Therefore, the U.S. government should fund a broad-based commission, heavy on academic and technological expertise, to help guide the way forward.”

The government spending bill that President Trump signed on March 23 — two days after Johnson and current DHS secretary Kirstjen Neilsen were criticized at a Senate Intelligence Committee hearing for moving too slowly on election security — included $380 million for technology, training, and audits at the state level. It’s a start.

Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.

Related