As the 2018 midterm elections loom closer, challenges facing the security of America’s electoral infrastructure are drawing increasingly more attention from policy makers.
The last US presidential election brought the vulnerabilities of election grids to the fore. During the elections and after the race had ended, reports began to flood Western media revealing the attempts by Russian government-connected actors to influence the US electoral system. This included hacking suppliers of software used in digital voting machines, along with organizing the infamous troll armies that conducted social engineering operations in the hopes of swaying voters.
Signs of threat actors targeting election-related assets has persisted. In mid-December, local US media reported that personal details of over 19 million California voters ended up in the hands of hackers after being stolen from an insecure cloud server. Hackers who had penetrated the cloud had deleted all of the content and left a message on the account demanding ransom money in Bitcoin for its return. The database contained personal details of these individuals, including contact and voting precinct information.
The technology used in elections has also been shown to contain serious vulnerabilities. At a recent DEF CON hackers conference in Las Vegas, participants were able to pull off a number of hacks on several commonly used voting machines, including gaining remote access.
All of these revelations served as a major wake-up call. Officials began scrambling to develop solutions for this new threat that they were only beginning to understand. One of the first important milestones in this effort came in September, when a number of Senators arranged a conference with former top cyber officials from the Obama administration, dubbed the “Congressional Task Force on Election Security.”
The meeting featured appearances by former Department of Homeland Security (DHS) officials such as Jeh Johnson and Suzanne Spaulding. In arranging the panel, Senators were already signaling their readiness to take action to secure the cyber infrastructure of election processes.
Then came the legislation proposals.
Over the past several months, Congress has produced a number of bills aimed at protecting elections from future tampering. At the end of September, Senators Martin Heinrich (D-N.M.) and Susan Collins (R-Maine) introduced a comprehensive cybersecurity bill aimed at securing all forms of technology used in US elections. The bill includes funded a bug bounty program for systems manufacturers and a grant program for states to upgrade technology. The bill was almost certainly motivated, at least in part, by the above-mentioned voting machine flaws discovered at DEF CON.
Lawmakers in the House have recently introduced a bipartisan-backed bill aimed at deterring foreign interference in US elections. The bill titled the Defending Elections from Threats by Establishing Redlines (DETER) Act was introduced to the House floor by Reps. Ileana Ros-Lehtinen (R-Fla.) and Brad Schneider (D-IL). The legislation essentially sets down rules for punishing international actors that try to influence public opinion toward candidates.
While the bill subjects all countries to the same penalties, the primary target of the legislation was Russia. Ros-Lehtinen told media in a statement, “Russia blatantly meddled in our 2016 elections, as well as previous elections, in an attempt to erode public trust in our electoral process and undermine our democratic institutions. It will undoubtedly do so again.”
There are clear signs that this bill, or some version of it, will soon become law. The Senate version of DETER was introduced by Senators Marco Rubio (R-Fla.) and Chris Van Hollen (D-Md.) just two weeks ago. At the time, Rubio said in an official statement that the purpose of the bill was nothing less than protecting the integrity of American democracy. “We cannot be a country where foreign intelligence agencies attempt to influence our political process without consequences,” read the document posted to Rubio’s website. “This bill will help to ensure the integrity of our electoral process by using key national security tools to dissuade foreign powers from meddling in our elections.”
While the concerns cited by the supporters of these bills and other measures are certainly legitimate, the important question is what the long-term consequences of establishing these solutions into the US governmental framework will be. The implicit basis of SAVE, DETER, and other proposals is the assertion that data systems and other technologies used for elections constitute critical national infrastructure, and must be treated by the government as such.
This was first asserted by President Obama’s last Department of Homeland Security Head Jeh Johnson in January of last year, when suspicions of Russian meddling in the presidential election were beginning to coalesce. At the time, this categorization faced intense opposition by state governments and election officials, who feared that such a designation would give the federal government powers to oversee and regulate the election process. Johnson tried to quell those fears by insisting that the designation only meant prioritizing election machines in cybersecurity, and did “not mean a federal takeover … concerning elections in this country.”
Regardless of Johnson’s sincerity, there have been clear signs that the program of securing the country’s election grids has brought about an almost unprecedented federal involvement at the state level. Dozens of state governments have been lining up to have DHS’s Risk and Vulnerability Assessment (RVA) — the mother of all system penetration tests — administered on their election grids. States have opted to bring in the feds not only out of fear for security, but also due to the tremendous value that the service provides them.
It is the norm in the private industry to pay cybersecurity companies exorbitant sums, which state governments can now largely avoid, to conduct these tests. Regardless of the reasons for states taking the RVA, the fact remains that election grid security has promoted a much more strongly interconnected relationship between the federal government and local governments.
If this is the result of one single DHS program being made optionally available, what will be the result of a series of laws designed to regulate and monitor elections?
SAVE, for instance, will certainly bring a slew of compliance laws on the types of hardware and software that can be utilized in elections. DETER, which requires some method of detecting election interference, would likely go even further and establish monitoring rules for voting that would likely include federal officials.
The trend of election security measures does more than threaten state government autonomy in their electoral processes; it could produce a complete revamping of election systems throughout the United States, with security from foreign meddling now becoming the top priority.
Scanning some of the trends in election security, a few specific changes to the electoral system could be expected. The first might be the complete abandonment of digital vote casting, resorting instead to paper ballots that can be marked and identified by every individual voter. Some states have already begun to independently adopt this measure.
Another could be the establishment of federal committees in charge of overseeing elections and sampling votes post election to confirm the accuracy of the ballots count. This was one of the features that stood out in another recently proposed bill, the Secure Elections Act, a piece of legislation quitely brought to the floor at the end of December by a bipartisan group of Senators. Even if the specific recommendations of the Act do not end up becoming law, the prospect of federal oversight becoming a dominant feature of US elections is looking like a very real possibility.
There is at least one immediate benefit America has gained from this series of election-defending policies, namely the return of a measure of confidence in election procedures. As Mississippi Rep. Bennie Thompson stated in response to the designation of elections as critical infrastructure over a year ago, “In the long term, this will put our electoral systems on a more secure footing and maintain public confidence in our elections.”
In 2016, the US was blindsided by a series of deliberate attacks against the election grid. Maintaining its integrity in the eyes of the American people will require decisive action on the part of policymakers. Such action should, in most cases, be welcomed, even if it brings with it some unforeseen consequences.