Two Key Tips to Cyber-securing the U.S. Election
Regardless of policy or political position, all parties involved in the United States 2016 presidential election are focused on cyber-securing the election next week. Back in August, Homeland Security Secretary Jeh Johnson held a conference call with election officials across the country, stressing the importance of securing the voting technology used in the nation’s elections and offering federal help for the job.
It was recently revealed that 30 states took up Secretary Johnson’s offer, and have Homeland Security actively helping them to monitor the process in their states.
It’s all about the infrastructure with the presidential election, not to mention the countless state and local elections. And it is never too late or too early to think about the security of our electoral infrastructure. In many places, our nation’s electoral infrastructure is moving from physical paper and punch-card ballots to networked electronic technology. Networked electronic technology is subject to all of the threats and risks of our existing IT networks and systems, and if history has taught us anything, it’s that any system can be breached.
Complicating the ability to secure the electoral system is the fact that there is no one system that makes up the electoral technological back-end network. Although we elect national leaders, the federal government does not run elections. That is left to the states and there are over 9,000 election jurisdictions throughout the country. These conduct polling in densely populated urban areas, sparsely settled rural towns and everywhere in-between. They have different requirements and challenges and operate under different laws and policies. There are many types of voting systems in place, relying in varying degrees on electronic technology, with different implementations of each technology. The result is a patchwork of systems rather than a single coherent infrastructure.
Sec. Johnson can offer local officials the help of the U.S. Election Assistance Commission and the National Institute of Standards and Technology, but that’s about as far as he can go. Whether states, counties and cities accept his offer is up to them. But there is something that every state, even the 20 that have thus far refused Homeland’s help, can do. The National Institute of Standards and Technology (NIST), working with the U.S. Election Assistance Commission, has developed technical Voluntary Voting System Guidelines to help ensure the security of voting systems. But these are voluntary, and like all guidelines cannot by themselves ensure complete security.
There is a nugget of good news in all of this, however. The same diversity that complicates securing voting systems also complicates an effective nationwide attack.
A “rigged election” by hacking would not be easy. It would require strategically targeting vulnerable systems in key precincts and counties in key states. Effective exploits would have to be developed for different systems, and attackers would have a limited window of opportunity. Voting systems are not operating online continuously; even if an attack is made through a county or city’s IT network, the voting system could not be in danger of compromise until it is connected. Once successfully compromised, attackers would have to carefully cover their tracks and monitor projected voting results so that changes could be made to achieve the desired outcome without creating suspicion.
All of this would be resource intensive, with a small margin of error. Shifting too many votes in too few places could draw attention, so all or most of the hacks would have to be successful. And the attackers would have to hope that someone on the opposite side was not doing the same thing and cancelling out their efforts.
This is not to say that such an attack is not possible. There have been instances in which a national election has been determined by the votes—legitimate or not—in a single key area (Chicago in 1960 and Miami-Dade County in 2000). And a United States presidential election would be a high-value target for attackers—possibly high enough to make it worthwhile for another nation to invest in an attack.
Top Tips for election commissions:
- Pay attention to security. Use the Voluntary Voting System Guidelines, talk to other counties and states, and accept Homeland Security’s offers of help.
- It’s not just your voting system. Whatever your system is connected to also has to be secured. This probably means all of your networks and IT systems need to be hardened as critical infrastructure, which probably means they will require a higher level of security than they currently have.
Regardless of policy or political position, everyone involved in this election needs to continue to be focused on cyber-securing the election. By doing so, we can prevent any type of a contested election result due to cyber-attacks and data breaches, and continue the peaceful transition of power that has existed in this country since its democratic founding.