By Mike Martin
The recent cyberattack on the Democratic National Committee and the Democratic Congressional Campaign Committee has led to confusion on how to protect against potential future hacks. In the wake of these attacks, Homeland Security Secretary Jeh Johnson said the Department was looking at designating elections as critical infrastructure. This move would put elections on par with the electricity grid and the banking system. It’s a subject the Obama administration is exploring.
Johnson explained that bumping up elections to that level would raise several implications. This is because under Presidential Decision Directive 21 (the directive that assigned the titles of critical infrastructure), assigning elections as critical infrastructure would mean designating one lead agency to serve as a federal liaison with election officials and offer them a range of assistance. That agency would also stay in touch with DHS (assuming DHS doesn’t take the “sector-specific agency” label for itself), which would offer broad strategic guidance and vulnerability assessments.
This move has been widely supported on Capitol Hill, even though elections are already covered in a way, so the change might not be necessary. According to a DHS official, “Election infrastructure is a complex system of assets managed at the state and local level. While not officially designated as a separate critical infrastructure sector under PPD-21, it is an important aspect of state and local infrastructure and is critical to the functioning of our democracy, and therefore it is covered.”
In addition, an old school hacker who was part of the L0pht hacking collective says such a change might do more harm than good because “classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level.” According to Cris Thomas, who is now a strategist at Tenable Network Security, “National elections have always been historically treated as a local event, and having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years.”
Thomas also says that we need to focus on the security concerns of the current system, which stem from a lack of testing. Manufacturers do not test systems well enough before sending them to municipalities, which leads to the use of off-the-shelf hardware with minimal security coding. In addition, local government certification agencies are often short on the capacity to test for vulnerabilities and so accept a manufacturer’s claims on the security of their products. As such, says Thomas, “the result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security.”
To sum this up, not only can one argue that these elections are already supposed to be considered critical infrastructure, but the categorization of elections as critical infrastructure may do more harm than good. Therefore, questions remain as to what to do with election security.
The importance of elections is unquestionable. Elections are one of the most crucial practices in America. They determine the future of the country. If one is able to manipulate polls and change voter data to elect a certain official over another, they could potentially manipulate the direction in which our country heads. That being said, this is not something that our government should rush into.
Fundamentally changing our election process less than 80 days before our Presidential election could be disastrous to the fluidity and efficiency of the election, and because of this, we should aim to fix the flaws of our current system first. If the United States government uses better software and does better testing of the system’s vulnerabilities, as Cris Thomas recommended, our election system would be much less susceptible to these reoccurring hacks. Because of this, our first option should be to revamp the broken system, not to blow it up.
Michael Martin is a Juris Doctor candidate at the University of Maryland Francis King Carey School of Law. He is also pursuing a specialization in cyber and homeland security through Maryland’s new cyber-security certificate program, and he is pursuing a career in the field of homeland security.