As cyber threats loom over U.S. elections, these three steps can help secure them

The information age has brought with it a host of cybersecurity challenges, perhaps the most important of which is threatening the American electoral infrastructure. This article lays out three important, foundational steps the U.S. needs to take to secure the next election.

 

In an era of hyper-partisan politics, it is easy to get lost in the bickering emanating from the Capitol. From the Affordable Care Act to tax reform, one would be forgiven for thinking that there is no possibility for agreement. In times like these, it is important to remember the importance of strong democratic institutions – in particular, the ability for Americans to fairly choose their own leaders. As Abraham Lincoln said: “Elections belong to the people. It’s their decision.” This right is under threat from malicious cyber-attackers targeting election systems. It is crucial to our democracy that we protect this critical infrastructure with state and federal standards, updates to outdated equipment, and increased federal funding.

Damage from cyber attacks

Malicious users on the internet are nothing new (the infamous Morris worm, the first to gain wide public notoriety, emerged in 1988), but the prevalence of computer technology means that cyberattacks have a much wider impact, particularly among critical infrastructure – assets that are vital for a functioning economy and society. In May 2017, the WannaCry ransomware attack impacted over 200,000 computers across 150 countries, affecting a diverse range of industries, including hospitals, car manufacturers, universities, and government ministries. Contemporary estimates suggested the costs could reach up to $4 billion. In 2013, malicious actors targeted the Rye Brook Dam via cellular modem, raising national concerns. This attack – which the U.S. Justice Department attributed to Iran – exposed the vulnerability of power and industrial plants to cyber risks. Between 2015 and 2016, North Korean hackers stole millions of dollars from banks by targeting their security systems to initiate fraudulent transfers on the SWIFT global messaging network. And in October 2016, state election administrators uncovered the targeting of election infrastructure. Later revealed to be the work of Russia, this attack amounted to a direct assault on a cornerstone of democratic society: the right to fair elections.

It would be slightly pedantic to try to explain why voting is such a crucial component of a functioning democracy. We vote for so many things: presidents, senators, school council seats, comptrollers, attorneys general, house reps, governors, mayors, and many more. As the investigation into Russian meddling continues, it is important to recognize the continued level of foreign interference. In an interview with the BBC, CIA Director Mike Pompeo voiced his concerns about Russian subversion in U.S. and European countries: “I haven’t seen a significant decrease in their activity,” he said, noting that he “fully expects” that Russia will continue to try and influence U.S. elections. Moreover, the Department of Homeland Security (DHS) and FBI have acknowledged “advanced persistent threat actions targeting government entities and organizations” using a variety of cyberattack strategies.

It is not difficult to imagine what a future attack on U.S. voting infrastructure might look like: Ukraine offers a startling example.

The cautionary tale of Ukraine

Nestled in Eastern Europe between Russia and the European Union, Ukraine has been under siege from hackers for the past four years. Ukraine’s geopolitical position, as well as Russia’s territorial aspirations, have made the Eastern European country a proving ground for cyber warfare. Hackers have repeatedly and systematically attacked Ukraine’s politics, transportation, energy, finance, media, and military sectors, deleting, corrupting, and destroying critical infrastructure along the way. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cybersecurity. Hackers have used both basic and sophisticated methods to infiltrate key infrastructure, leading to rolling blackouts across the country. Over successive attempts, hackers have refined their attack techniques with an eye toward potentially employing them elsewhere. Hackers considering striking the U.S. grid could find a wider and more convenient set of targets.

Although U.S. firms are more updated and modern than their Ukrainian counterparts, they present a larger “attack surface” – that is, their greater scale means there is a larger total sum of vulnerabilities accessible to a hacker. The threat of U.S. retaliation has largely deterred widespread attacks. Still, as the previous examples show, the threat remains, and voting infrastructure is particularly vulnerable.

DHS has noted that Russian hackers targeted or probed voting systems in at least 21 states, including breaking into the registration system in Illinois, and stealing the username and password of an election official in Arizona. Since 2016, DHS has designated voting infrastructure as “critical infrastructure.” To be sure, it is vital to U.S. national interests to maintain a secure and resilient electoral process, which is why the formation of policy and regulations is so important. Three important foundational steps will go a long way in securing our next election.

Steps to protect the next election

First and foremost, Congress should set legal standards. The Securing America’s Voting Equipment (SAVE) Act represents a bipartisan attempt to combat hacking, online propaganda, and other interference into U.S. elections. Introduced by Republican Senator Susan Collins and Democratic Senator Martin Heinrich, the bill intends to increase the security of voting systems in the United States by defending against the manipulation, theft, and deletion of voter registration data and ballots. In addition, the bill establishes programs to identify cybersecurity vulnerabilities in voting infrastructure. This represents a powerful step forward. However, without additional funding, states’ voting equipment will still be vulnerable.

Most states use antiquated equipment, which presents a security risk. According to the Brennan Center, 41 states will be using systems that are at least a decade old; machines in 33 states will need to be replaced before the presidential election in 2020. In a majority of these cases, inadequate funding prevents system updates. In addition, the voting machines in 13 states do not have a voter-verifiable paper record – a crucial step in undercutting hackers attempting to wipe voter data. Congress has appropriated $380 million to the states; however, that amount is not nearly enough to replace paperless voting systems across all states. Clearly, states need more federal funding.

Lastly, voter registration databases nationwide need to be updated. However, functional, on-the-ground changes can bolster the safety of election software. Allowing for same-day registration and re-adding purged voters to the database would mitigate the damage should the voting databases be wiped. Similarly, early and mail-in voting would offer advance warning should an election be targeted.

The information age has brought along with it a host of cybersecurity challenges which will only intensify as new technologies are introduced. Yet, voting is a basic principle of our democracy; it gives Americans from all walks of life a say in determining the direction of our country. To quote President Lyndon Johnson: “A man without a vote is a man without protection.” This right is under siege by malicious actors intent on subverting and twisting an inherent democratic cornerstone. Fixing voting infrastructure in the United States is critical in ensuring the protection of future elections and guaranteeing that this cornerstone of democracy remains intact.


Note: An earlier version of this article inaccurately stated that North Korean hackers had breached the SWIFT global messaging system for banks. We regret this error and have updated the article accordingly. 

Photo via Flickr/Yuri Samoilov


Nathan Smith is an MPP Candidate at the Georgetown McCourt School of Public Policy. His areas of interest are in technology policy, in particular cyber security challenges to democratic institutions. He holds a BA in International Studies from the University of Iowa.