cybersecurity

The Elephant in the Room - Election Security

The recent revelation by the Senate Intelligence Committee concluded that election systems in all 50 states were targeted during the 2016 election by Russian operatives. This should come as no surprise considering 2016 was likely only a reconnaissance mission. The stage is set for deeper and more insidious intrusions to grow over time without significant investment in election security. 

We need to acknowledge that the technology which gives us unprecedented access to one another through constant news updates, the ability to control home appliances and yes - even voting - are all lucrative targets for both individual hackers looking to make money and state agencies wishing to sow discord. In many ways, our greatest technological achievement of the past half-century has also become our Achilles heel. 

The sad fact is that the perpetrators don’t necessarily have to do much other than claim access those systems to create a sense of distrust in the security of the election system. Without changing a single vote, the mere knowledge that they claim to have accessed the system creates doubt and uncertainty regarding the outcome of the election. On top of that, the reality is that the majority of potential paths to a successful intrusion can be prevented with security enhancements that exist in the market today.  

  Election interference has the potential to do more than just throw results into doubt, it could also destabilize our democracy as we know it. In an age of misinformation, foreign-state sponsored propaganda and doubt, one of the few things that Americans are able to count on is the legitimacy of our elections. Without appropriate attention and investment that will be thrown into question as well, something we simply can’t afford in the current climate.

Fortunately, there are a series of common-sense steps we can take to increase our election security and strengthen our system. First, a uniform standard needs to be adopted for the security of voting machines and the networks on which they operate. A good baseline is the NIST Cybersecurity Framework which is widely considered to be the gold standard for security in the industry. A 2002 law called HAVA (Help America Vote Act) tasked NIST with creating voluntary guidelines for election machine security. While not as comprehensive as the Cybersecurity Framework, at a minimum these must be made mandatory. 

Secondly, voting machine manufacturers must be held to a higher standard. Since 2016 we have seen multiple instances of manufacturers recommending officials set up voting machines with less than optimal security practices. This must change. Not only in terms of the security controls which they recommend but also the ones they implement on their own networks. Supply chain security is critical. Default passwords, insecure networks, and lack of security consciousness are not acceptable for companies that work on critical election infrastructure. 

Finally, these rules and practices must be enforced just as rigorously and with as much emphasis as other security regulations such as PCI, HIPAA, HITECH, NERC, and FERC among others. The sanctity of our elections is too important for anything less. We have the tools, technology, and knowledge to solve the problem - now all that is required is the will. As a society, we have all been taught to treat emails, downloads, and phone calls with some modicum of suspicion. If we lose the integrity of our elections we will be forced to treat them with the same misgivings.