Homeland Security increases focus on cybersecurity at the polls
Robert Silvers, assistant secretary for cybersecurity at Homeland Security, said the agency is helping states fortify voting systems against digital tampering before November's presidential election.
Cambridge — Department of Homeland Security officials may not expect malicious hackers to sway November's election, but the agency is offering more protections to help states secure voting systems.
After this summer's Democratic National Committee breach, and a recent FBI warning of digital tampering with state election boards, Homeland Security has stepped up efforts bolster cybersecurity at the polls and for state election boards.
"We are working with election stakeholders to offer assistance on a voluntary basis," said Robert Silvers, the agency's assistant secretary for cyber policy. "We want to leave no stone unturned."
Mr. Silvers said DHS will coordinate efforts through the National Association of Secretaries of State, a Washington organization that represents the elected officials who certify state vote counts around the US.
More than 9,000 US jurisdictions will work together to add up digital and paper ballots on Election Day. Silvers said that DHS is working with state election officials involved in that process to provide on-site scans of voting software for potential vulnerabilities.
In August, Homeland Security Secretary Jeh Johnson said his agency would "carefully consider" labeling US election systems as critical infrastructure. The move, championed by some US lawmakers, would put federal dollars toward digital security measures for electronic voting machines.
After cyberattacks on voter databases in Illinois, Arizona, and potentially other states, the agency published a list of best practices that officials can use to secure voter registration data against would-be hackers. Those measures include applying software updates and restricting high-level technical privileges to key officials.
Silvers would not confirm whether DHS is still considering labeling voting as critical infrastructure. In a survey of Passcode's Influencers, a group of digital security and privacy experts, 62 percent of respondents said the protection is not enough to safeguard voting from hackers.
"Designating the US electoral system as critical infrastructure is little more than security theater," says Rodney Joffe, senior vice president at Neustar, a Virginia-based technology company. "For the 2016 cycle, [it's] game over.”
But with election forecasters predicting a tight race between Hillary Clinton and Donald Trump this November, some experts suggest even minimal tampering at the polls could have a major impact.
"An attacker only needs to target swing counties in one or two swing states to impact a national election," said James Scott, a senior fellow at The Institute for Critical Infrastructure Technology.
Mr. Scott says most US states haven't accepted DHS's offer to secure the polls, leaving many jurisdictions using "dilapidated systems" and in need of better security protections, including simulated hacks conducted by cybersecurity professionals.
Without those measures in place, he says, digital tallies "may not be secured if the state is not willing to cooperate. The security of election systems should not be a bureaucratic game." Watchdog group Verified Voting says that so far, nine states have adopted DHS protections, but agency has not confirmed that number, or identified any participants.
Homeland Security's attention on cybersecurity at the polls comes as the department is increasingly focused on bolstering nationwide digital defenses in the face of ever-increasing data breaches.
On Thursday at the Security of Things Forum in Cambridge, Mass., Silvers announced that DHS would spearhead a government plan to develop strategic principles for securing internet-connected devices.
The strategy, scheduled for release before the end of 2016, aims to build on federal efforts led by agencies such as the National Institute of Standards and Technology, which published a framework to help secure critical infrastructure – to help companies building web-connected products secure those devices for consumers.
"We are counting on networks functioning to drive more of our live-sustaining activities, from medical devices to control systems. We're growing a national dependency," Silvers said at the forum cohosted by Passcode. "Internet of Things security is a public safety issue, it’s a homeland security issue, and we have to treat it as such."
This story was updated after publication.