Modern field guide to security and privacy
A woman exited a voting booth after filling out her ballot for the US presidential election at the James Weldon Johnson Community Center in the East Harlem in New York City.
Andrew Kelly/Reuters | Caption

Why it matters to call voting booths 'critical infrastructure'

search for solutions

The Department of Homeland Security designated 'election infrastructure' among the country's most valuable and critical industries and sectors. That could trigger greater protections at the ballot box against malicious hackers.

While state and federal officials scrambled this summer to understand the full impact of the political cyberattack blamed on Russia, Department of Homeland Security Secretary Jeh Johnson surfaced a novel idea.

What if the US designated the digital and physical assets that support elections as "critical infrastructure," similar to how it categorizes America's most vital sectors such as banking and power utilities.

It's time for the US government to "carefully consider" whether the US election system should have the same classification, Mr. Johnson said in August, meaning that federal authorities would commit more resources to protect the mechanisms that underpin American democracy.

Last week, amid further allegations that the Russian government orchestrated a cyberattack to support President-elect Donald Trump's campaign, Johnson announced a new critical infrastructure moniker for "election infrastructure," which includes polling booth storage facilities, polling places, voter registration databases, voting machines, and other systems to manage the election process. There are 16 US sectors labeled critical infrastructure, including the financial, water treatment and chemical sectors. Election infrastructure will fall under the "government facilities" sector.

"The designation makes clear both domestically and internationally that election infrastructure enjoys all the benefits and protections of critical infrastructure that the US government has to offer," he said. 

In other words, the critical infrastructure label puts all foreign countries on notice that disrupting or breaching election systems now will be viewed as a violation of international norms, a DHS official explained on Wednesday. An attack on critical infrastructure would trigger a coordinated response among federal agencies, state and local authorities, and the organizations that operate physical and information technology assets. Additionally, the government may sanction individuals or states that strike computers that underpin critical infrastructure.

While the recent intelligence report on Moscow's hacking activities to disrupt the presidential election said that voting systems weren't targeted or affected, the FBI revealed earlier this year that hackers linked to Russia breached voter registration systems in Arizona and Illinois. The incident didn't change any voter data or compromise any tabulating networks.

There's still much to be worked out regarding the new classification for voting systems, such as what that means for state election authorities that currently oversee voting. 
In July 2015, a United Nations group report proposed voluntary rules of behavior for cyberspace forbidding nations from messing with each other's critical infrastructure that were agreed to by 20 governments, including China, Israel, Russia, and the US.

"A state should not conduct or knowingly support [information communications technology] activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public," the UN Group of Governmental Experts report states.

It's unclear whether the UN group's voluntary ban on cyberintruding into key sectors will stop signatories such as Russia from trying to manipulate the democratic process, or how America will respond if they do.

"All these diplomatic efforts are unlikely to engage with states such as Iran and North Korea, which have been among the most active nations in developing cyber capabilities for political and military purposes. They are likely to ignore any global initiatives to introduce cyber norms, especially given that they lack a seat at the decision-making table," Tim Maurer, colead of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, said after the debut of the 2015 UN cyber norms.

When Johnson first floated the idea this summer, many state and local officials, as well as security experts, doubted that rebranding the US electoral system a high-value property would help secure the integrity of the vote ahead of the recent presidential election, partly because that would require training 9,000 US jurisdictions to put in place protections on each of their unique balloting operations.

"What we really need from the government is clear declaratory and escalatory policy in the cyber domain," Nate Fick, chief executive officer at the cybersecurity firm Endgame, said at the time. "What is espionage? What is war? And what will the government do to bring the full force of American power – diplomatic, economic, military – to bear in order to strengthen deterrence?"

About 62 percent of Passcode's Influencers said categorizing the US electoral system as critical infrastructure will not protect American democracy from hackers.

In addition, some states voiced concerns about federal overreach, since the constitution grants states the power to govern presidential elections. Battleground states that were expected to decide the race's outcome, such as Georgia, first recoiled when Johnson suggested the federal government tag state-run election systems as critical infrastructure.

On Aug. 23, Georgia Secretary of State Brian Kemp’s said, "The question remains whether the federal government will subvert the constitution to achieve the goal of federalizing elections under the guise of security. In my opinion, designating voting systems or any other election system as critical infrastructure would be a vast federal overreach, the cost of which would not equally improve the security of elections in the United States."

After last week's statement, Johnson acknowledged that there is state and local government opposition to DHS declaring election assets critical infrastructure. With those concerns in mind, he stressed, "This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country."

Critical infrastructure protection is an opt-in service, meaning DHS will only step in if state and local officials request help from the federal government. "Particularly in these times, this designation is simply the right and obvious thing to do," Johnson said.

"Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors – ranging from nation states, cyber criminals and hacktivists – are becoming more sophisticated and dangerous."