On the heels of the Democratic National Convention hack and the political fallout that is ensuing months before the presidential election, the country's Homeland Security chief said he's considering measures that would strengthen cybersecurity protections for voting.
It’s time for the US government to "carefully consider" whether America’s election system should be considered as critical infrastructure, which would trigger greater digital security measures for electronic voting machines, said Jeh Johnson on Aug. 3 at a Monitor-hosted breakfast for reporters.
Like existing critical infrastructure sectors such as electric utilities and water treatment plants, “There’s vital interest in our election process,” said Mr. Johnson. "We’re actively thinking about the election and cybersecurity right now."
If the US considered the election process critical infrastructure, the designation would have significant implications for how federal officials would respond to a possible cyberattack. There is no timeline yet for making that designation, but Johnson said he's considering reaching out to election officials.
There is not one federal election system, but rather 9,000 jurisdictions involved in voting across America that collect, tally, and report votes. And as more voting machines are automated and election districts rely more heavily on computers to count votes, elections are more susceptible to cyberattacks, many cybersecurity experts warn.
The DNC hack brought the dangers associated with hackers meddling in the US political process into focus. After the organization discovered the intrusion, it did not seek the assistance of Homeland Security.
Johnson noted that a recent White House directive on how the nation should respond to significant cyberattacks named Homeland Security as the agency for “fixing and patching” vulnerabilities that could affect critical infrastructure.
"I’m the fireman," Johnson said, adding that FBI Director James Comey "is the cop."
But while the White House has pointed to Homeland Security as the leading agency for responding to digital intrusions and attacks, the agency's capabilities for handling such incidents have been questioned by both experts and politicians.
Last year, Sen. Tom Coburn, then the ranking member of the Senate Homeland Security Committee, sharply criticized DHS efforts to ensure sufficient cybersecurity protections for critical infrastructure.
If the agency's responsibilities for cybersecurity are expanded to US election systems, the DHS would have some work on its hands.
Take, for example, voting machines. “Unfortunately, we’re not treating voting machines as the core pieces of critical infrastructure that they are,” cybersecurity expert Scott Shackelford noted in Passcode last week. "So far, the machinery undergirding our democratic institutions has not received the same level of scrutiny as other critical infrastructure sectors such as our power lines and wastewater plants."
There are a number of voting machines in districts across the country that are digital and connected to the internet.
In a 2012 pilot program to test online voting in Washington, for example, researchers from the University of Michigan were able to hack the government website “so that the university’s fight song would play after a vote was cast,” added Dr. Shackelford, an associate professor at Indiana University.
"To put it plainly," he said, "voting is in many ways just as important to our long-term prosperity as functioning telecom networks and financial systems."
Editor's note: This story was updated after publication to correct the date of Homeland Security Secretary Jeh Johnson's comments. He spoke on Aug. 3 at a Monitor breakfast in Washington.