Modern field guide to security and privacy

Opinion: How to make democracy harder to hack

Designating the machinery underpinning our democracy – such as voting booths – as critical infrastructure would trigger protections for voting and better safeguard it from meddling hackers.

Keith Bedford/Reuters/File

With the alleged Russian government hack of the Democratic National Convention email servers, and further leaks expected over the coming months that could influence an election, the drama of the 2016 US presidential race highlights an important point: Nefarious hackers don't just pose a risk to vulnerable companies, cyberattacks can potentially effect the future of the free world. 

And the trouble does not stop with the DNC. As The Washington Post and other outlets reported, what has been lost in the torrent of reporting on attributing the DNC hack are the latent vulnerabilities replete throughout our election infrastructure – including voting machines.

Unfortunately, we're not treating voting machines as the core pieces of critical infrastructure that they are, on either a national or global level. 

What counts as “critical infrastructure” is often in the eye of the beholder. In the US, there are 16 critical infrastructure sectors designated by the Department of Homeland Security, ranging from finance to healthcare. In the European Union, the number is 11. The distinction matters because when something is designated as “critical,” regulation is more likely to follow.

Yet, so far, the machinery undergirding our democratic institutions has not received the same level of scrutiny as other critical infrastructure sectors such as our power lines and wastewater plants. That is despite a long, international history of attacks on voting machines and databases going back as far as 1994 in South Africa (when Nelson Mandela’s victory was initially diluted because of fraud). Even in the US as recently as 2012 during a pilot program in DC to test online voting, researchers from the University of Michigan were able to hack the government website so that the University’s fight song would play after a vote was cast.

To put it plainly, voting is in many ways just as important to our long-term prosperity as functioning telecom networks and financial systems. A first step in recognizing this reality would be for the DHS to explicitly include voting booths and affiliated networks as democratic critical infrastructure, potentially as part of the already recognized “government facilities” sector.

This move would help pave the way for National Institute for Standards and Technology, in collaboration with industry, to craft cybersecurity best practices to help jurisdictions across the nation navigate the often confusing choices between voting technology providers. In fact, the choice is so muddled that some cities — including Los Angeles — have developed their own systems incorporating various combinations of touch screens and paper ballots.

At the global level, it's time to build on the positive progress that has been made in international cybersecurity norm building (e.g., establishing rules of the road for how nations – and companies under their jurisdiction – should behave online) by adding in election machinery to our emerging understanding of critical infrastructure.

 The G2 Cybersecurity Code of Conduct between the US and China, for example, calls for mutual restraint in economic cyberespionage, particularly the theft of trade secrets. It could be expanded to include mutual respect for one another’s political parties and election infrastructure; a topic held dearly by the Chinese leadership. 

Similarly, the G7 continued its work on cybersecurity in 2016, publishing its view that “no country should conduct or knowingly support [information and communication technology-enabled] theft of intellectual property” and that all G7 nations should work to "preserve the global nature of the Internet" including the free flow of information in a nod to the notion of cyberspace as a “global networked commons.” Such information could explicitly include data on candidates and norms against outside interference with domestic elections.

Finally, the US proposed three peacetime norms that were accepted for inclusion in the 2015 UN Group of Governmental Experts consensus report, which included language on protecting critical infrastructure, safeguarding computer security incident response teams, and collaborating on cybercrime investigations. This critical infrastructure norm — to which many of the cyberpowers, including Russia, have already agreed — could be leveraged to explicitly include elections.

When we flip a switch, we expect the lights to come on. When we pull a lever, or touch a screen, we expect our vote to accurately be recorded. And when we debate about the next US president, we expect that dialogue to be free of foreign entanglements. A first step in realizing these goals – and ensuring that the 2016 DNC hack, or worse, is not repeated in 2020, and 2024 – is by recognizing our democratic machinery as being at least as important as our industrial machinery. 

Scott Shackelford is an associate professor at Indiana University as well as a research fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and a senior fellow at the Center for Applied Cybersecurity Research. Professor Shackelford’s research is available here.


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Opinion: How to make democracy harder to hack
Read this article in
QR Code to Subscription page
Start your subscription today