With the alleged Russian government hack of the Democratic National Convention email servers, and further leaks expected over the coming months that could influence an election, the drama of the 2016 US presidential race highlights an important point: Nefarious hackers don't just pose a risk to vulnerable companies, cyberattacks can potentially effect the future of the free world.
And the trouble does not stop with the DNC. As The Washington Post and other outlets reported, what has been lost in the torrent of reporting on attributing the DNC hack are the latent vulnerabilities replete throughout our election infrastructure – including voting machines.
Unfortunately, we're not treating voting machines as the core pieces of critical infrastructure that they are, on either a national or global level.
What counts as “critical infrastructure” is often in the eye of the beholder. In the US, there are 16 critical infrastructure sectors designated by the Department of Homeland Security, ranging from finance to healthcare. In the European Union, the number is 11. The distinction matters because when something is designated as “critical,” regulation is more likely to follow.
Yet, so far, the machinery undergirding our democratic institutions has not received the same level of scrutiny as other critical infrastructure sectors such as our power lines and wastewater plants. That is despite a long, international history of attacks on voting machines and databases going back as far as 1994 in South Africa (when Nelson Mandela’s victory was initially diluted because of fraud). Even in the US as recently as 2012 during a pilot program in DC to test online voting, researchers from the University of Michigan were able to hack the government website so that the University’s fight song would play after a vote was cast.
To put it plainly, voting is in many ways just as important to our long-term prosperity as functioning telecom networks and financial systems. A first step in recognizing this reality would be for the DHS to explicitly include voting booths and affiliated networks as democratic critical infrastructure, potentially as part of the already recognized “government facilities” sector.
This move would help pave the way for National Institute for Standards and Technology, in collaboration with industry, to craft cybersecurity best practices to help jurisdictions across the nation navigate the often confusing choices between voting technology providers. In fact, the choice is so muddled that some cities — including Los Angeles — have developed their own systems incorporating various combinations of touch screens and paper ballots.
At the global level, it's time to build on the positive progress that has been made in international cybersecurity norm building (e.g., establishing rules of the road for how nations – and companies under their jurisdiction – should behave online) by adding in election machinery to our emerging understanding of critical infrastructure.
The G2 Cybersecurity Code of Conduct between the US and China, for example, calls for mutual restraint in economic cyberespionage, particularly the theft of trade secrets. It could be expanded to include mutual respect for one another’s political parties and election infrastructure; a topic held dearly by the Chinese leadership.
Similarly, the G7 continued its work on cybersecurity in 2016, publishing its view that “no country should conduct or knowingly support [information and communication technology-enabled] theft of intellectual property” and that all G7 nations should work to "preserve the global nature of the Internet" including the free flow of information in a nod to the notion of cyberspace as a “global networked commons.” Such information could explicitly include data on candidates and norms against outside interference with domestic elections.
Finally, the US proposed three peacetime norms that were accepted for inclusion in the 2015 UN Group of Governmental Experts consensus report, which included language on protecting critical infrastructure, safeguarding computer security incident response teams, and collaborating on cybercrime investigations. This critical infrastructure norm — to which many of the cyberpowers, including Russia, have already agreed — could be leveraged to explicitly include elections.
When we flip a switch, we expect the lights to come on. When we pull a lever, or touch a screen, we expect our vote to accurately be recorded. And when we debate about the next US president, we expect that dialogue to be free of foreign entanglements. A first step in realizing these goals – and ensuring that the 2016 DNC hack, or worse, is not repeated in 2020, and 2024 – is by recognizing our democratic machinery as being at least as important as our industrial machinery.
Scott Shackelford is an associate professor at Indiana University as well as a research fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and a senior fellow at the Center for Applied Cybersecurity Research. Professor Shackelford’s research is available here.