AS THE UNITED States barrels toward November elections, officials are still looking for last-minute fixes to ensure that the patchwork of voting technology used around the country can fend off the increasingly troubling prospect of hacker attacks. And in the latest of those efforts, Georgia representative Hank Johnson is set to introduce two bills today designed to shore up that fragile system’s security.
The Election Infrastructure and Security Promotion Act of 2016 would mandate that the Department of Homeland Security classify voting systems as critical infrastructure, and the Election Integrity Act would limit which voting machines states can buy and also create a plan for handling system failures. The bills reflect a growing debate about whether designating voting tech as critical infrastructure (like the public water supply, energy systems, transportation, communication grid, and the financial sector) would help to secure the U.S.’s highly decentralized voting setup. In the wake of the Democratic National Committee breach and increasingly brazen Russian cyberespionage attacks, concern is mounting about the potential for election hacking in the 2016 presidential race and beyond. Voting registries and election board websites have been compromised, security researchers have shown that electronic voting machines are vulnerable, and agencies like the FBI are on alert.
For now, the methods and equipment used for voting in America’s federal elections—and the responsibility for those maintaining systems’ digital security—are established on a state-by-state and county-by-county basis. Designating voting tech as critical infrastructure would allow DHS to directly oversee and standardize measures like voting machine testing and audit procedures. Not surprisingly, though, the question of whether to introduce federal intervention has raised fierce concerns among lawmakers and government officials: Some say that federal oversight is antithetical to the historical state-level control of U.S. voting. Others question how DHS, an agency that doesn’t specialize in voting systems and implementation, can help and argue that other types of federal involvement could be more productive. Some still aren’t convinced there’s a credible threat to the current voting system at all.
For this coming election, DHS assistant secretary for cybersecurity Andy Ozment said at a summit last week that the agency isn’t considering a critical infrastructure designation for voting before November. DHS does seem interested in pursuing the idea eventually, but Ozment emphasized that the agency’s priority is maintaining an ongoing dialogue with states and local governments, and added that a critical infrastructure classification “does not put DHS in charge.”
It’s very unlikely that Johnson’s bill or any other initiatives could come together to compel designation before the election, or effect any real security changes if it did. Despite the seeming urgency of Johnson’s proposal less than two months before a presidential election, any substantial fixes it enacts would probably come together to benefit federal elections years from now.
But aside from that question of timing, there’s an even more fundamental debate at the core of Johnson’s proposal: whether the DHS would even have the authority to take so much leadership of federal elections on its own, since the Constitution specifically gives states the responsibility of dictating the “times, places and manner” of federal elections. The Constitution adds, though, that Congress has the power to alter federal voting regulations, so a bill like Johnson’s could potentially give the DHS-focused critical infrastructure approach more legitimacy.
In the meantime, DHS announced in August that it’s offering assistance to states that want additional help vetting their voting systems and taking final precautions ahead of the upcoming election.”Because some attention was drawn to this issue a couple of months ago, more people know that DHS does offer services,” like security testing and audits, says Pamela Smith, the president of Verified Voting, a non-profit group that promotes transparent elections. “All the election jurisdiction has to do is ask. And it went from three states to nine states as of a week ago that were availing themselves of some of the services that DHS is offering. I don’t think that would have happened had it not come up in a very public way.”
For some critics, though, the idea that DHS could become more substantially involved is worrying. Louisiana Secretary of State Tom Schedler said at a hearing of the House Science, Space and Technology Committee in early September, “I don’t think critical infrastructure protection is needed at all.” He added, “I don’t mean to be flippant, but do we really want to create a new TSA for elections?”
The digital threats to voting systems are real. More than half of states use some type of electronic voting—in the case of Alaska all voting is digital—and much of the equipment and software in use is old, buggy, and unpatched. Researchers have shown that attacks are possible both on election day when a hacker could go into the voting booth and use portable hardware to vote more than once, or after voting when data travels unencrypted to a central location for further audits and counting. And federal agencies are aware of those dangers. Many robust vetting and auditing initiatives do already exist around the country, such as recommended voting machine test standards published by the National Institute of Standards and Technology. The fear is that there isn’t a mandatory minimum benchmark. As a result, there’s currently no way to know for certain whether jurisdictions have security vulnerabilities due to resource scarcity or management issues.
But there are already some forms of collaboration between federal agencies and the states in running elections, argues Denise Merrill, Connecticut’s Secretary of State and the president of the National Association of Secretaries of State. States work with the FBI to guard against potential security threats, and operate under the Help America Vote Act of 2002, a federal law that earmarked money for upgrading voting technology and established the Election Assistance Commission to help state governments with federal elections. Merrill suggests that rather than DHS control, a new version of HAVA could earmark funds for strengthening digital security. “There’s a history of working with the federal government,” she says. “It’s just we don’t really know what the critical infrastructure [designation] means. Does this mean there’s going to be more federal involvement in a way that we can’t control?”
Though the controversy around potential DHS involvement in voting is far from resolved, the process of debating a bill like Johnson’s could help to clarify what the agency’s role would be and how far its influence would extend. But without some type of updated mandatory security standards, the danger of a weak link in the U.S.’s 9,000-plus voting jurisdictions seems inevitable. “It’s the whole country that has a stake in how safe those systems are,” says Verified Voting’s Smith. “So when we’re talking about state and local elections, yeah, you do you. But if we’re talking about federal elections where there is a factor that has an impact on everybody, then I think it’s fair to have a baseline.”