In the wake of hacks that infiltrated the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign, in addition to the political fallout and the multiple warnings from cybersecurity experts about the potential for hacking to disrupt the election, state and national leaders are finally weighing in and proposing measures to protect parties’ sensitive information and the security of the entire election system.
Secretary of Homeland Security Jeh Johnson is said to be considering whether to designate the US election system itself as critical infrastructure, which could heighten cybersecurity at the ballot box and have significant implications on how federal officials would respond to potential cyber attacks. The DNC recently announced that it has assembled a cybersecurity advisory board in response to the recent hack “to prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class.”
Simply deeming the US election system a new critical infrastructure (the US already considers 16 different sectors as so called ‘critical infrastructures’) or hiring a few experts and a more sophisticated IT team, however, won’t be enough to ensure voters’ trust and confidence in our national security and in the integrity of our election process. If the nation’s politicians and political campaigns don’t improve their overall cyber defenses and develop new approaches and advanced techniques to strengthen our collective security, mitigate cyber risks, and help us prepare today for tomorrow’s challenges, not only will American’s personal data be at greater risk but the entire democratic process could be compromised.
Many cybersecurity and political experts have connected the recent hacks and subsequent leak of sensitive emails back to the Russian government. If the cyber intrusions were indeed orchestrated by the Kremlin, it would be the first known state-backed cyber attack to harness the power of the Internet to manipulate a presidential election. The idea that a foreign or other power can deliberately manipulate voters and parties with targeted data breaches in an attempt to influence a presidential election would be insidious on an unprecedented level, and would open a whole new front in information warfare that could fundamentally change the value of data in national security.
What the US government needs to do is prioritize the use of the limited resources available to first and foremost protect and increase the resilience of those critical infrastructures and services that our society and nation depend upon—power, telecommunications, and financial services—and, at the same time, make clear to any adversary that there will be serious consequences for cyber attacks that disrupt both national critical infrastructures or attempt to manipulate domestic electoral politics. As Jason Healey rightly stated, “the administration needs to be ironclad on the evidence [of the DNC hack] to convince the American people that this is about policy, not politics. This has got to be about defending a constitutional process, not a party.” Moreover, as Passcode’s contributor Bob Hansmann suggested, what “both the Democratic and Republican parties—as well as the Hillary Clinton and Donald Trump campaigns—should [do is] hire chief information security officers (CISO)” to better protect their sensitive information from unauthorized disclosure and “share intelligence on breach attempts and other malicious activity.” That’s not a cure-all by any means. But putting someone in charge of safeguarding their vast collections of sensitive data—whether on political strategies, the candidates themselves, or voters—would vastly improve their defenses against cyber criminals and the prying eyes of foreign intelligence operatives.
Voters, donors, and the media need to keep up the pressure on politicians and candidates to work harder to prevent cyber attacks. After all, whoever the next President, Senators, and Representatives are, they will face immense challenges in updating policies, strategies, and laws to protect our country’s most valuable, sensitive information, systems, and infrastructure—including the computer networks and systems that operate our nuclear power plants, electrical grids, dams, and our democracy itself.