The Department of Homeland Security should formally classify electronic voting machines used in dozens of states as critical infrastructure so it has the authority to protect them against hackers, spies and foreign saboteurs, democratic lawmakers say.
The classification would give DHS specialized authority and free up additional budget dollars to protect electronic voting equipment and state voter databases from hackers — just as it has for U.S. energy and telecommunication networks and other vital industries.
The calls follow reports that Democratic National Committee computers were hacked by two groups with ties to Russian intelligence; and new demonstrations by white-hat hackers of the vulnerabilities of electronic voting equipment widely used in the U.S.
In a letter addressed to DHS Secretary Jeh Johnson Monday, Sen. Tom Carper, D-Del, ranking member of the Senate Homeland Security and Government Affairs Committee, wrote: “Designating election systems as critical infrastructure could improve and expand our nation’s ability to prevent and to respond to potential cyberattacks originating both from inside or outside our borders.”
“The Department [of Homeland Security] must act swiftly to prevent even the suggestion that our electoral processes are vulnerable or under attack and ensure the public confidence of one of our most sacred treasures — the right to vote — is not affected by the prospect of malicious cyber and information technology intrusions,” Rep. Bennie Thompson, D-Miss, wrote in another letter to Johnson, Tuesday.
U.S. officials have yet to publicly attribute the DNC breach, although many private sector cybersecurity firms have happily convicted the Kremlin. Regardless of the perpetrators, it rapidly became clear that other elements of America’s political system, including the DCCC and a prominent democratic advocacy group, were vulnerable.
Last week, a group of security researchers attending the Black Hat cybersecurity conference hacked into a U.S. polling station machine simulation. Installed on the convention floor by cybersecurity giant Symantec, the computer system was left unprotected for guests to launch cyber attacks against. The exhibit showed the risks associated with old hardware that carry known vulnerabilities.
Johnson, for his part, told an audience last week at a Christian Science Monitor event that his Department is already considering making the classification upgrade a reality.
“We are actively thinking about election cybersecurity … [and] whether our election system is critical infrastructure,’ he said.
But the classification would have severe repercussions across the more than 9,000 jurisdictions in the U.S. that have authority over the presidential voting process, according to Tenable Network Security strategist Cris Thomas.
“Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level,’ said Thomas, who in the past has testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs.
‘Because elections, even national elections, have been historically treated as a local event, having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years,’ he added.
“[Instead] we need to remain focused on the security concerns of the current system … Many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default hard coded passwords.”
And, with less than three months before election day, an overhaul of the country’s voting systems appears nearly impossible, Nicholas Weaver, a senior staff researcher focused on computer security at the International Computer Science Institute, wrote in a post on the prestigious Lawfare blog.
To mitigate the risks, he argued, it’s necessary to revert back to paper voting in some states.
“While there is still time, election officials in swing states should take immediate action. It is clearly not feasible for those states which still use DRE [Direct Recording Electronic] machines without VVPAT [Voter Verifiable Paper Audit Trail] to switch the entire ballot to paper,” writes Weaver. “[But] they could use paper for just the presidential vote. So all the rest of the races can use the existing (dangerously insecure) systems, but at least the presidential election would have protection against … mass tampering.’