[Image via wikimedia]
Cybersecurity concerns related to recent news stories about email “hacks” and other cyberattacks have led the U.S. Department of Homeland Security to consider measures to protect the nation’s voting systems. The New York Times has more:
The Obama administration is weighing new steps to bolster the security of the United States’ voting process against cyberthreats, including whether to designate the electronic ballot-casting system for November’s elections as “critical infrastructure,” Jeh Johnson, the secretary of Homeland Security, said on Wednesday.
In the wake of hacks that infiltrated Democratic campaign computer systems, Mr. Johnson said he was conducting high-level discussions about “election cybersecurity,” a vastly complex effort given that there are 9,000 jurisdictions in the United States that have a hand in carrying out the balloting, many of them with different ways of collecting, tallying and reporting votes.
“We should carefully consider whether our election system, our election process is critical infrastructure, like the financial sector, like the power grid,” Mr. Johnson told reporters in Washington. “There’s a vital national interest in our electoral process.”
In particular, Secretary Johnson wants to reach out to election officials about the ever-changing threats that exist online:
A national commission [the EAC] created as part of a voting overhaul enacted in 2002 [HAVA] in response to the controversy surrounding the 2000 presidential election “raised the bar” on security, Mr. Johnson said. “But there is more to do,” he added. “The nature of cyberthreats has evolved.”
Mr. Johnson said he was considering communicating with state and local election officials across the country to inform them about “best practices” to guard against cyberintrusions, and that longer-term investments would probably have to be made to secure the voting process.
“There are various different points in the process that we have to be concerned about, so this is something that we are very focused on right at the moment,” Mr. Johnson said.
The White House noted the difficulty that the nation’s decentralized election system poses for would-be attackers and defenders alike:
The administration on Wednesday played down the dangers, saying voters should not worry about cyberattacks wreaking havoc with the election.
“There are risks out there,” said Josh Earnest, the press secretary. “But I think the American people can have quite a bit of confidence in our ability to mitigate those risks.”
Mr. Earnest said the administration was committed to offering support to state and local governments so they could protect the integrity of the voting process, but that given the varied practices and software used in different jurisdictions, there could be no single method for doing so.
“That varied infrastructure and those different systems also pose a difficult challenge to potential hackers,” Mr. Earnest added. “It’s difficult to identify a common vulnerability.”
Election officials concerned about lacking the technical expertise on-staff to handle these threats might be reassured to learn that an excellent first start is to address the typically most-vulnerable component of the system; namely, the people running it:
Mr. Johnson said it was vital for employers to emphasize to their employees the importance of not falling prey to “spear phishing,” in which a hacker, posing as a trusted source, sends a fake email in an attempt to compromise the security of a computer network.
“The most devastating, intrusive attacks by the most sophisticated actors often originate with a simple act of spear phishing,” Mr. Johnson said.
Even some of his own employees have been caught by such gimmicks, Mr. Johnson added. He said the Department of Homeland Security had run exercises in which employees receive an email offering free tickets to Washington [NFL] football games if they click a link.
“They’re told to report at a certain time and place to pick up their free … tickets,” Mr. Johnson said. “They get a cybersecurity lecture instead.”
Regardless of the response, it is vital for election officials in jurisdictions of every size and at every level to develop an awareness of cybersecurity issues – and, where possible to harden their systems against such attacks. Not everyone will have the necessary technological skills, or the budget to hire them, but a general familiarity with the behaviors and structures that create vulnerability will go a long way toward preventing cyberattacks and and identifying them when they are attempted.
Here’s hoping that DHS follows through on those plans to share information on cybersecurity – and that election officials and the larger election community move to share not just best practices but first steps for election officials seeking to protect their systems and their voters.
Stay tuned …