Casting a Vote on Electoral Security
GUEST BLOG—By Brian Nussbaum, writer, New America Weekly via “Future Tense.”
There’s something particularly unusual
about the recent revelations that foreign hackers successfully breached voter
registration systems in Arizona and Illinois.

It’s not just the intriguing possibility of Russian involvement. Nor is it that FBI and
Department of Homeland Security officials took the notable step of confirming
the penetration and warning state election boards to conduct vulnerability
scans.

It’s that the targets of the hacks—state and local election data—don’t have the same
obvious incentives as attacks before them. Missing are the monetary rewards for
the perpetrators of large retail data breaches; lacking is the espionage value
of a hack like the massive compromise of data from the Office of Personnel
Management. Instead, these intrusions target the system at the heart of our
democracy, and the incidents are rightly being treated as a very serious
problem. But how do we fix it?

For his part, DHS director Jeh Johnson has discussed the idea of including U.S. voting
systems on the list of federally designated “critical infrastructure”—a
protective designation it gives to resources such as nuclear power plants,
banking and finance systems, and the electrical grid. However, unlike our
nuclear or financial systems, both the institutional and network
infrastructures that underpin our local elections have been cobbled together in
troubling ways: They were done incredibly cheaply, over years and numerous eras
of technology, and with virtually no standardization or even minimum security
practices.

To be clear, it would actually be very hard for hackers to meaningfully alter a national
vote count given our decentralized election systems. (As Johnson himself
pointed out after the August state breaches, we’ve got some 9,000 jurisdictions
at the state and local level involved in the process.) But changed ballots
aren’t the only meaningful consequences that can result from such attacks.
Other less clear costs—from weakened public confidence in election results to
increased auditing expenses—pose serious concerns. Assessing this impact will
be challenging, as will making changes to prevent future hacks. The
vulnerabilities exposed by the Illinois and Arizona breaches, and credible
concerns about the possibility of new ones, have exposed just how behind state
and local governments are when it comes to protecting their systems and data.

Part of the reason for this comes down to serious funding and personnel constraints. Almost
all local governments struggle to recruit and retain generally qualified IT
professionals, let alone those specializing in cybersecurity. With short supply
and high demand, many are unable to pay competitive salaries and often rely on
contractors for most or even all of their information security. This wouldn’t
be a problem if the local governments knew exactly what they needed and had
sophisticated contracting capabilities, but this is often not the case. The
most resource-constrained jurisdictions aren’t taking steps to beef up their
cyberprotections. And when it comes to electoral processes, these local
setbacks become national issues.

The other reason that state and municipal governments have fallen behind on cybersecurity
is a phenomenon known as “security debt.” The idea behind the term is that
computers and computer networks allowed institutions—companies, organizations,
and governments alike—to decrease their costs, increase their efficiency, and
shrink their staff levels. The problem is that the upsides of the switchover
are front-loaded in the early years of deployment, and this new, efficient way
of doing business becomes the norm. Only later, sometimes years down the line,
do costs like network vulnerabilities become apparent. Malware and Trojans.
Data breaches. Ransomware. Most result from pre-existing or unpatched
vulnerabilities. This is the security debt coming due.

The problem is that too many organizations quickly adopted these new systems without
sufficiently planning for their inevitable future costs and vulnerabilities.
The resulting security debt is especially problematic for local governments,
which are often unable to mitigate the unplanned costs in an era where their
funding is declining and more is expected of them. And it’s not just electoral
processes that have been put at risk. Think of all of the information your
municipal government has on you—voting data, tax information, property records,
criminal history, driver’s license numbers, Social Security numbers. Think of,
if your kids go to public schools, all of the data they have on your children.
There’s perhaps no better case study of governments diving into a new system
without thinking of security and privacy pitfalls than the fast-paced adoption
of educational technology. Few examples have a bigger security debt—what kind
of data are these companies collecting? Who can use this sensitive student
information? How secure is this data?—than these digital learning tools. The
impulse to chase after the newest, shiniest technological aid doesn’t help
either.

We expect our local governments to do quite a bit of work for us—from policing to
collecting taxes to repairing roads to operating elections. In a modern world,
all of those functions require information systems housing large amounts of
sensitive data. Frankly, we haven’t thought enough about what goes into these
processes. And when we have, we’ve mostly assumed that governments were taking
reasonable measures to keep these systems secure. It’s not clear that those
were good assumptions.

There are, however, ongoing discussions about how to fix these problems. They include
ideas like having local governments consolidate, adopt cloud-computing
solutions, outsource to managed security services, or connect with federal and
state programs that would pool resource capabilities. All of these, if
implemented with care, provide promising potential for future solutions. Until
then, we should concede that we will be paying a high “interest” rate on our
growing security debt—interest that is likely to manifest as data breaches,
intrusions, and emergency costs to respond to incidents and patch
vulnerabilities.

It’s also worth noting that, even with good tools, there are no simple answers to these
challenges. Federal financial and technical support to better secure local
electoral processes, for example, is sometimes viewed skeptically. Numerous
state election officials have suggested that this represents creeping federal
control over their elections, something many don’t want to see. Roadblocks like
these pose serious challenges for a nation that relies on selecting leaders at
every level at local ballot boxes. As we do so, we’re pushing the operations of
our voting infrastructure to the most underfunded, understaffed, and
underequipped levels of government.

Justice Louis Brandeis famously described the states as the “laboratories of
democracy.” In an age with more of our civic life online and more threats to it
from around the world, we certainly have an interesting experiment on our
hands.

Editor’s Note: Posted from New America Weekly via “Future Tense,” a collaboration among
Arizona State University, New America, and Slate.

Brian Nussbaum is a fellow in New America’s Cybersecurity Initiative. He is an
assistant professor of homeland security and cybersecurity in the College of
Emergency Preparedness, Homeland Security and Cybersecurity at the University
at Albany.