The Problem with a New Elections System Critical Infrastructure Sector
Posted: October 13, 2016 at 11:45 am, Last Updated: October 13, 2016 at 12:57 pm
On August 18, 2016, the Federal Bureau of Investigation’s (FBI) Cyber Division issued a “flash” alert warning states of the potential risks of cyberattacks against voter registration lists. The FBI issued this warning to raise awareness of cyber vulnerabilities following penetrations of Illinois and Arizona voter registration lists in the lead up to the November 8 U.S. elections. According to David Kennedy of TrustedSec, the lack of sophistication of the attacks on these elections systems indicates that they may be preparatory, serving as a precursor to a larger attack. These hacks were significant, however, as hackers retrieved personal information on about 200,000 Illinois residents, leading state officials to shut down voter registration for 10 days.
Though the information stolen from these registration lists was public information, the fact that hackers exploited vulnerabilities in state elections systems poses unique concerns for the legitimacy of outcomes in future U.S. elections. The Obama administration identified these concerns prior to the Illinois and Arizona hacks when Secretary of the Department of Homeland Security (DHS), Jeh Johnson, entertained the idea of classifying state elections systems as critical infrastructure (CI). In the event DHS formed a new CI sector for elections systems, it would join sixteen existing CI sectors, which range from the Energy Sector to the Transportation Systems Sector.
Pursuant to Presidential Policy Directive 21 (PPD-21), the DHS Secretary may designate specific sectors of the U.S. economy as CI sectors, which are defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” When this classification occurs, PPD-21 provides for DHS to enhance sector resiliency by maintaining “national critical infrastructure centers,” coordinating with various governmental agencies through information sharing and technical assistance, and providing comprehensive preparedness standards and emergency planning devices for that specific sector. In addition, each CI sector is assigned to a sector-specific agency (SSA), which operates as a facilitator between the state and federal governments in information sharing and logistical support.
The Current State of U.S. Elections Systems
The current framework for U.S. elections systems is derived from Article 1 Section 4 Clause 1 of the U.S. Constitution, which reads “[t]he Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such Regulations, except as to the Place of Chusing Senators.” Traditionally, states predominantly held control of selecting the manner in which federal elections were executed, subject to congressional action. In the latter half of the 20th century, Congress increased its oversight of elections through implementing legislation like the Voting Rights Act, usually to curtail state discriminatory practices against the voting rights of minorities. However, to a large extent, individual states still control the oversight of federal elections, including technologies like voting booths and voter registration lists.
U.S. elections systems dramatically changed after the controversial 2000 presidential election and corresponding recount of ballots in Florida. Upon entering office, President George W. Bush sought to reform U.S. elections systems to avoid future confusion in presidential elections. As part of this initiative, Congress passed The Help America Vote Act of 2002 (HAVA) which, inter alia, provided for the creation of the Election Assistance Commission (EAC). The HAVA provides mandatory minimum standards for states to following regarding elections systems in an attempt to avoid issues similar to the 2000 election. The HAVA also mandates the EAC—with support from the National Institute of Standards and Technology (NIST)—to perform the regulatory tasks of certifying elections-systems technologies, forming guidelines for elections systems, and maintaining the National Voter Registration form. Although the HAVA increases the role of the federal government in elections systems oversight, much of the HAVA and EAC’s role is in defining enhanced voter security through voluntary guidelines and suggestions, like the Voluntary Voting System Guidelines (VVSGs). State regulation is still the most significant form of elections systems protection.
Potential Cyber Vulnerabilities for Elections Systems
Members of Congress have voiced their concern over whether elections systems in the United States are protected against devastating cyberattacks. As a result of the cyberattack on the Democratic National Committee’s (DNC) server, purportedly conducted by the Russian government, Democratic Congressman Hank Johnson proposed two separate bills to combat cyberattacks against elections systems. Both bills include provisions to enhance elections-systems security against cyber activities to protect the integrity of U.S. elections. Congressman Johnson’s introduction of these bills raises a question of whether elections systems are in fact vulnerable to cyberattacks similar to the attack on the DNC or the attacks on the Illinois and Arizona voter registration lists. If so, then the federal regulations presented by Congressman Johnson, which include mandatory changes to voting technology and centralized oversight, may be warranted.
Like any technical system, elections systems face the potential harm posed by hackers, whether they are independent or state-sponsored. Hackers need only gain access to software used in voting booths or electronic aggregations of voter information to wreak havoc on election results. Yet, voting via the Internet is not a reality in the United States; individual states use various forms of handwritten, electronic, or quasi-electronic ballots to cast votes. Differences do exist between typical cyberattacks and potential attacks against elections systems, however. For instance, the DNC hackers exploited vulnerabilities in the DNC’s network server via the Internet. The major difference between the DNC hack and potential issues with elections systems are that voting booths are not connected to the Internet, while voter aggregation systems on the county and state levels are also not connected to the Internet. To be sure, the potential does exist for hackers to exploit vulnerabilities in computers used to aggregate votes if they become connected to the Internet, which Professor Andrew Appel of Princeton University believes is a real possibility. But, states implement procedures to ensure that these computers are by default not connected to the Internet.
Barring an inadvertent connection to the Internet, these computers (as well as electronic voting machines) must be compromised with a physical intrusion, much like how Bradley Manning infiltrated military computers by using compact discs to send information to WikiLeaks. Professor Appel, along with several graduate students, demonstrated the ease with which voting booths could be compromised—first by physically breaking into a voting booth, then replacing easily accessible ROM chips with ones containing malicious code. Professor Appel also demonstrated that similar vulnerabilities exist with software in voter aggregation computers by successfully installing malware. With proper access to these elections systems, independent or state-sponsored actors could disrupt American elections in a matter of minutes.
The Problem with a New CI Sector for Elections Systems
The speed and efficiency with which Professor Appel and his team could hack voting booths and voter aggregation computers is quite alarming. However, these successful attempts must be viewed in the context of the overall U.S. elections system. The term “elections system” is somewhat misleading since it implies a centralized and uniform process. To the contrary, as illustrated previously, elections systems in the United States are predominantly managed on the state and local levels. Furthermore, of the 50 states, only five exclusively use electronic voting booths without any form of additional paper trail. This is not to say that other states fail to use any form of electronic voting system; many states utilize either completely handwritten ballots or an electronic voting booth with or without a corresponding paper trail. However, the main issue regarding the protection of elections systems is what procedures and best practices provide the most resiliency against cyberattacks.
In the event that the DHS Secretary or Congress decides that elections systems should become a separate CI sector, a myriad of logistical and potentially constitutional issues arise. As stated, when DHS forms a new CI sector pursuant to PPD-21, DHS must create a new national CI center, formulate sector preparedness standards, and become the focal center for oversight and regulation. However, this potentially clashes with the U.S. Constitution since the states first and foremost hold the right to determine their own election procedures, subject to acts of Congress. Although the Supreme Court has not encountered this legal issue in the past, DHS may need a mandate from Congress to designate elections systems as a CI sector first.
In the event that DHS creates a new elections system CI sector, it also faces issues regarding a lack of diversity in cybersecurity. Currently, the elections system in the United States is quite diverse: many states allow individual counties to choose whether they will utilize electronic voting booths; others use only handwritten ballots; and some use electronic ballots that either include or exclude a paper trail. This diversity allows states to protect against individual or small numbers of cyberattacks resulting in vast and devastating consequences. If elections systems become a new CI sector, the potential exists for a top-down regulatory approach sanctioned by DHS that fails to fully realize the benefits of diversity in voting procedures. In addition, a new elections system CI sector would compete with the already existing EAC and NIST responsibilities for voter protection and enhancement on the federal level. With a new CI sector, DHS will compete with the EAC and NIST for federal money and influence over the electoral system. This could lead to confusion at both the federal and state levels over which preparedness standards must be met or disregarded, as well as lead to an unnecessary increase in federal spending.
Alternative Solutions with Existing Governmental Structures
Instead of forming a new elections system sector under PPD-21, both the state and federal governments should utilize existing governmental structures to enhance resiliency. For example, a CI sector of Government Facilities already exists, with DHS and the General Services Administration functioning as co-SSAs. The Government Facilities Sector could be modified to include a sub-sector for elections systems, as has already been achieved with Education Facilities and National Monuments and Icons. Also, the existing Multi-State Information Sharing & Analysis Center (MS-ISAC), which acts as “the focal point for threat prevention, protection, response and recovery for . . . state, local, tribal, and territorial  governments,” can become a major information sharing hub for elections systems resilience. The MS-ISAC’s expertise in cybersecurity issues on the state and local level can serve as a valuable tool for state and federal coordination and information sharing. In addition, the EAC’s VVSGs should be updated to reflect the evolution of voting technologies and security. This will allow the EAC and NIST to maintain their influence and expertise in elections system resiliency and protection. Finally, individual states should continue to experiment with various forms of elections systems technology. This offers one of the most practical solutions to improving resiliency in this sector. In the event of a successful massive cyberattack, the resulting damage will only affect at most those targeted states using electronic voting systems. Diversity in elections systems allows for reduced adverse effects.
Instead of pursuing the formation of new federal governmental structures, practitioners and governmental officials should prudently examine structures already in existence. These structures, some of which were mentioned previously, offer a solid foundation for protecting U.S. elections systems from independent and state-sponsored cyberattacks. While threats do exist for voter aggregation computers and electronic voting booths, hastily forming an entirely new CI sector may exacerbate problems without solving any issues. State and federal government funds would be better spent updating outdated voting technologies, expanding information sharing, and allowing states to continue experimenting with various technologies. In doing so, states will continue to increase protection for their own systems, as evident by the already common trend of re-implementing handwritten ballots. With increased cooperation and diversity, and not expanded top-down regulation, elections systems will become more resilient and protected.
Stephen Jackson received his juris doctor degree from George Mason University School of Law and is currently a Research Associate at the Center for Infrastructure and Protection at the George Mason University School of Business. The views and arguments expressed in this article are solely the author’s, and do not represent the views of the Center for Infrastructure and Protection or George Mason University.
 Dustin Volz & Jim Finkle, “FBI Detects Breaches Against Two State Voter Systems,” Reuters, Aug. 29, 2016, http://www.reuters.com/article/us-usa-election-cybersecurity-idUSKCN1141L4.
 Julie H. Davis, “U.S. Seeks to Protect Voting System from Cyberattacks,” N.Y. Times, Aug. 3, 2016, http://www.nytimes.com/2016/08/04/us/politics/us-seeks-to-protect-voting-system-against-cyberattacks.html.
 “Critical Infrastructure Sectors,” U.S. Department of Homeland Security, Oct. 27, 2015, https://www.dhs.gov/critical-infrastructure-sectors.
 Presidential Policy Directive-21: Critical Infrastructure Security and Resilience, Feb. 12, 2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
 U.S. Const. art. 1, § 4, cl. 1.
 “History of Federal Voting Rights Laws,” U.S. Department of Justice, updated Aug. 8, 2015, https://www.justice.gov/crt/history-federal-voting-rights-laws.
 These include: maintaining voter registration lists, adopting voter identification procedures, and updating voting technology. “Help America Vote Act,” U.S. Election Assistance Commission, http://www.eac.gov/about_the_eac/help_america_vote_act.aspx.
 “Rep. Johnson Introduces Bills to Protect Voting Systems, Integrity of Elections,” HankJohnson.house.gov, Sept. 21, 2016, https://hankjohnson.house.gov/media-center/press-releases/rep-johnson-introduces-bills-protect-voting-systems-integrity-elections.
 “Here’s What We Know about Russia and the DNC Hack,” Wired.com, July 27, 2016, https://www.wired.com/2016/07/heres-know-russia-dnc-hack/.
 Alex Halderman, “How to Hack an Election in 7 Minutes,” Politico, Aug. 5, 2016, http://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144.
 See e.g. “Guidance on Electronic Voting System Preparation and Security,” Pennsylvania Department of State (2016), http://www.dos.pa.gov/VotingElections/OtherServicesEvents/Documents/DOS%20Guidance%20Electronic%20Voting%20System%20Security%2009232016.pdf.
 David Leigh, “How 250,000 US Embassy Cables Were Leaked,” The Guardian, Nov. 28, 2010, https://www.theguardian.com/world/2010/nov/28/how-us-embassy-cables-leaked.
 Halderman, supra note 14.
 “Voting Methods and Equipment by State,” Ballotpedia, https://ballotpedia.org/Voting_methods_and_equipment_by_state.
 U.S. Const. art. 1, § 4, cl. 1.
Write to the Editors at firstname.lastname@example.org