WHY THIS MATTERS IN BRIEF
- With only 55% of the world’s population now living in democracies, it’s important that voters, governments, and other nations can trust the integrity of a country’s voting systems. While this move gives US election systems more protection, participation is voluntary, so we could still see breaches.
Citing increasingly sophisticated cyber bad actors and an election infrastructure that’s “vital to our national interests,” Homeland Security Secretary Jeh Johnson announced Friday that he’s designating US election systems as Critical National Infrastructure (CNI), a move that provides more federal help for state and local governments to keep their election systems safe from tampering.
“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of CNI, in fact and in law,” said Johnson, adding, “particularly in these times, this designation is simply the right and obvious thing to do.”
The determination came after months of review and despite opposition from many states worried that the designation would lead to increased federal regulation or oversight on the many decentralized and locally run voting systems across the country. It was announced on the same day a declassified US intelligence report said Russian President Vladimir Putin “ordered” an influence campaign in 2016 aimed at the U.S. presidential election.
The declassified report said that Russian intelligence services had “obtained and maintained access to elements of multiple U.S. state or local electoral boards.” None of the systems targeted or compromised was involved in vote tallying, the report said.
In 2013 a presidential directive identified 16 sectors as critical, including energy, financial services, healthcare, transportation, food and agriculture and communications, and the designation announced Friday places responsibilities on the Homeland Security secretary to identify and prioritise those sectors, considering physical and cyber threats against them. The secretary is also required to conduct security checks and provide information about emerging and imminent threats.
Such a change does not require presidential action; it only requires the secretary to first consult with the assistant to the president for homeland security and counterterrorism. Discussions about whether to designate election systems as CNI surfaced after hackers targeted the voter registration systems of more than 20 states in the months prior to the November election.
While the designation puts the responsibility for helping to secure CNI on the Department of Homeland Security, it doesn’t require CNI entities to participate, something which at the moment could cause a schism, especially as much of the nation’s critical infrastructure is in the private sector.
Johnson said election infrastructure included storage facilities, polling places and vote tabulation locations, plus technology involved in the process, including voter registration databases, voting machines and other systems used to manage the election process and report and display results.
The designation allows for information to be withheld from the public when state, local and private partners meet to discuss election infrastructure security – potentially injecting secrecy into an election process that’s traditionally and expressly a transparent process. US officials say such closed-door conversations allow for frank discussion that would prevent bad actors from learning about vulnerabilities. The DHS would also be able to grant security clearances when appropriate and provide more detailed threat information to states as appropriate.
The Obama administration has actively campaigned for international cyber rules for peacetime that would expressly prevent countries from conducting online activity that targets CNI, and last week the President used sanctions to retaliate against Russian efforts to meddle in the US election process. Meanwhile Rep. Bennie Thompson of Mississippi, who is the ranking Democrat on the House Committee on Homeland Security, commended Johnson’s action.
“In the long term, this will put our electoral systems on a more secure footing and maintain public confidence in our elections,” he said.
Rep. Jim Langevin, a Rhode Island Democrat and co-chairman of the Congressional Cybersecurity Caucus, said in a statement that the decision “demonstrates the vital need to ensure votes can’t be tampered with. We must also act as a nation to build our resilience against future information warfare attacks.”
Georgia Secretary of State Brian P. Kemp, who is a member of the US Election Infrastructure Cybersecurity Working Group run by DHS, is among those who have opposed the designation. Testifying in September to a House Oversight subcommittee, Kemp said more federal oversight could make systems more vulnerable and could make protected records more accessible.
When Johnson discussed the likelihood of the designation in a conference call with state officials on Thursday, Kemp called the action “a federal overreach into a sphere constitutionally reserved for the states,” and according to a copy of his comments released by his office, Kemp told Johnson on the phone that “this smacks of partisan politics” given the dwindling days left in the Obama administration.
Whichever way you view it though, with only 55% of the world’s population now living within democratic countries, it’s vital that the systems that underpin democracy are trustworthy, so in an age where cyber attacks are just getting started, and where artificial intelligence powered “Robo-hacking” will inevitably become more prevalent, this is an important step. How it’s governed though is another question entirely.