Opinion: How to make democracy harder to hack
With听the alleged听听of the Democratic National Convention email servers, and听听expected over the coming months that could influence an election,听the听drama of the 2016 US presidential race highlights an important point: Nefarious hackers don't just pose a risk to vulnerable companies, cyberattacks can potentially effect the future of the free world.听
And the trouble does not stop with the DNC. As and other outlets reported, what has been lost in the torrent of reporting on attributing the DNC hack are the latent vulnerabilities replete throughout our election infrastructure 鈥 including voting machines.
Unfortunately, we're not treating听voting machines as the core pieces of critical infrastructure that they are, on either a national or global level.听
What counts as 鈥渃ritical infrastructure鈥 is often in the eye of the beholder. In the US, there are 16 critical infrastructure sectors designated by the , ranging from finance to healthcare. In the European Union, 听罢丑别 distinction matters because when something is designated as 鈥渃ritical,鈥 regulation is more likely to follow.
Yet, so far, the machinery undergirding our democratic institutions has not received the same level of scrutiny as other critical infrastructure sectors such as our power lines and wastewater plants. That is despite a long, international history of attacks on voting machines and databases going back as far as 1994 in (when Nelson Mandela鈥檚 victory was initially diluted because of fraud). Even in the US as recently as 2012 during a in DC to test online voting, researchers from the University of Michigan were able to hack the government website so that the University鈥檚 fight song would play after a vote was cast.
To put it plainly, voting is in many ways just as important to our long-term prosperity as functioning telecom networks and financial systems. A first step in recognizing this reality would be for the DHS to explicitly include voting booths and affiliated networks as democratic critical infrastructure, potentially as part of the already recognized 鈥溾 sector.
This move would help pave the way for National Institute for Standards and Technology, in collaboration with industry, to craft cybersecurity best practices to help jurisdictions across the nation navigate the often confusing choices between voting technology providers. In fact, the choice is so muddled that some cities 鈥 including 听鈥 have developed their own systems incorporating various combinations of touch screens and paper ballots.
At the global level, it's听time to build on the positive progress that has been made in international cybersecurity norm building (e.g., establishing rules of the road for how nations 鈥 and companies under their jurisdiction 鈥 should behave online) by adding in election machinery to our emerging understanding of critical infrastructure.
听罢丑别 between the US and China, for example, calls for mutual restraint in economic cyberespionage, particularly the theft of trade secrets. It could be expanded to include mutual respect for one another鈥檚 political parties and election infrastructure; a topic held dearly by the Chinese leadership.听
Similarly, the continued its work on cybersecurity in 2016, publishing its view that 鈥渘o country should conduct or knowingly support [information and communication technology-enabled] theft of intellectual property鈥 and that all G7 nations should work to "preserve the global nature of the Internet" including the free flow of information in a nod to the notion of cyberspace as a 鈥済lobal networked commons.鈥 Such information could explicitly include data on candidates and norms against outside interference with domestic elections.
Finally, the US proposed three peacetime norms that were accepted for inclusion in the 2015 听consensus report, which included language on protecting critical infrastructure, safeguarding computer security incident response teams, and collaborating on cybercrime investigations. This critical infrastructure norm 鈥 to which many of the cyberpowers, including Russia, have already agreed 鈥 could be leveraged to explicitly include elections.
When we flip a switch, we expect the lights to come on. When we pull a lever, or touch a screen, we expect our vote to accurately be recorded. And when we debate about the next US president, we expect that dialogue to be free of foreign entanglements. A first step in realizing these goals 鈥 and ensuring that the 2016 DNC hack, or worse, is not repeated in 2020, and 2024 鈥 is by recognizing our democratic machinery as being at least as important as our industrial machinery.听
Scott Shackelford is an associate professor at Indiana University as well as a research fellow at the Harvard Kennedy School鈥檚 Belfer Center for Science and International Affairs, and a senior fellow at the Center for Applied Cybersecurity Research. Professor Shackelford鈥檚 research is available .
听
