In January, Secretary of Homeland Security Jeh Johnson announced: “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law.” With this one statement, the nation’s election infrastructure was firmly placed for the first time on equal footing with other parts of America’s critical infrastructure such as emergency services, nuclear reactors, and water systems. While this was a welcome designation, events that unfolded in late July demonstrated just how vulnerable this infrastructure really is. With the ongoing controversy surrounding the integrity of our nation’s voting systems, hackers at the 25th annual DEF CON computer security conference, held late last month in Las Vegas, were given an unprecedented opportunity to find and exploit possible vulnerabilities in a variety of voting systems supplied by organizers of the show.
… This leads to the logical question of what to do next. I would suggest a two-step approach. Step one would be a simple acknowledgement that hacking of these machines is an inevitability. This sounds counterintuitive, but making this simple statement fosters a different way of thinking about how to approach the problem. This doesn’t mean that vendors and government officials shouldn’t try to prevent these hacks through improved security policies and protocols; it simply means that we won’t assume these techniques will be foolproof.
Step two then involves focusing efforts on mitigating the impact of the inevitable breach. For starters, the application of standard security recommendations for any piece of electronic equipment — updating software, applying patches, using multi-factor authentication, etc. — is certainly necessary. However, for voting systems being treated as critical infrastructure, these tactics alone are not sufficient. What is also needed is the creation of a last layer of defense that will protect both voter information and the votes themselves from the inevitable hack.