Hacking May Prompt Heightened US Election Security

US officials are weighing whether to designate elections as national critical infrastructure after recent hacking attacks on political groups, a move that would open up federal assistance to election officers around the country, Homeland Security Secretary Jeh Johnson said.

“We should carefully consider whether our election system, our election process, is critical infrastructure," Johnson told reporters recently at a breakfast sponsored by the Christian Science Monitor. "There’s a vital national interest in our election process."

The debate comes after hackers infiltrated the computer networks of the Democratic National Committee and the Democratic Congressional Campaign Committee in what cybersecurity experts call a broad operation by Russian operatives to infiltrate US political organizations. Hillary Clinton’s campaign said hackers also breached one of its data programs, adding that cybersecurity efforts found “no evidence” that internal systems were compromised.

The attacks, which the FBI is investigating, have spurred speculation that Russian President Vladimir Putin’s government is trying to meddle in and influence US elections, an assertion that officials in Moscow have repeatedly denied.

The breaches also revive a lingering debate over whether electronic voting systems, which have replaced paper ballots in many jurisdictions, could be hacked to manipulate the results. Republican presidential nominee Donald Trump said that he’s “afraid the election’s gonna be rigged,” although Republicans have focused mostly on potential fraud by ineligible voters.

Real Problem

Asked about the reports of Russia’s possible involvement in hacking, President Barack Obama said, “If in fact Russia engaged in this activity, it’s just one on a long list of issues that me and Mr. Putin talk about and that I’ve got a real problem with.”

Johnson said the US wasn’t yet prepared to attribute the attacks to any particular nation or group. Designating elections as critical infrastructure would put them on par with other vital national assets, such as the power grid and pipelines.

Presidential Policy Directive

White House Press Secretary Josh Earnest told reporters that members of the president’s national security team are discussing the proposal. "It’s important for the federal government to offer support to state and local governments" in their efforts, he said.

The Department of Homeland Security has the authority to designate what qualifies as critical infrastructure under Presidential Policy Directive 21 and Executive Order 13636, said Bruce McConnell, former DHS deputy undersecretary for cybersecurity. In reality, though, Johnson is vetting the proposal through the interagency process and floating it publicly to ensure it has support before making a final decision, he said.

"It’s not that they would take unilateral action but legally they have the authority to do this," said McConnell, who is now global vice president of the nonprofit EastWest Institute, based in New York.

November Election

It isn’t clear what difference such a designation would make on the upcoming November elections, as any new funding for security would have to be approved by Congress.

For this year’s elections, McConnell has recommended that DHS issue a security alert warning election officials of risks to their systems, advising them of the need to have an audit trail and paper backups, and calling on companies supplying voting machines and other equipment to go through independent audits with published results.

Designating voting systems as critical infrastructure also must be accompanied by specific ways to help state and local election official improve the security of their systems, such as through grant funding, said Larry Clinton, president of the Internet Security Alliance, a cybersecurity trade association.

"I just want to make sure nobody thinks there’s a magic wand that comes along with designating it as critical infrastructure," Clinton of the alliance said in an interview. "There has to be some actual money at the end of the pipeline."

The government could try to mandate security improvements as a condition of receiving funding, Clinton said. A better approach, he said, would be to offer incentives, as the government does to encourage states to improve the safety of highways.

Invest the Resources

"The point is, do you have an actual plan as to how to correct the problems and are you willing to invest the resources?" Clinton said. "We certainly hope this would not be more public relations than actual security."

In the short term, Johnson said he is considering working with election officials across the country with regard to what kind of “best practices” they can adopt to enhance cybersecurity.

"This is something that we’re very focused on right now," Johnson said. "There’s no one federal election system. There are some 9,000 jurisdictions across this country that are involved in the election process."

Bloomberg

 

« Banks Look Up To The Cloud
Hackers Help FBI Fight Cybercrime »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Lastline

Lastline

Lastline is the leader in advanced malware protection.

eScan AV

eScan AV

eScan develops Information Security solutions that provide protection against current and evolving cyber threats.

Kaseya

Kaseya

Kaseya is a premier provider of unified IT management and security software for managed service providers (MSPs) and small to medium-sized businesses (SMBS).

Research Institute in Science of Cyber Security (RISCS)

Research Institute in Science of Cyber Security (RISCS)

RISCS is focused on giving organisations more evidence, to allow them to make better decisions, aiding to the development of cybersecurity as a science.

Actiphy

Actiphy

Actiphy provides a tried and proven backup and disaster recovery software solution to ensure business continuity at all times.

Hyve

Hyve

Hyve provide a wide range of managed web hosting services including private, hybrid and public VMware cloud hosting.

CERTuy

CERTuy

CERTuy is the national Computer Emergency Response Team for Uruguay.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

Ethoca

Ethoca

Ethoca is a secure network for card issuers and merchants to connect and work cooperatively outside the payment network in a unique and powerful way.

NSA Career Development Programs

NSA Career Development Programs

NSA offers entry-level programs to help employees enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.

Neudomains

Neudomains

Neudomains is a Corporate Domain Name Management and Brand Protection Online Specialist. One of the world's top providers of online brand protection and enforcement.

US Cyber Range

US Cyber Range

US Cyber Range is a scalable, cloud-hosted infrastructure providing students with virtual environments for realistic, hands-on cybersecurity labs and exercises.

ACA Group

ACA Group

ACA Group are a leading governance, risk, and compliance (GRC) advisor in financial services.

NOW Insurance

NOW Insurance

NOW Insurance provides small business owners and other professional classes with a seamless purchasing experience for general liability, professional liability, and cybersecurity insurance coverage.

DataSixth Security Consulting

DataSixth Security Consulting

DataSixth delivers Cybersecurity Intelligence. With our unique capabilities, we’re able to deliver value, deliver answers, and deliver actionable security intelligence.

ReasonLabs

ReasonLabs

ReasonLabs have created a next-generation anti-virus that is enterprise grade, yet accessible to any personal device around the world.