President Trump has signed into law a bill that makes hacking election systems a federal crime, a move some security experts hope will warn off potential cyberattacks.
The House of Representatives passed the Defending the Integrity of Voting Systems Act by voice vote on Sept. 21, more than a year after it passed in the Senate. The law brings electronic voting systems under the federal Computer Fraud and Abuse Act, or the CFAA, allowing prison terms of up to 20 years.
The bill’s language was initially recommended in a 2018 Cyber-Digital Task Force report from the Department of Justice. Before the bill was passed, it was unclear whether hacking voting systems was covered by the Computer Fraud and Abuse Act, said Ken Underhill, CEO of cybersecurity consulting firm K&L Tech.
“Hacking election systems wasn’t specifically covered in the CFAA, and the concern was that since voting systems are not traditionally connected to the internet, there might be room for interpretation in the current law that would allow for a loophole for a defense team,” he told the Washington Examiner.
Before the new law passed, the Computer Fraud and Abuse Act did not prohibit the act of hacking a voting machine “in many common situations” because such machines are not typically connected to the internet, the DOJ report said. “Consequently, should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.” Hacking a voting machine could, however, violate other criminal laws, the report noted.
Although it might not have an impact on the 2020 election, the new law could have some positive effects, Underhill added. The new law “allows for more resources to be thrown” at election hacking, as well as harsh penalties, he said.
However, many hackers targeting the U.S. election live overseas in countries that aren’t interested in bringing charges against them, he added. “This legislation might keep some script kiddies from trying it, but I don’t see any measurable effect from this law change in keeping real criminal hackers from election system interference,” Underhill said.
The law’s importance is the message it sends, added Greg Touhill, president of cybersecurity firm Appgate Federal Group and former chief information security officer under President Barack Obama. “This represents a signal to anyone thinking about messing with any American election system, regardless of the state, territory, etc., that the full weight and power of the entire United States will come for you if you engage in the criminal behavior stipulated under the law,” he told the Washington Examiner.
Before the new law passed, more than 30 states had laws against hacking or tampering with election systems, noted Armando Seay, co-founder of the Maryland Innovation and Security Institute and a director at DreamPort, a cyber mission accelerator.
However, the new law may help the fight against election hackers, he told the Washington Examiner.
“In my opinion, the federal crime component elevates and nationalizes the consequences of hacking any voting system and adds a national ability to prosecute hackers who commit the crime regardless of state laws,” he said.
Unlike Touhill, Seay said he sees the law as having benefits for the 2020 elections.
“Any additional consequences that can be imposed on state actors, nation-state actors, or ‘hacktivists’ to deter them from hacking election systems or prosecute hackers can only help,” he said.
Seay noted that while the law covers election hacking, disinformation remains a considerable problem. “It is easier to hack a human through disinformation campaigns by U.S. political activists or by foreign actors than it is to hack voting systems that are part of the diverse and broad U.S. election infrastructure,” he said.
However, one security expert suggested the new law may be used to target legitimate security researchers.
“The biggest impact is more likely to be to chill and potentially criminalize the actions of good-faith hackers conducting security research to help secure the election process,” said Casey Ellis, chairman, co-founder, and CTO of cybersecurity firm Bugcrowd.
“If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers — who are ignoring these laws, to begin with — have an open field to exploit undiscovered vulnerabilities within voting systems,” he told the Washington Examiner.