It comes as a surprise to many members of Congress, and the general public, that the nation’s electoral system isn’t formally regarded as critical infrastructure. But whether such a designation would impact the cybersecurity of electronic ballot boxes is an open question.
With Russian hacks apparently targeting the U.S. political system, lawmakers on Capitol Hill have been showing an intense interest in the cybersecurity of American polling places.
“Shouldn’t the election of our leaders be considered critical?” Senate Armed Services Chairman John McCain, R-Ariz., demanded at a hearing last week. It seemed like such a no-brainer that an exasperated McCain added, “Why are we even having this discussion?”
Adm. Michael Rogers — head of the National Security Agency and Cyber Command, who appeared at the Sept. 13 hearing — explained that critical infrastructure designations have mostly been applied to “industrial systems” like the electricity grid and telecom systems, but senators were unappeased.
“I would hope there will be a move to characterize industrial systems as critical infrastructure,” said Sen. Richard Blumenthal, D-Conn., a committee member.
Under Secretary of Defense for Intelligence Marcel Lettre, who also appeared before the committee, agreed under questioning that there was “a need to consider that.”
Rogers added that the discussion “raises a broader question of what is really critical in the cyberworld. We’ve been thinking of it in a traditional industrial way.”
But as the North Korean hack of Sony Pictures revealed in late 2014, attacks on virtually any part of the U.S. economy can have dramatic consequences.
House Homeland Security Chairman Michael McCaul, R-Texas, and Senate Homeland Security and Governmental Affairs ranking member Tom Carper, D-Del., last week both issued calls for the Department of Homeland Security to take steps before the upcoming elections to ensure the integrity of the nation’s ballot boxes against cyberattacks.
McCaul stressed that the administration needs to “have a plan” for securing the electoral system and to make it clearly known immediately.
Both McCaul and Carper stressed that federal officials need to quickly reassure voters that they are cyber-safe heading into the voting booth.
That need generated the discussion on a critical-infrastructure designation at the Senate Armed Services hearing. But DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment at a different hearing said that wasn’t in the works, at least prior to the election.
Instead, DHS Secretary Johnson issued a statement on Sept. 16 saying: “The Department of Homeland Security stands ready to assist state and local election officials in protecting their systems. In our cybersecurity mission, this is the nature of what we do — offer and provide assistance upon request.
“We do this for private businesses and other entities across the spectrum of the private and public sectors. This includes the most cybersecurity-sophisticated businesses in Corporate America.”
Johnson listed six services the department offers to state and local election officials, including cyberhygiene scans, risk and vulnerability assessments, information sharing, the services of the National Cybersecurity and Communications Integration Center, sharing best practices and “field-based” cybersecurity advisers.
Would a critical-infrastructure designation add to this? Many industry observers doubt it. One source said it would allow government officials to “check a box” that they had “done something” to secure the election system, but the practical effects would be negligible.
The Defense Department’s Lettre noted at the Armed Services hearing that the recent Presidential Policy Directive-41 addresses responses to attacks on entities designated as critical infrastructure. In the case of electoral systems, that would theoretically involve designating DHS as the sector-specific agency and giving the department a centralized coordinating role in a response.
But in practical terms, it would probably mean carrying on with the type of assistance Secretary Johnson described last week.
Whether this critical-infrastructure designation step is taken or not, federal officials and lawmakers from both parties clearly see a need for some kind of confidence-inspiring measures now in the run-up to Election Day.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
