Breach Preparedness , Cybersecurity , Data Breach
Should Political Parties Be Deemed Critical Infrastructure? DHS Secretary Jeh Johnson Moves to Protect Integrity of Voting System Homeland Security Secretary Jeh Johnson. Photo: DHSIn mulling whether to designate the U.S. electoral system as critical infrastructure, which could lead to beefed up cybersecurity protections, the question arises whether those safeguards should focus just on the voting process itself or be extended to other components, such as political parties.
See Also: How to Illuminate Data Risk to Avoid Financial Shocks
Homeland Security Secretary Jeh Johnson earlier this month suggested that the federal government should consider designating the electoral system as critical infrastructure following the revelation of breaches of various Democratic Party computer systems, with hackers tied to the Russian government being prime suspects (see Labeling U.S. Electoral Systems as Critical Infrastructure). Emails leaked from the hacks showed bias among top party leaders against the presidential candidacy of Sen. Bernie Sanders, and publication of those messages resulted in the resignation of the Democratic National Committee chairwoman, Rep. Debbie Wasserman Schultz of Florida.
But Johnson's recent actions in support of bolstering cybersecurity protections for the electoral system have focused on the more narrow voting process than the broader network of other stakeholders, such as political parties.
Johnson Meets with State Election Officials
At an Aug. 15 teleconference with state officials responsible for the voting process, Johnson offered them the assistance of DHS's National Cybersecurity and Communications Integration Center. NCCIC would conduct vulnerability scans, provide actionable information and access to other tools and resources for improving cybersecurity, according to a readout of the call.
The secretary said DHS is unaware of any specific and credible cybersecurity threats to the voting systems related to the upcoming presidential and congressional elections. Nevertheless, he announced his agency is convening a voting infrastructure cybersecurity action campaign with experts from all levels of government and the private sector to raise awareness of cybersecurity risks potentially affecting voting infrastructure and promote the security and resilience of the electoral process.
The Role of Political Parties
The hack of computers at the Democratic National Committee and Democratic Congressional Campaign Committee got Johnson started on publicly pondering elevating the electoral system to critical infrastructure. But should political party organizations be included in the definition of the electoral system?
Some in the cybersecurity community see the political parties as outside the system that could be labeled critical infrastructure. "They have no impact on citizen security, health and monetary systems," Robert Bigman, former CISO at the CIA, says in arguing against inclusion.
Bigman says the core of the electoral system could deserve critical infrastructure designation. Those central elements would include the Federal Election Committee and the 9,000 or so local and state government entities that run elections in the United States.
Sen. Tom Carper, the Delaware Democrat who serves as the ranking member of the Senate Homeland Security and Governmental Affairs Committee, encourages Johnson to explore designating the electoral system as critical infrastructure. And like Johnson, Carper cites the DNC and campaign committee hacks as rationale to elevate protections. "If these reports (of Russian hacks of Democratic Party computers) are accurate, such an intrusion raises concerns about the ability of foreign actors to interfere in the American political process during the upcoming election, including through cyberattacks targeting electronic voting machines or the information technology of state and local election officials," Carper writes in a letter to Johnson.
Safeguarding Integrity of Election Process
Clearly, designating the voting system as critical infrastructure is long overdue. It's at the core of our democracy, and safeguarding its integrity is vital. We wouldn't want the Russians, other nation-states or even political parties hacking systems used to run our elections.
But expanding the electoral system to include political parties and other political entities involved indirectly with the election process could prove problematic. "That's a tough call," says Malcolm Harkins, author of Managing Risk and Information Security: Protect to Enable and chief security and trust officer at the malware prevention provider Cylance. "Is a political action committee part of the electoral system?"
Harkins says critical infrastructure should only include the voting system because "it has direct material significant implications if the integrity or the availability or confidentiality of that system itself was manipulated."
Still, he recognizes that information systems operated by political parties and PACs, if exploited by a hacker, could have an adverse impact on the election process. "That, certainly, has some potential for manipulation that could sway things one way or another," he says. "But I think there's much more indirect impact."
Nevertheless, that indirect impact could have significant consequences on the integrity of the election process. So when considering the electoral system as critical infrastructure, the government shouldn't automatically rule out those indirect stakeholders.