Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Sept. 28 — State election systems' cybersecurity is important to ensure election integrity and voter confidence after recent cyberattacks against political organizations and the technology sector, House lawmakers heard at a Sept. 28 hearing.
The hearing comes after high-profile attacks against the Democratic National Committee (15 PVLR 1606, 8/8/16), state election databases (15 PVLR 1764, 9/5/16) and Yahoo! Inc. (15 PVLR 1881, 9/26/16) gained national attention.
Cybersecurity threats have garnered enough attention that it was discussed during the 2016 presidential debate. Although many cybersecurity researchers, national security officials and Democratic nominee Hillary Clinton say that state-sponsored hackers, specifically Russia, were behind the attacks, Republican nominee Donald J. Trump refused to point fingers at a specific hacking group .
Regardless of which party is responsible for the high-profile attacks, state and local officials should distinguish between “real threats” and ones based on “sensationalistic rhetoric,” Lawrence Norden, deputy director of the Brennan Center for Justice at New York University, said at the hearing. The real risk isn't to the outcome of the upcoming election, or to local election results, but rather to the public confidence in voting machines, he said.
In response, the Department of Homeland Security has increased efforts to help state and local officials combat cyberattacks even if the threat is only to public confidence.
Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said at the hearing that it is the “fundamental right” of U.S. citizens “to have their voice heard” in elections. To help ensure this right, the DHS has partnered with state and local officials by offering cybersecurity best practices, increased cyberthreat information sharing and assisting stake holders in incident response after a data breach, he said.
State and local governments need to realize that “in the field of cybersecurity we must always be vigilant and never relax,” Ozment said.
Whether voters should have confidence in the upcoming election may come down to the complexity of the voting system.
Thomas Hicks, chairman of the U.S. Election Assistance Commission, said that the U.S. election systems is secure and that voters should have confidence in the upcoming election because there is no national or uniform system for hackers to infiltrate.
Additionally, a hacking attack against one state election system may allow other states to increase the cybersecurity of their own ballot boxes after an attack, Hicks said. A breach in one state won't compromise voting data in another state, he said. State data breaches allow other states to step up and have their respective officials do system security checks, he said.
Although the panelists all denied that a cyberattack will change the outcome of the 2016 election, there is still disagreement over whether the election system is vulnerable.
Rep. Ted Lieu (D-Calif.) wasn't convinced that the hacking of one election system won't have a material impact on other states' systems. If the ballot of just one swing state, even just one county, is influenced then the outcome of the national election may be compromised, he said.
In response, Hicks said that it would take a “tremendous amount of people” to hack into a election system and that he is confident that a hack won't happen.
Lieu, a “recovering computer science major,” disagreed with Hicks assessment. He pointed to a prior report from Symantec Corp. that the cybersecurity company was able to easily hack into an electronic voting system. A Symantec official said that the voting machine was “vulnerable” to both physical and digital breaches (15 PVLR 1855, 9/19/16).
Ensuring cybersecurity on the state election level has also drawn the concern of privacy advocacy group the Electronic Privacy Information Center (EPIC).
EPIC's main point of concern is the increased risk of cyberattacks for states that want to allow voters to cast their ballot online, the privacy advocacy group said in a Sept. 28 letter to the House Information Technology subcommittee.
The privacy advocacy group pointed out that states that have adopted online balloting have hedged their bets against cyberattacks. Alaskan officials told voters who used the online system that they are waiving their “right to a secret ballot and are assuming the risk that a faulty transmission may occur.” EPIC pointed out that a physical voting machine with that kind of warning “would be unacceptable” to the public.
Andrew W. Appel, computer science professor at Princeton University, echoed the concerns of EPIC. At the hearing, Appel said that “at a minimum” he would push for congressional action to eliminate touch screen voting machines due to the cybersecurity risks they pose compared to their optical scanning counterparts.
Touch screen voting machines have higher cybersecurity risks because after the vote there is no “paper ballot to count” in case of any computer based election tampering, Appel said. Additionally, these machines also rely on computer programs that may be easily hacked through compromised “ballot cartridges,” he said.
Any computer software engineer should be able to create a program that would harm the integrity of the voting system, Appel said.
Voting cybersecurity also gained the attention of the Senate Committee on Homeland Security and Governmental Affairs Sept. 27.
DHS Secretary Jeh Johnson at the hearing focused on threats to national security. The DHS has seen efforts of cyberattacks against “voter registration data maintained in state election systems,” he said. Although federal and state officials need to “be vigilant” in protecting election tampering, Johnson said he has “confidence in the overall integrity of our electoral systems.”
As of the hearing, “18 states have requested” the DHS' “assistance” with protecting state election systems, Johnson said. The DHS will work state and local election officials on cybersecurity and offer “risk and vulnerability assessments” in addition to an increased focus on sharing cyberthreat information with state and local officials.
The DHS “strongly encourages” more states and local government officials to take advantage of federal cybersecurity assistance, Johnson said.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Further information on the hearing is available at https://oversight.house.gov/hearing/cybersecurity-ensuring-integrity-ballot-box/.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)