Russia’s apparent efforts to influence the 2016 presidential election showed that the U.S. system is vulnerable to many cyber threats — and not just in the voting booth. It therefore seems inevitable that Russians and other potential actors will attempt to disrupt future U.S. elections, or at least work towards that option.
So how can Americans better protect our electoral infrastructure from cyber disruption? We will never achieve 100 percent security, of course, but officials can still do much to defend our election process. Here are six key steps that could bring dramatic improvements:
Change our mindset about the problem
Right now, our focus is on protecting individual voting machines from hackers who might change selections. But an election consists of far more infrastructure, including voter registration databases, voter lists for poll workers to check against and vote tallying systems. If a malicious actor succeeded in corrupting any of these systems, it could significantly undermine the electoral process.
Americans need to view the entire electoral infrastructure as a critical asset — like a power grid or communications network — deserving of the same attention and resources. Officials must also consider non-cybersecurity, low-tech approaches such as ensuring that the voting process produces a clear, checkable paper trail that is kept for an extended period of time after the vote.
Adopt a risk-management approach
Though we can never entirely eliminate the threat, we can manage risk to bring threats down to an acceptable level.
Consider what the National Institute of Standards and Technology Cybersecurity Framework is doing to help business. It advises executives so they can think about cybersecurity in risk-management terms — the same way they might view litigation risk or the likelihood of natural disasters. It shifts the focus from treating cyber threats as a technical problem to be solved to seeing them as a long-term risk to be mitigated.
This framework helps corporate executives think through the problem and determine how to allocate resources. It might be, for example, that upgrading all voting machines does not result in the largest marginal return on a cybersecurity dollar. Instead, jurisdictions might reduce their risk more by increasing the resilience to tampering of voter registration databases or enabling backup methods for vote tallying if primary systems are knocked off-line.
By adopting a risk-management framework, electoral officials would have an analytic foundation for making these kinds of decisions.
Make cybersecurity a priority
Top election officials should make clear that election infrastructure cybersecurity is a priority and that they plan to hold themselves and their staff accountable. Raffi Krikorian, the new chief technology officer for the Democratic National Committee is taking this to heart. He recently spoke to WIRED about how he’s improving security for his party’s infrastructure.
The corporate world has shown that when a chief executive and other top-level officials make cybersecurity a priority, the company’s security posture improves. New York State recently passed cybersecurity rules requiring financial services companies to hire a chief information security officer and have a specific board member oversee cybersecurity compliance efforts.
Accountability is also crucial. Not in the sense of a “zero tolerance” policy for intrusions — because that’s a recipe for failure. You can, however, hold people accountable for implementing sound risk-management plans and being diligent in addressing risks. The New York regulations require financial institutions that suffer material breaches to notify the state’s Department of Financial Services within 72 hours of discovering the entry.