DHS: We May Declare Elections System 'Critical Infrastructure'

Voter databases were hacked in two states this week. According to Michael Isikoff of Yahoo! News, Illinois and Arizona had their residents’ voter data downloaded by parties reportedly associated with Russian intelligence. NBC News had more on the nature of the hacks:

The bulletin does not identify the targeted states, but officials told NBC News they were Illinois and Arizona. Illinois officials said in July that they shut down their state's voter registration after a hack. State officials said Monday the hackers downloaded information on as many 200,000 people.

State officials told the Chicago Tribune they were confident no voter record had been deleted or altered.

In Arizona, officials said, hackers tried to get in using malicious software but were unsuccessful. The state took its online voter registration down for nine days, beginning in late June, after malware was discovered on a county election official's computer. But the state concluded that the system was not successfully breached.

The Chicago Tribune reported that the number had been revised down to 90,000. This is some serious news, one that prompted Department of Homeland Security Secretary Jeh Johnson to consider whether DHS should consider our election system to be reclassified as “critical infrastructure” (via Paul Bedard/Washington Examiner):

We should carefully consider whether our election system, our election process, is critical infrastructure like the financial sector, like the power grid," Homeland Security Secretary Jeh Johnson said.

"There's a vital national interest in our election process, so I do think we need to consider whether it should be considered by my department and others critical infrastructure," he said at a media conference earlier this month hosted by the Christian Science Monitor.

DHS has a vital security role in 16 areas of critical infrastructure and they provide a model for what the department and Johnson could have in mind for the election.

DHS describes it this way on their website: "There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."

So, will Russian hackers, or any hacker, mess with America’s election? Not really, says Philip Bump and Amber Phillips of The Washington Post. This was mainly a security threat to voter databases, not the actual process in which state boards certify results, which has encryption protocols. The two reported noted that what the Florida State Association Of Supervisors Of Elections wrote in response to the hacks that detailed how results are protected (via WaPo):

Before each election, a public test of the tabulating system is conducted to ensure that the machines are functioning as expected. King describes this process (which is not unique to Florida) as "an opportunity for members of the public and media to come and observe the ballot is correct and it can capture voter intent correctly and can tabulate it."
On election night, results are encoded with multiple layers of encryption and transmitted to a central gathering point.
Voting machines themselves are not connected to the Internet, preventing them all from being hacked at once.
Thumb drives with results are also transmitted to the central location. Those drives are digitally signed and secured before Election Day, preventing their being replaced with a drive from somewhere else.
If there are any corrupted or unusually slow results transmitted to the central location, the results from the thumb drives are used.
Election night totals are transmitted to the state as unofficial results via both an encrypted device and over a separate network system.
A week after the election, the results in each precinct are reviewed by looking at the paper totals. Any discrepancies are "researched and noted." The Florida vote is backed up by paper ballots (which isn't the case everywhere), facilitating that research.
Only once those checks are complete is the result certified.

That's the process that needs to be hacked to directly change the results of the election, not a hack of the voter registration database. There are hundreds of similar setups in all 50 states that similarly flow upward to state agencies. That distribution is an asset, not a flaw.

The bad news is that voters targeted in these types of hacks could be subject to fraud. Again, it’s not a good situation. It’s a serious security concern, but unlikely to impact our elections in a way to see them break down under the threats of cyber warfare, though I know that’s not going to put everyone at ease.