Critical Infrastructure Security, Incident Response, TDR, Vulnerability Management

U.S. government extends offer to protect states from electoral cyberthreats

In a move to quell fears that the electoral process could be hacked and manipulated this November, the U.S. government has pledged to provide states with federal resources and assistance to help manage voting cyber risks. The development is a potential precursor to the Obama administration officially declaring the U.S. electoral system as critical infrastructure, which would subject the process to greater federal oversight.

In a call earlier this week, Secretary of Homeland Security Jeh Johnson reassured members of the National Association of Secretaries of State (NASS) and other election officials that the federal government is ready and willing to provide them access to cybersecurity expertise, information, and services, including vulnerability scans of their networks and voter registration databases. Moreover, the U.S. administration will brief election officials on relevant cyberthreats, as needed.

“We did ask if there was any credible threat and the answer was no,” said Leslie Reynolds, executive director of NASS, in an interview with

Pamela Smith, president of election watchdog group Verified Voting, told that the DHS' collaboration with state and local voting officials almost certainly won't lead to districts “changing election systems” or “adopting different procedures” at this late stage of the game. But still, “People didn't know that these [U.S. government] services were available and having this meeting was a way of saying ‘We do this.'”

The Election Assistance Commission, the Department of Commerce's National Institute for Standards and Technology (NIST), and the Department of Justice (DOJ) also joined the call, which was likely prompted by a confluence of election controversies.

For example, the recent hacks of the Democratic National Committee and presidential candidate Hillary Clinton, combined with Republican nominee Donald Trump's contention that the 2016 election results could be rigged against him, have prompted rampant speculation over whether hackers could manipulate a U.S. election. Smith told that while the timing of DHS' latest announcement may have been “forced a bit by some of the public commentary,” the extra help is nevertheless welcomed, especially in economically struggling districts that don't have a full-time election official or a top-notch IT staff.

In truth, a preponderance of cybersecurity experts has dismissed the scenario of hackers electronically altering citizens' ballots as highly unlikely because voting machines at polling stations are not Internet-connected, and because individual jurisdictions rely on vastly different systems and procedures to record votes. “There's no centralized point of vulnerability here,” said Smith.

Hackers could theoretically breach a voter registration database and tamper with its records in an attempt to prevent citizens in certain precincts from voting, but there are paper-based back-ups and fail-safes to thwart such tactics as well, Reynolds explained.

“It would not manipulate the outcome. It would just slow everything down,” said Reynolds. “Democracy is safe.”

Still, the U.S. government is now considering classifying its electoral system as critical infrastructure, thereby placing it under the protective purview of DHS or another federal agency. DHS Secretary Johnson acknowledged the possibility in early August, shortly after global thought leadership organization The Aspen Institute issued a statement publicly condemning the DNC attack and insisting that “Voting processes and results must receive security akin to that we expect for critical infrastructure.”

Sen. Tom Carper (D-Del), ranking member of the Senate Homeland Security Committee, published an open letter to Johnson shortly after the Secretary's public remarks, asserting that “Designating election systems as critical infrastructure could improve and expand our nation's ability to prevent and to respond to potential cyberattacks originating both from inside or outside our borders.”

On the other hand, the NASS' Reynolds acknowledged that some state and local election officials are wary about being overregulated by the federal government, and would prefer that any such transition “move slowly.”

Still, there is logic behind the idea, said Smith, noting that a sound election process is critical to the “peace exchange of power in democracy.”

Even if hackers cannot necessarily change vote tallies, it does not mean they can't inflict damage. Certainly, they can cast doubt on the veracity of electoral results by hacking candidates' online assets, exposing vulnerabilities in government networks and servers, and even violating voters' privacy.

Case in point: Verified Voting, the Electronic Privacy Information Center (EPIC) and Common Cause jointly released a report yesterday warning of security deficiencies in electronic voting mechanisms that could expose individuals' voting histories – information that could be held against them by future employers, for instance.

According to the report, 32 states and the District of Columbia allow military and overseas voters to cast their ballots by some combination of email, fax or Internet portal. (Alaska and Utah also allow electronic voting for all absentee voters and disabled voters, respectively.) But “because of current technological limitations, and the unique challenges of running public elections, it is impossible to maintain separation of voters' identities from their votes when Internet voting is used,” the report continues. Consequently, 28 states as well as Washington, DC require electronic voters to sign waiver forgoing their right to a secret ballot.

“The secret ballot is cornerstone of our democracy,” said Caitriona Fitzgerald, State Policy Coordinator at EPIC, in an interview with “If privacy gets called into question in a voter's mind, it could impact people's desire to vote,” which could indirectly impact election results by suppressing voter turnout.

Asked if electronic voting methods would ever be secure enough to protect voters' records, Fitzgerald said it is a complicated problem, noting that at some point, a person's vote has to be officially recorded and verified. “Voting can't be completely anonymous,” she said.

The report instead advises all voters to stick with manually marking and mailing printed absentee ballots.

Update 8/19: The story was updated to include additional quotes, and news of the report by Verified Voting, EPIC and Common Cause.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.