Stanford CIS

The Security Debt Is Coming Due

By Brian Nussbaum on

There’s something particularly unusual about the recent revelations that foreign hackers successfully breached voter registration systems in Arizona and Illinois.

It’s not just the intriguing possibility of Russian involvement. Nor is it that FBI and Department of Homeland Security officials took the notable step of confirming the penetration and warning state election boards to conduct vulnerability scans.

It’s that the targets of the hacks—state and local election data—don’t have the same obvious incentives as attacks before them. Missing are the monetary rewards for the perpetrators of large retail data breaches; lacking is the espionage value of a hack like the massive compromise of data from the Office of Personnel Management. Instead, these intrusions target the system at the heart of our democracy, and the incidents are rightly being treated as a very serious problem. But how do we fix it?

For his part, DHS director Jeh Johnson has discussed the idea of including U.S. voting systems on the list of federally designated “critical infrastructure”—a protective designation it gives to resources such as nuclear power plants, banking and finance systems, and the electrical grid. However, unlike our nuclear or financial systems, both the institutional and network infrastructures that underpin our local elections have been cobbled together in troubling ways: They were done incredibly cheaply, over years and numerous eras of technology, and with virtually no standardization or even minimum security practices.

To be clear, it would actually be very hard for hackers to meaningfully alter a national vote count given our decentralized election systems. (As Johnson himself pointed out after the August state breaches, we’ve got some 9,000 jurisdictions at the state and local level involved in the process.) But changed ballots aren’t the only meaningful consequences that can result from such attacks. Other less clear costs—from weakened public confidence in election results to increased auditing expenses—pose serious concerns. Assessing this impact will be challenging, as will making changes to prevent future hacks. The vulnerabilities exposed by the Illinois and Arizona breaches, and credible concerns about the possibility of new ones, have exposed just how behind state and local governments are when it comes to protecting their systems and data.

Read the full piece at Slate.