I’ve been warning against a rush to take DHS secretary Jeh Johnson up on his proposal to declare state voting systems “critical national infrastructure.”
Johnson’s plan would allow the federal government to essentially take over the state voting systems, by administering standards for their performance even more actively than is already the case under the Help America Vote Act of 2002.
My chief concern so far has been that the integrity of these systems should not be entrusted to a central, federal authority. I’d say this no matter who was in the White House, because it’s just a bad idea. It centralizes the power to affect every election in the country, in a way there can be no effective checks and balances on. In the case of the Obama administration, it would be setting the fox to guard the hen house. The states need to retain control of their voting systems. And the less centralized the standard-setters and the vendors are, the better.
But this weekend, WND pointed out another reason to be leery of Johnson’s plan. A WND article cites Philip Haney, the former DHS analyst and whistleblower, reminding us that DHS itself has been the target of high-profile hacking. Jeh Johnson’s interest in declaring voting systems “critical infrastructure” has reportedly increased with the FBI’s revelation that hackers penetrated the state election boards of Arizona and Illinois.* What they gained access to was the voter registration database in each state. But DHS has also been targeted successfully by hackers, including within the last year.
In the WND article, the instance Philip Haney refers to is the massive hack of the federal Office of Personnel Management in 2014-15, which affected nearly 22 million current and former federal workers, including thousands at DHS. But DHS was hacked in a different case more recently. In that case, a group of apparently independent foreign hackers (including at least one 16-year-old) gained access to DHS and DOJ records, and published personal information about 9,000 federal employees. The hack was reported in February 2016.
DHS’s track record with hacking hasn’t been impressive. It’s interesting to note that the state election board hacks were accomplished through the method called “SQL injection.” The reason that’s interesting is that the method has been a known vulnerability for two decades – and DHS was itself hacked by SQL injection attacks in 2008 and 2012.
Yet an audit done by the agency’s Inspector General in 2015 revealed that DHS was deficient in guarding against attacks by SQL injection, having failed to implement adequate precautions against those and other forms of cyberattack.
It’s all very well to condescendingly assure skeptics that DHS would of course do better than that in preparing to secure America’s voting infrastructure. But what was stopping the agency from doing better at securing sensitive things like the personnel data of ICE and CBP, between 2008 and 2015?
It’s a legitimate question, why we should let control of our voting systems become centralized in a federal agency, when neither that agency nor most of the rest of the federal government has a respectable record of avoiding cyber-intrusion. It’s quite possible that centralizing control of our voting systems would just make life easier for hackers. That’s a serious and valid point. If cyberattacks are as hard to ward off as they seem to be, less centralization is inherently better.
* Here, it’s important to keep in mind that the state election board websites are not inherently “voting systems,” which typically are administered separately. There may be electronic connections between them, but they’re not the same thing. So don’t let the hacking of state administrators’ websites mislead you to believe that the computer you cast your vote on has necessarily been hacked.
It might be possible for someone to use voter registration data from the state election board database to enter false votes into the voting system itself. But that would require penetrating another system. Such penetration is possible, of course, but if it has happened, it hasn’t been reported.