Elections are a Cybersecurity Problem
My good friend, Herb Lin, has suggested that “election interference is not a cybersecurity issue.” His point, with which I completely agree, is that Russia's meddling in the 2016 election was not the product of cybersecurity failures. To the extent it relied on manipulation of social media it was, obviously, an influence operation. And to the extent it involved attempts to penetrate electoral systems, those efforts were, as far as the public record suggests, unsuccessful. Thus, Herb is precisely correct to say that the only cybersecurity breaches of any consequence during the 2016 elections were those at the DNC and the Clinton campaign—and neither of those appears to have been the product of a systematic cyber insecurity in the systems. As always, they seem more to be derived from failures of human agents.
But from these truths Herb reaches, I think, the wrong conclusion: “a focus on preventing the hacking of election systems is misleading and dangerous—it distracts us from the real danger to the republic today, which is the toxic nature of political discourse in an internet-enabled information environment that Russia can manipulate in entirely legal ways.” To me this smacks too much of fighting the last war rather than the next.
We know, beyond doubt, that prior attempts at penetrating election infrastructure have been made. We know as well that “the machines … Americans use at the polls are less secure than the iPhones they use to navigate their way there.” Indeed, as Bruce Schneier has noted, vulnerabilities in electoral systems are widespread across the diverse locally managed systems that comprise the U.S. election infrastructure. Many are, for example, running “severely outdated operating systems like Windows XP, which has not been patched ... since 2014.”
I am certain that we need to look at social media and a polarized society as causes of electoral unease. But, unlike Herb, I think a focus on electoral infrastructure is both valuable and essential. Today's electoral system is in much the same place as the electric grid was 15 years ago—diverse, under-resourced, and mostly inattentive. Unlike Herb, I think we can and should focus effort on changing that state.