What the Next President Can Do on Cybersecurity

November 8, 2016

From a Democratic National Convention overshadowed by email leaks, to breaches of voter information in at least two states, to reports of shadowy Russian hackers – or possibly some guy who weighs 400 pounds – colluding with WikiLeaks to release damaging information, cybersecurity has played an unusually prominent role in this US election campaign. 

While it’s unlikely that cyber intrusions will be seen to have had a direct impact on the results, the events of the past 18 months have revealed a lot about vulnerabilities in the American election system and the threats it faces.

As a result, US government officials have ramped up their efforts to bolster election security this year. While elections are a state matter, not a federal one, the Department of Homeland Security (DHS) consulted with all 50 states to scan their election systems for vulnerabilities and offer security support. The department also asked social media companies to be on the alert for disinformation campaigns, such as fake ads spreading on Twitter encouraging Clinton supporters to vote by text.

After the next president is sworn in, here are three cybersecurity priorities he should focus on to make future elections more secure:

1. Classify elections as ‘critical infrastructure’

The US uses the designation “Critical Infrastructure” to refer to sectors and industries that “provide the essential services that underpin American society” – without which, there would be severe consequences for Americans’ health, security and economy. There are currently 16 sectors designated as critical infrastructure, including the electrical grid, financial services, water supply and communications systems. The federal government puts a higher priority on critical infrastructure sectors, which allows it to play a larger role in funding and standard-setting. 

The argument for designating elections as critical infrastructure is that public faith in free and fair elections is fundamental to American democracy. After the first round of email hacks this summer, DHS officials said they were considering the critical infrastructure option for future elections so they could bring in more oversight and standards for voting systems. Some critics fear this would represent an unconstitutional federal intrusion on a state responsibility, or create another layer of bureaucracy. Others say it would just be window dressing when more serious and comprehensive election security reforms are needed.

It’s clear that the critical infrastructure designation alone won’t be enough to secure a voting system plagued with patchy and outdated infrastructure, but it could be a first step to drive government focus and resources toward the problem. It would also send an important deterrent signal to the international community if an attack on the election were considered to be as serious as an attack on the power grid.

2. Improve security for the Internet of Things

On Oct. 21, a massive cyberattack took down a number of top websites – including Twitter, Paypal and CNN – on the US East Coast. The hackers made use of commercial, Internet-connected webcams, infecting them with malware and using them to launch a Distributed Denial of Service (DDoS) attack. The target was Dyn, a Domain Name Server (DNS) host – a key part of Internet infrastructure.

A similar Internet shutdown on election day would be disastrous, stopping voters from finding polling locations, poll workers from confirming registered voters, and polling centres from reporting their results, among other disruptions.

As the number of Internet-connected devices – known as the “Internet of Things” or IoT – grows, so does the risk to security. That’s because DDoS attacks rely on a huge number of IP addresses to overwhelm their targeted servers, and millions of IoT devices are being rushed to market – often with minimal security measures in place. “The challenge is how do we make sure that we don’t destroy this ecosystem through security risks, while also not destroying this ecosystem through imposing solutions that will choke growth at an unreasonable level,” Allan Freidman, a cybersecurity official with the US Department of Commerce, told the Atlantic Council. Under the next president, the government could play a role in regulating IoT security, giving companies incentives to build stronger security measures into IoT products, or spurring greater cooperation on security between government agencies and IoT companies.

3. Develop policy responses to state-sponsored cyberattacks

American intelligence officials are blaming Russia for using cyber incursions to disrupt the election, raising the question of how the US should respond. But the implications of this go far beyond the election itself.

Cyberattacks are only expected to become more common, as they are less expensive and less lethal than traditional forms of state-sponsored aggression. But unlike traditional military attacks, there are no firm international norms in the cyber arena. This means that decisions being made now – such as, what kind of response is proportionate to an elections cyber-breach or massive DDoS attack – could resonate well into the future. The incoming president will be better off working on this right away, instead of waiting for the next big attack to react.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Stephanie MacLellan is a digital democracy fellow with the Public Policy Forum.