The Government Wants You—To Hack U.S. Election Systems
Posted by
VP ISSA
Wednesday, November 15, 2017
By Stephanie Mlot, November 3, 2017, https://www.geek.com/tech/the-government-wants-you-to-hack-u-s-election-systems-1721551/?source
Two U.S. senators have introduced bipartisan
legislation aimed at protecting American election
systems from foreign interference.
The Securing America’s Voting Equipment (SAVE) Act
would help shield voting systems, registration data, and ballots from theft,
manipulation, and malicious computer hackers.
Among various authorizations and mandates, the
proposed bill includes the creation of a “Cooperative Hack the Election”
contest: Participants work with vendors to uncover (and ultimately defend)
threats to electronic voting systems.
The goal of the annual bug bounty program is to “strengthen
electoral systems from outside interference”; discover the most significant
vulnerabilities to earn an as-yet-unspecified award.
Hackers, however, may not “exploit” uncovered
vulnerabilities or “publicly expose” them, according to the legislation.
“Our democracy hinges on protecting Americans’ ability
to fairly choose our own leaders,” Sen. Martin Heinrich (D-N.M.), who co-wrote
the bill with Sen. Susan Collins (R-Maine), said
in a statement. “We must do everything we can to protect
the security and integrity of our elections.” The move comes after reports
that election-related networks, including websites, in 21 states were targeted
by the Russian government during the 2016 campaign.
If enacted, the SAVE Act would invite developers,
network specialists, security experts, cyber criminals, and anyone with average
computer skills who lives in their parents’ basement to infiltrate nationwide
systems.
It also facilitates information sharing, provides
guidelines for best practices, and entitles states to additional funding to
develop their own solutions to election threats.
The Department of Homeland Security in June confirmed
that “a small number” of voting networks—including those in Arizona and
Illinois—were successfully compromised last year. Reports also suggested that
voter registration databases in 39 states were penetrated.
A “truly disturbing” reality that Collins said
should “serve as a call to action to assist states in hardening their defenses
against foreign adversaries that seek to compromise the integrity of our
election process.” “Until we set up stronger protections of our election
systems and take the necessary steps to prevent future foreign influence
campaigns, our nation’s democratic institutions will remain vulnerable,”
Heinrich added.
Title I
calls for the Director of National Intelligence to sponsor a security clearance
up to Top Secret for each eligible chief State election official and one
designee of such official. In general, the chief State election official is the
state’s Secretary of State. There is no mention of what happens if the
designated officials either are not eligible for a security clearance or fail
a required background check. Title II directs the Secretary of Homeland
Security to designate voting systems used in the United States as “critical
infrastructure”. The definition of “critical infrastructure” as used in this
bill is:
(e) Critical infrastructure defined
In this section, the term “critical infrastructure” means systems and
assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating
impact on security, national economic security, national public health or
safety, or any combination of those matters.
While the protection of
voting systems is certainly important, I am not sure the designation as
critical infrastructure is appropriate. Also, the designation of voting systems
as critical infrastructure extends federal government control into an area traditionally
left in State control. Title II also makes funds available in the form of
grants for States to upgrade their voting systems, but those grants would be
made available only to States that implement the best practices dictated by
DHS. I don’t really have an issue with making funds available, but I think the
States should be the ones to determine the best security practices for their
own systems. Otherwise, there is too much potential for federal government
overreach and mischief. (Just my opinion.)
Title III is the one that
establishes the “Cooperative Hack the Election Program” and directs the DHS
Secretary to develop the program which would include the creation of “an annual
competition for hacking into State voting and voter registration systems during
periods when such systems are not in use for elections”.
While I understand and
accept the desire and need to discover vulnerabilities in computing systems,
this is the type of activity that should never be done on live,
production systems. It should only take place in controlled, test and
development environments, designed to duplicate live environments.
Title III provides a safe
harbor from prosecution under 18 U.S.C. §1030, Fraud and related activity in
connection with computers, for activities conducted that are associated with
the program.
My feeling is that this
is ill-advised. Offering rewards to people for attempting to break into
computer systems, especially live, production systems, even within certain
constraints, is not a good idea. Nor is it a prudent use of taxpayer
funds. My personal opinion is that, if
the States want to standardize security requirements and procedures for voting
systems, it should be left to the National Association of Secretaries of State
and the National Association of State Election Directors. They are responsible
for the conduct of elections and can establish the standards, including the
certification of vendors and equipment. If they want to consult with NIST,
fine. Authorize block grants to those
associations for that purpose if necessary and keep the federal government out
of it (Joe Butin, CISSP, CIPP, e-mail message, November 9, 2017).