The New York Times and other mainstream outlets have been filled with alarming stories recently about the possibility, voiced by Jeh Johnson, the Secretary of the Department of Homeland Security (DHS), that our voting process in the November election could be subjected to cyber-attacks. Johnson told reporters in Washington (and state officials in a phone call on Monday) that he was considering designating our election system as “critical infrastructure, like the financial sector, like the power grid” because there is “a vital national interest in our electoral process.”
There is only one problem with this — there is no credible threat of a successful cyberattack on our voting and ballot-counting process because of the way our current election system is organized. An election official who was on that Monday call, and who has direct knowledge of Johnson’s plan told me that Louisiana Secretary of State Tom Schedler asked Johnson whether he had any evidence of any credible threat to our election system. Johnson’s answer was “no.”
That confirms what another high-level source who attended a White House meeting last week said – that DHS officials admitted they had no evidence of any “credible threat” of a cyber-attack. But designating the nation’s election system as “critical infrastructure” under a post 9/11 federal statute may be a way for the administration to get Justice Department lawyers, the FBI, and DHS staff into polling places they would otherwise have no legal right to access, which would enable them to interfere with election administration procedures around the country.
No one minimizes the threat of cyberattacks by bad actors from the Chinese government to individual hackers. And cyber criminals have managed to get into all kinds of computer systems, from the attack on the Office of Personnel Management (OPM) that obtained the personnel files of millions of federal employees, to the embarrassing invasion of the DNC’s computer system. But all of those computer systems have direct access to the internet, which provides the pathway in for hackers once they battle their way through the security firewalls and defenses that are supposed to protect those systems. That is not the case with almost all of our voting and ballot-counting processes. We have the most decentralized election system of any Western democracy, with over 3,000 counties and numerous townships running elections. There is no central computer system running our national elections and the computer ballots used to total votes are almost all standalone computers. (By the way, the Pentagon has an entirely closed computer system without access to the internet in order to protect classified information.) That is why states should entirely avoid any type of internet voting proposals, since then our election process would become highly vulnerable to cyber-attack, as happened to Illinois’s new online voter registration system recently.
The same is true of the electronic voting (touch screen) machines used in polling places in many jurisdictions. The vast majority of counties do not have those machines tied into a reporting system that runs through the internet; they don’t keep their information in “the Cloud” as Louisiana Secretary of State Schedler told me in a separate conversation recently about the cyber issue. Instead, they are stand-alone machines with a cartridge in the back that is removed at the end of the polling day and physically transported to the county elections department, where the cartridge is inserted into the stand-alone computer that totals up all of the votes.
There is no question, as security experts have demonstrated, that the security on some of these individual electronic voting machines is poor, and that they may be subject to hacking if a hacker can get physical access to the machine. But these touch screens are kept in secure warehouses before election day and then are monitored by election officials when they are set up in polling sites. It would be difficult for a hacker to access a significant number of machines in any meaningful way.
That doesn’t mean these types of touch screens shouldn’t be replaced; but the point is that hackers do not have the ability to access either these individual machines or the ballot-counting computers through internet portals. And they have even less of an ability to try to cyber-attack the ballot scanners that are used in the vast majority of polling places. There, individual voters fill out opti-scan paper ballots with a special ballot-marking pen, and the ballots are then run through a standalone computer scanner that counts the vote. Those paper ballots act as a back-up if any questions arise about the computer total. Those scanners are also not hooked into the internet.
So what is going on? After 9/11, Congress passed the Homeland Security Act of 2001 allowing the president or the secretary of DHS to designate “critical infrastructure” that must be protected against attacks (6 U.S.C. §132). In 2013, President Obama issued a revised “Presidential Policy Directive” on “Critical Infrastructure Security and Resilience” (PPD-21). If Jeh Johnson designates our election system as “critical infrastructure,” then according to this directive, the Justice Department is given the authority to “investigate, disrupt, prosecute, and otherwise reduce” threats to that infrastructure. DHS will “coordinate the overall Federal effort to promote the security and resilience of” the infrastructure.
Given the lack of a credible threat of a cyber-attack, there could be another explanation for what DHS is doing. But designating election systems as “critical infrastructure” could grant Secretary Jeh Johnson, Department of Homeland Security officials, and officials at the Department of Justice access to any and every election and to any and every voting location they “deem” threatened. The government would be able to police the systems, and could demand changes be made to election and voting systems regardless of the views of local officials.
DHS’ actions could stem from the administration’s frustration over the 2013 Shelby County decision by the U.S. Supreme Court, about which Attorney General Loretta Lynch has loudly complained, claiming it severely curtailed the ability of DOJ to send official observers recruited by OPM to polling places. Those officials can only go where a court has given them authorization to be present. Otherwise, DOJ is dependent on local jurisdictions giving DOJ permission for its lawyers and staff to be there. Many jurisdictions have wised up and started saying “no” to DOJ. That must be very frustrating to the partisans who inhabit parts of the Justice Department these days and want their staff out there making sure their political friends get elected....
The realistic fear is that this is the first step towards nationalizing election administration. Federal officials who have already shown they will not hesitate to use their power to tilt public policy in favor of their own personal political agenda could bring that same bias to decisions that affect the very integrity of our election process.
If we have close elections on the local, state, or federal level in November, there is a much greater possibility that they could be affected by misbehavior such as absentee ballot fraud or illegal voting by noncitizens or other ineligible voters than that some hacker will be able to manipulate the system. But just like in The Wizard of Oz, this administration wants you to pay no attention to that particular man in the corner while it launches its election Trojan horse.
Secretary of Homeland Security Jeh Johnson designated the U.S. “election infrastructure” as a “critical infrastructure subsector” in what can only be considered a bold move Friday.
Johnson’s designation through the Department of Homeland Security will include “storage facilities, polling places, and centralized vote tabulations locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments,” according to Johnson’s official statement.
Johnson wrote, “[…] election infrastructure in this country should be designated as a subsector of the existing Government Facilities critical infrastructure sector. Given the vital role elections play in this country.”
Although many state and local election officials have clearly been in opposition to such a designation, fearing a federal takeover, Johnson decided to move forth anyway.
“Prior to reaching this determination, my staff and I consulted many state and local election officials; I am aware that many of them are opposed to this designation. It is important to stress what this designation does and does not mean. This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country. This designation does nothing to change the role state and local governments have in administering and running elections,” Johnson wrote.
Moreover, Johnson claims that the takeover is “simply the right and obvious thing to do” and will make it “easier for the federal government to have full and frank discussions with key stakeholders regarding sensitive vulnerability information.”
According to the DHS there are currently 16 critical infrastructure sectors which also include 20 subsectors. These main sectors include:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Material, and Waste
- Transportation Systems
- Water and Wastewater Systems