Amid ongoing investigations into how Russia may have used cyberhacking to influence the 2016 presidential election, the Obama administration added the nation’s elections systems to the list of “critical infrastructure.”
The U.S. Department of Homeland Security's (DHS) decision, which was announced last Friday, is meant to ensure that elections systems -- which include voting machines, storage facilities and voter registration databases -- are a high priority for federal cybersecurity assistance and protections.
The need for heightened safeguards became clear last year when the FBI found that hackers infiltrated voter registration databases in Arizona and Illinois. In both cases, state officials later verified that voter information had not been altered. But in the case of Illinois, a hacker was able to steal personal information from nearly 90,000 voters.
The decision to add elections systems to the list has caused confusion and concern among the state and local officials who handle U.S. elections.
In a statement released on Monday, the National Association of Secretaries of State (NASS) said, "While we recognize the need to share information on threats and risk mitigation in our elections at all levels of government, as we did throughout the 2016 cycle, it is unclear why a critical infrastructure classification is now necessary for this purpose."
David Becker, executive director of the Center for Election Innovation and Research, agrees.
“DHS and the federal government absolutely has access to [cybersecurity] resources that a state wouldn’t possess,” he said. “That being said, those were largely already being shared with the states before this designation ever occurred.”
Connecticut Secretary of State Denise Merrill, the president of NASS, said during a press call on Monday that she worries increased federal involvement could bring harm to the elections system by adding an unnecessary layer of bureaucratic oversight and by centralizing an inherently local -- and decentralized -- system.
But in his announcement of the designation, DHS Secretary Jeh Johnson stressed that the feds will only offer cybersecurity assistance to those who request it.
“This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country,” he said in the statement. “This designation does nothing to change the role state and local governments have in administering and running elections.”
There are currently 16 sectors and 20 subsectors of critical infrastructure. Similar to elections, many of them are largely run by state and local governments -- a fact that DHS thinks should calm some of their concerns.
"If you talk to the electric sector, if you talk to the water sector, they can tell you this is very much a partnership, where we are not dictating anything," said Caitlin Durkovich, DHS assistant secretary for infrastructure protection. "We are helping bring to light the threats and hazards that could impact a particular infrastructure."
Some, however, are skeptical of those assurances.
Christy McCormick, a member of the bipartisan U.S. Election Assistance Commission, opposes the designation. She wonders whether the states and localities that choose not to request assistance will still receive the same important security information -- both classified and unclassified -- from the federal government. If not, then she questions the extent to which the assistance is really voluntary. McCormick also wants to know if DHS assistance will require states to conform to any federal security standards.
Leading up to last week’s announcement, state and local elections officials had tried to clarify what the designation would do and how it would be different from what DHS already provides.
“We kept asking for something in writing,” said Merrill of NASS. “And we never got that.”
Unlike laws and regulations, a designation of this kind doesn't require a public comment period or other vetting that might reverse Johnson's decision. But Merrill said the secretaries of state would discuss the topic in February at their annual conference, where they may vote to ask the Trump administration to remove the designation.
Both NASS and the U.S. Election Assistance Commission view the DHS decision as unnecessary because most states are already working with the federal government to guard their elections systems against cyberthreats. Last fall, at least 33 states and 11 county or local election agencies approached DHS about taking advantage of federal cybersecurity services.
The Arizona and Illinois incidents have led to some confusion about whether election systems, more broadly, have been hacked. So far, there is no evidence that any machines in any state or locality that count and report votes were hacked. Still, some cybersecurity experts have demonstrated how they could hack machines to affect vote tallies.
Dan Wallach, a computer scientist at Rice University who researches the security of electronic voting systems, said the DHS decision should also make grants available to upgrade state and local cybersecurity infrastructure.
"In practice," he said, "this designation should be nothing but helpful."