This column by ACRU Policy Board member Hans von Spakovsky was published August 17, 2016 by Conservative Review.
The New York Times and other mainstream outlets have been filled with alarming stories recently about the possibility, voiced by Jeh Johnson, the Secretary of the Department of Homeland Security (DHS), that our voting process in the November election could be subjected to cyber-attacks. Johnson told reporters in Washington (and state officials in a phone call on Monday) that he was considering designating our election system as “critical infrastructure, like the financial sector, like the power grid” because there is “a vital national interest in our electoral process.”
There is only one problem with this — there is no credible threat of a successful cyberattack on our voting and ballot-counting process because of the way our current election system is organized. An election official who was on that Monday call, and who has direct knowledge of Johnson’s plan told me that Louisiana Secretary of State Tom Schedler asked Johnson whether he had any evidence of any credible threat to our election system. Johnson’s answer was “no.”
That confirms what another high-level source who attended a White House meeting last week said — that DHS officials admitted they had no evidence of any “credible threat” of a cyber-attack. But designating the nation’s election system as “critical infrastructure” under a post 9/11 federal statute may be a way for the administration to get Justice Department lawyers, the FBI, and DHS staff into polling places they would otherwise have no legal right to access, which would enable them to interfere with election administration procedures around the country.
Election cybersecurity right now
No one minimizes the threat of cyberattacks by bad actors from the Chinese government to individual hackers. And cyber criminals have managed to get into all kinds of computer systems, from the attack on the Office of Personnel Management (OPM) that obtained the personnel files of millions of federal employees, to the embarrassing invasion of the DNC’s computer system. But all of those computer systems have direct access to the internet, which provides the pathway in for hackers once they battle their way through the security firewalls and defenses that are supposed to protect those systems. That is not the case with almost all of our voting and ballot-counting processes. We have the most decentralized election system of any Western democracy, with over 3,000 counties and numerous townships running elections. There is no central computer system running our national elections and the computer ballots used to total votes are almost all standalone computers. (By the way, the Pentagon has an entirely closed computer system without access to the internet in order to protect classified information.) That is why states should entirely avoid any type of internet voting proposals, since then our election process would become highly vulnerable to cyber-attack, as happened to Illinois’s new online voter registration system recently.
The same is true of the electronic voting (touch screen) machines used in polling places in many jurisdictions. The vast majority of counties do not have those machines tied into a reporting system that runs through the internet; they don’t keep their information in “the Cloud” as Louisiana Secretary of State Schedler told me in a separate conversation recently about the cyber issue. Instead, they are stand-alone machines with a cartridge in the back that is removed at the end of the polling day and physically transported to the county elections department, where the cartridge is inserted into the stand-alone computer that totals up all of the votes.
There is no question, as security experts have demonstrated, that the security on some of these individual electronic voting machines is poor, and that they may be subject to hacking if a hacker can get physical access to the machine. But these touch screens are kept in secure warehouses before election day and then are monitored by election officials when they are set up in polling sites. It would be difficult for a hacker to access a significant number of machines in any meaningful way.
That doesn’t mean these types of touch screens shouldn’t be replaced; but the point is that hackers do not have the ability to access either these individual machines or the ballot-counting computers through internet portals. And they have even less of an ability to try to cyber-attack the ballot scanners that are used in the vast majority of polling places. There, individual voters fill out opti-scan paper ballots with a special ballot-marking pen, and the ballots are then run through a standalone computer scanner that counts the vote. Those paper ballots act as a back-up if any questions arise about the computer total. Those scanners are also not hooked into the internet.
Why is DHS pushing for this designation?
So what is going on? After 9/11, Congress passed the Homeland Security Act of 2001 allowing the president or the secretary of DHS to designate “critical infrastructure” that must be protected against attacks (6 U.S.C. §132). In 2013, President Obama issued a revised “Presidential Policy Directive” on “Critical Infrastructure Security and Resilience” (PPD-21). If Jeh Johnson designates our election system as “critical infrastructure,” then according to this directive, the Justice Department is given the authority to “investigate, disrupt, prosecute, and otherwise reduce” threats to that infrastructure. DHS will “coordinate the overall Federal effort to promote the security and resilience of” the infrastructure.
Given the lack of a credible threat of a cyber-attack, there could be another explanation for what DHS is doing. But designating election systems as “critical infrastructure” could grant Secretary Jeh Johnson, Department of Homeland Security officials, and officials at the Department of Justice access to any and every election and to any and every voting location they “deem” threatened. The government would be able to police the systems, and could demand changes be made to election and voting systems regardless of the views of local officials.
DHS’ actions could stem from the administration’s frustration over the 2013 Shelby County decision by the U.S. Supreme Court, about which Attorney General Loretta Lynch has loudly complained, claiming it severely curtailed the ability of DOJ to send official observers recruited by OPM to polling places. Those officials can only go where a court has given them authorization to be present. Otherwise, DOJ is dependent on local jurisdictions giving DOJ permission for its lawyers and staff to be there. Many jurisdictions have wised up and started saying “no” to DOJ. That must be very frustrating to the partisans who inhabit parts of the Justice Department these days and want their staff out there making sure their political friends get elected.
The realistic fear is that this is the first step towards nationalizing election administration.
In fact, Richard Pilger of the Election Crimes Unit of the Public Integrity Section of the Criminal Division at DOJ was a participant in the Monday call with the secretaries of state, and Chris Herren, the chief of the Voting Section of the Civil Rights Division, was a participant in a call last week on this subject with Leslie Reynolds, the executive director of the National Association of Secretaries of State. Neither Pilger nor Herren know anything about cyber security; the Civil Rights Division has absolutely no expertise on that subject whatsoever and has no jurisdictional authority over the issue.
Johnson emphasized in Monday’s call that he wanted to make the federal government available to the states to prevent cyber-attacks; but nothing prevents DHS from making recommendations now — no “critical infrastructure” designation is required. Johnson said he was organizing a federal-state working group that would include DHS, DOJ, and the National Institute of Standards and Technology, an agency of the Department of Commerce. Johnson was still “considering” whether he would be “designating some aspect of the election process as critical infrastructure.” But Georgia Secretary of State Brian Kemp was very vocal in the telephone call in telling Johnson the states don’t need any help from the federal government.
The realistic fear is that this is the first step towards nationalizing election administration. Federal officials who have already shown they will not hesitate to use their power to tilt public policy in favor of their own personal political agenda could bring that same bias to decisions that affect the very integrity of our election process.
If we have close elections on the local, state, or federal level in November, there is a much greater possibility that they could be affected by misbehavior such as absentee ballot fraud or illegal voting by noncitizens or other ineligible voters than that some hacker will be able to manipulate the system. But just like in The Wizard of Oz, this administration wants you to pay no attention to that particular man in the corner while it launches its election Trojan horse.