A bipartisan bill aimed at protecting American elections from foreign cyberattacks, introduced in the Senate just before the Christmas break, has been getting generally positive reviews from security professionals.
The Secure Elections Act would provide block grants to states to help them upgrade their election security, and streamline the sharing of cybersecurity information between federal intelligence agencies. Specifically, it would improve the links and lines of communication between the Department of Homeland Security (DHS) and states.
During the 2016 election, Russia hacked presidential campaign email accounts, launched cyberattacks against 21 state election systems, and attacked a U.S. voting systems software company, according to intelligence reports. “We must do everything in our power to protect our democracy from future attacks, and ensure those on the front lines of administering elections are equipped with the tools and resources necessary to keep them safe. Time is of the essence, the next Federal election is less than a year away,” said Sen. Amy Klobuchar, D-Minn., one of the bill’s co-sponsors. The bill now heads to the Senate Rules and Administration Committee.
There are several key provisions of Senate bill 2661:
- Eliminate paperless voting machines. An estimated one in four Americans currently vote on touchscreen machines, which leave no paper trail and therefore provide no backup system. So, if a touchscreen machine were hacked, there would be no way to go back and determine if an individual voted and who they voted for. The bill would provide block grants so that states could throw out paperless voting machines and replace them with versions that read paper ballots.
- In addition, the bill would provide incentives for states to conduct post-election audits to make doubly sure that the results are accurate. Currently, states perform post-election audits only when the results are extremely close or when a recount is requested.
- The bill would also open up and accelerate information sharing between DHS and the states. For example, DHS determined that 21 states had their election systems targeted during the 2016 election, but didn’t tell the states until nearly a year later. The bill calls on DHS to promptly share information on cybersecurity threats with state, local, and county election agencies. It provides security clearances to appropriate state officials, so they can access and act quickly on classified cybersecurity information. It also creates a panel of independent experts charged with setting up cybersecurity guidelines for election-related systems.
- In addition, the bill would set up a bug bounty program, dubbed Hack the Election, in which independent security analysts would be encouraged to identify and report potential vulnerabilities.
BluVector CEO Kris Lovejoy said she agrees with the premise that an election system constitutes critical infrastructure and should be secured as such. “It has been made abundantly clear that these systems are subject to cyber tampering by a variety of adversaries intent on manipulating vote counts. As such, I applaud the legislation as a practical and pragmatic approach for incenting state and local governments to do the right thing,” Lovejoy said.
She added one point of caution. This bill will not fully address the risk of election meddling by foreign powers because it only focuses on voting machines, while Russian meddling was a broader effort that included the use of social media to spread disinformation.
Michael Sulmeyer, director of the Belfer Center’s Cyber Security Project at Harvard University, also gave the bill high marks. “As much as we hear that ‘the best defense is a good offense,’ sometimes the key to good defense is actually a better defense. If this bill passes and congressional appropriators provide the required funding, we stand to be better off on defense than we are today,” he said.