Congress, don’t miss the mark on election security


Voter registration data in most states are public by law. What happens when voter registration data are compiled and parsed with data from internet browsing, shopping and social media?

It’s a well-known fact that our foreign adversaries have attempted to influence and breach our election systems. We believe that they are trying to do so again and we need to stay two steps ahead of them in order to solve problems that may arise in securing voter data and the integrity of our election system.

While we can all agree that election systems are vulnerable, there is much more to the story. Ideas such as the Securing America’s Voting Equipment (SAVE) Act, proposed by Sens. Susan Collins (R-Maine) and Martin Heinrich (D-N.M.), would allow election officials access to classified information and would designate election systems as critical infrastructure. Designating these systems as critical infrastructure will trigger additional cybersecurity controls and require oversight at many levels, state and federal.

But if we’re serious about protecting our democracy through our election cyber infrastructure, we need to put much stronger safeguards in place throughout the election cycle, long before voters head to the polls.

Both major political parties have invested millions of dollars in data and voter information to encourage people to vote and convince voters to identify with their candidates. Various other campaigns, third-party organizations and super PACs have access to this information, all supplied by vendors and data brokers who hold this information and extrapolate data points for voter identification. It’s combined with data about our likes and dislikes and shopping habits, and then used for social media targeting. We know the Democratic National Committee was breached in the last election cycle; this time, it could very well be the Republican National Committee.

Data are extrapolated down to the zip code level and available for campaigns and their volunteers to download onto mobile phone applications. It’s not inconceivable to think of a foreign adversary walking into a campaign office, volunteering to walk precincts and having a 24-year-old campaign staffer set up a password and account on the adversary’s mobile phone, all with no real security protocols or background checks in place. Eureka! They’d have access to a system with millions of personal data points and a platform leading to who knows where — from their own mobile device.

Today, across the defense industrial complex, federal contractors are complying with new standards that safeguard their networks and prevent hostile foreign adversaries such as Russia, China and Iran from accessing their systems. If you work for a defense contractor, you likely have undergone a rigorous background check to gain access to the classified information you need to provide the appropriate support to our nation’s war fighters, and your company has massive infrastructure in place — both technology and personnel — to protect sensitive and classified information.

To secure our democracy from hostile foreign actors, shouldn’t we consider putting in place the same cybersecurity compliance standards for campaign consultants and vendors advising our candidates? They’re the ones who are buying, selling and downloading election data on millions of voters across the country.

We know from the #MeToo movement and recent news stories that political campaigns are loosely organized and lack human resource departments. So one should ask: if they don’t have human resources, what is their approach to cybersecurity when they’re handling millions of data points of personally identifiable information and have access to any given state’s voter rolls? If breaches can happen to a Fortune 100 company such as Target or a major defense contractor such as Booz Allen Hamilton, they could certainly happen to a campaign consultant, political campaign or third-party interest group.

With an industry that spends hundreds of millions of dollars targeting us, the voters, shouldn’t they be required to follow the same protocols as our nation’s defense contractors? It’s an appropriate question to ask since we’re considering legislation that would designate our voting systems as critical infrastructure.

If Congress really wants to safeguard our elections, we need to follow the data. And we should seriously consider data security before it becomes a problem that we can’t figure out how to solve.

Heather Engel is chief strategy officer for Sera-Brynn, a leading global cybersecurity audit and advisory firm. She is a Certified Information Systems Security Professional and sits on the board of directors for the Virginia Economic Development Partnership.