Future Tense

The Security Debt Is Coming Due

What hacks into voter registration systems say about the state of local government cybersecurity.

Was2019759
State and local governments have more than just voting data on their hands.

Karen Bleier/AFP/Getty Images

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. On Wednesday, Oct. 5, Future Tense will host an event in Washington, D.C., on elections and technology. For more information and to RSVP, visit the New America website.

There’s something particularly unusual about the recent revelations that foreign hackers successfully breached voter registration systems in Arizona and Illinois.

It’s not just the intriguing possibility of Russian involvement. Nor is it that FBI and Department of Homeland Security officials took the notable step of confirming the penetration and warning state election boards to conduct vulnerability scans.

It’s that the targets of the hacks—state and local election data—don’t have the same obvious incentives as attacks before them. Missing are the monetary rewards for the perpetrators of large retail data breaches; lacking is the espionage value of a hack like the massive compromise of data from the Office of Personnel Management. Instead, these intrusions target the system at the heart of our democracy, and the incidents are rightly being treated as a very serious problem. But how do we fix it?

For his part, DHS director Jeh Johnson has discussed the idea of including U.S voting systems on the list of federally designated “critical infrastructure”—a protective designation it gives to resources such as nuclear power plants, banking and finance systems, and the electrical grid. However, unlike our nuclear or financial systems, both the institutional and network infrastructures that underpin our local elections have been cobbled together in troubling ways: They were done incredibly cheaply, over years and numerous eras of technology, and with virtually no standardization or even minimum security practices.

To be clear, it would actually be very hard for hackers to meaningfully alter a national vote count given our decentralized election systems. (As Johnson himself pointed out after the August state breaches, we’ve got some 9,000 jurisdictions at the state and local level involved in the process.) But changed ballots aren’t the only meaningful consequences that can result from such attacks. Other less clear costs—from weakened public confidence in election results to increased auditing expenses—pose serious concerns. Assessing this impact will be challenging, as will making changes to prevent future hacks. The vulnerabilities exposed by the Illinois and Arizona breaches, and credible concerns about the possibility of new ones, have exposed just how behind state and local governments are when it comes to protecting their systems and data.

Part of the reason for this comes down to serious funding and personnel constraints. Almost all local governments struggle to recruit and retain generally qualified IT professionals, let alone those specializing in cybersecurity. With short supply and high demand, many are unable to pay competitive salaries and often rely on contractors for most or even all of their information security. This wouldn’t be a problem if the local governments knew exactly what they needed and had sophisticated contracting capabilities, but this is often not the case. The most resource-constrained jurisdictions aren’t taking steps to beef up their cyberprotections. And when it comes to electoral processes, these local setbacks become national issues.

The other reason that state and municipal governments have fallen behind on cybersecurity is a phenomenon known as “security debt.” The idea behind the term is that computers and computer networks allowed institutions—companies, organizations, and governments alike—to decrease their costs, increase their efficiency, and shrink their staff levels. The problem is that the upsides of the switchover are front-loaded in the early years of deployment, and this new, efficient way of doing business becomes the norm. Only later, sometimes years down the line, do costs like network vulnerabilities become apparent. Malware and Trojans. Data breaches. Ransomware. Most result from pre-existing or unpatched vulnerabilities. This is the security debt coming due.

The problem is that too many organizations quickly adopted these new systems without sufficiently planning for their inevitable future costs and vulnerabilities. The resulting security debt is especially problematic for local governments, which are often unable to mitigate the unplanned costs in an era where their funding is declining and more is expected of them. And it’s not just electoral processes that have been put at risk. Think of all of the information your municipal government has on you—voting data, tax information, property records, criminal history, driver’s license numbers, Social Security numbers. Think of, if your kids go to public schools, all of the data they have on your children. There’s perhaps no better case study of governments diving into a new system without thinking of security and privacy pitfalls than the fast-paced adoption of educational technology. Few examples have a bigger security debt—what kind of data are these companies collecting? Who can use this sensitive student information? How secure is this data?—than these digital learning tools. The impulse to chase after the newest, shiniest technological aide doesn’t help either.

We expect our local governments to do quite a bit of work for us—from policing to collecting taxes to repairing roads to operating elections. In a modern world, all of those functions require information systems housing large amounts of sensitive data. Frankly, we haven’t thought enough about what goes into these processes. And when we have, we’ve mostly assumed that governments were taking reasonable measures to keep these systems secure. It’s not clear that those were good assumptions.

There are, however, ongoing discussions about how to fix these problems. They include ideas like having local governments consolidate, adopt cloud-computing solutions, outsource to managed security services, or connect with federal and state programs that would pool resource capabilities. All of these, if implemented with care, provide promising potential for future solutions. Until then, we should concede that we will be paying a high “interest” rate on our growing security debt—interest that is likely to manifest as data breaches, intrusions, and emergency costs to respond to incidents and patch vulnerabilities.

It’s also worth noting that, even with good tools, there are no simple answers to these challenges. Federal financial and technical support to better secure local electoral process, for example, are sometimes viewed skeptically. Numerous state election officials have suggested that this represents creeping federal control over their elections, something many don’t want to see. Roadblocks like these pose serious challenges for a nation that relies on selecting leaders at every level at local ballot boxes. As we do so, we’re pushing the operations of our voting infrastructure to the most underfunded, understaffed, and underequipped levels of government.

Justice Louis Brandeis famously described the states as the “laboratories of democracy.” In an age with more of our civic life online and more threats to it from around the world, we certainly have an interesting experiment on our hands.

Future Tense is a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.