A crisis makes us think differently. Hopefully, another prickly presidential election result tally isn't needed to embrace our election system as a critical national infrastructure, do more to protect it against threats, and make it more participatory.
Transportation systems, dams and energy facilities are "critical infrastructures," recognized as essential to long-term well-being, requiring vigilant protection. But these known "hard targets" are not more important to our country than the foundational notion of a republic, that our government leaders are selected by the will of a majority of Americans.
Yet we face the reality of foreign adversaries twisting information that Americans use to form their opinions on whom to elect; technology deficiencies curbing election turnout at roughly 50%; and voters staying home wrongly thinking their votes won't make a difference.
To understand what we are up against, let's break down election threats into three categories:
- Voting technology manipulation and disruption: We need to create convenient, secure voting from smartphones or home computers.
- Voter suppression: We need confidentiality and trust of interim vote tallies.
- Information poisoning: We need better integrity on the true source and accuracy of content pertaining to election issues.
Voting technology manipulation
Our prudent caution with today's voting technology means that elections are decided by roughly 25% of voting-eligible adults who brave voting inconveniences to back the winner. We face an unrealized opportunity and responsibility to vastly increase voter participation through secure smartphone and home computer voting, an extraordinarily convenient way to vote in which the telecommunications infrastructure is already in place. But there are cybersecurity shortfalls to precisely address. Doing so would eliminate disenfranchised non-voters while simultaneously empowering elected officials.
We cannot fall back on non-cyber solutions, since such quaint comforts in voting systems results in only about half of eligible citizens voting. With the right cybersecurity, we can empower all voters to actually participate in our "participatory democracy."
We can't be reckless about a movement to internet-based, remote voting. We need to solve the problem of authentication, the root of almost all problems on the internet, and ensure communication resiliency. But deciding it's important to do is the first step toward enabling the full power of this critical infrastructure.
Voter suppression
With informed voters and trustworthy voting technologies, we still need to prevent biases in reporting of preliminary voting tallies. With jumps in preelection-day snail-mail voting, foreign interference and even local corruption, too many people self-suppress their vote, believing that overwhelming numbers of already-decided voters have predetermined an outcome.
Interim results must be kept confidential until official tallies are complete. With interim results not leaked, through confidentiality and cybersecurity segmentation, accidental or deliberate biasing wouldn't suppress otherwise motivated voters. And nefarious disruptions of voting places — creating lines and delays at polling places — would be eliminated by leveraging the diverse availability inherent in the internet. We can and should ensure we're not susceptible to accidental or deliberate voter suppression.
Information poisoning
Well-funded foreign disinformation campaigns seek to sway American public opinion. While tempting to dismiss social media memes as specious nonsense, the numbers are sobering.
Paid print and digital subscriptions to the New York Times are currently at a high point of 4.5 million. Hannity, the Fox News show and highest-rated nightly cable news show, is watched by 3.3 million. Meanwhile, social posts on various networks reach hundreds of millions.
But how does that relate to cybersecurity?
CISOs like to say that we need two categories of firewalls: hardware that makes automated decisions about what to allow access to, and human ones that make good decisions on online behavior. In elections, cybersecurity and personal responsibility must each play roles.
While cybersecurity can help authenticate the source of information, people need to pay closer attention to the information we consume and share. Disinformation is like malware for the mind, and foreign manipulators know that only a small percentage of the voting population needs to be influenced to sway the outcome of an election. In that example, a "weakness" occurs when our defenses are down, when we lower the bar on critical thinking or allow emotions to dictate our decisions. Cybersecurity principles of authentication and integrity can help protect the very information that determines how we perceive our world, and information consumers need to better leverage those tools.
We live in a cyber-enabled world, where everything from wealth to medical records are already digitized. While a physical polling booth can help verify votes, it's become a stifling, stopgap measure, overshadowing where we really need to be.
Our participatory democracy is at risk without raising the criticality of securing the election system, and failing to apply modern conveniences whose exclusion directly stifles voting turnout. We need to ensure it's highly available to those authorized to use it, has information authenticity, and its data is confidential.
That's a cybersecurity problem to solve, not a moonshot. President John F. Kennedy's "moonshot" rallying cry is overused; let's not mischaracterize the reason for achieving election security and convenience: We don't "do it because it's hard," for the challenge. We do it because we're obligated to; it's our democracy's core.
This call to action to give our election system the cybersecurity that a critical infrastructure deserves is not written with novice's viewpoint about the insecurities of internet voting. I've worked with good people to leverage high-end technical capabilities to solve unbreakable "evil empire" enigmas, ensure the security of nuclear command and control codes, and help protect the electric power grid. And I know that for the foreseeable future, we'll need manual processes as a "belts and suspenders" approach. But we live in a cyber-enabled world, where everything from wealth to medical records are already digitized. While a physical polling booth can help verify votes, it's become a stifling, stopgap measure, overshadowing where we really need to be.
Ben Franklin, at the 1787 Constitutional Convention, said the country's framers had created a republic (not a monarchy) where voters choose their governing officials, adding, it's "a Republic, if you can keep it." Nearly 250 years later we must do everything we can to deploy the cybersecurity practices that will allow us to keep that republic — if we can secure it.
—By Phil Quade, chief information security officer at Fortinet and a member of the CNBC Technology Executive Council
