Making Democracy Harder to Hack: Should Elections Be Classified as ‘Critical Infrastructure?’

S. Shackelford, B. Schneier, M. Sulmeyer, A. Boustead, B. Buchanan, A. N. Craig Deckard, Trey Herr, J. Malekos Smith

University of Michigan Journal of Law Reform, v. 50, n. 3, Spring 2017, pp. 629-668.

ABSTRACT:

With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary Jeh Johnson’s decision to classify elections as critical infrastructure in January 2017—in the U.S., using the 2016 elections as a case study, but putting the issue in a global context, with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance.
