After repeated requests from various states, the Department of Homeland Security informed state governments which states had their election systems hacked or otherwise compromised during the 2016 general election.  According to reports, 21 states had their systems compromised in some fashion, although there is no evidence voting machines themselves were tampered with and in only some instances were computer systems actually penetrated.

Putting aside the politics, there are some serious cybersecurity issues to grapple with.

First and most importantly, states legitimately need whatever information DHS can possibly provide regarding the vulnerabilities in their election systems.  Keep in mind that states can be hemmed in by budget considerations when it comes to their election infrastructure; so even if computer systems relating to elections were vulnerable a year ago, it is not necessarily correct to assume that any given state will have enough resources to replace them with different systems for the next election.  In other words, these systems need to last.  As such, states need information in order to know what to patch and what to fix.

Second, the fact that there does not appear to be evidence of any actual vote tampering might be reassuring for 2016, but it's not reassuring for future elections, for the same reason: this could be evidence of hackers simply trying to see what the vulnerabilities are in order to take damaging action in the future.

Finally, the lateness of the information being provided, even though states have been requesting this information from DHS for some time, is troubling.  As with any data security problem, more knowledge sooner can reduce future vulnerabilities.  DHS has stated it will try to be more prompt going forward, and prompt communication will be necessary for adequate security.

The bottom line is that there are real security vulnerabilities in our election system, and the federal government appears to have been somewhat coy in communicating the issues involved.  Hopefully such communication will be straightened out to allow states the time needed to patch systems.  Were Congress more apt to focus on this issue in a productive way, it might also consider specific budget appropriations to allow states to beef up their systems.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.