Obama Administration Looking To Expand Definition Of 'Critical Infrastructure' To Hit Back At Russians
from the oh-really-now? dept
One of the ridiculous parts of all of the discussions around “cybersecurity” concerns what should be considered “critical infrastructure.” That’s because, thanks to various executive orders, what the President declares as “critical infrastructure” leads to different cybersecurity requirements. There have been concerns that this will result in broadly classifying the internet as “critical infrastructure” in a manner that will lead to easier surveillance. But, as we noted nearly a decade ago, broadly classifying the internet as critical infrastructure would be silly, when the use of that designation should be narrowly focused on things like voting and banking (not to mention things like energy grids and water supplies).
Apparently, however, as the Obama administration is looking to respond to what it believes was Russian “interference” in the 2016 Presidential election, it is realizing that none of it targeted “critical infrastructure.” And thus… it now wants to change the definition of what’s covered. That should be concerning.
First off, at this point we should make a quick aside that there remains zero evidence released publicly that there was any actual hacking of our voting systems. None. Zip. Zero. And basically everything claiming otherwise has been partisan hackery. Before the election Trump supporters were going on and on about how voting machines could be hacked — but have been mostly silent since the election. Instead, since the election ended, it’s been Clinton supporters insisting that Russian hackers tampered with voting machines. For a decade and a half we’ve been warning about bad e-voting machines and how insecure they are, but so far no one has presented anything in the way of proof that electronic voting machines were hacked. Actual voting infrastructure is pretty clearly “critical infrastructure.” But what about other things — like the emails of top party leaders? Well, that’s what the administration now seems to want to change into “critical infrastructure.”
This is from a Washington Post article on the expected response by the White House against Russia:
The sanctions portion of the package culminates weeks of debate in the White House on how to revise a 2015 executive order that was meant to give the president authority to respond to cyberattacks from overseas but that did not cover efforts to influence the electoral system.
But officials concluded this fall that the order could not, as written, be used to punish the most significant cyber-provocation in recent memory against the United States ? Russia?s hacking of Democratic organizations, targeting of state election systems and meddling in the presidential election.
With the clock ticking, the White House is working on adapting the authority to punish the Russians, according to the officials, who spoke on the condition of anonymity to discuss internal deliberations. President Obama pledged this month that there would be a response to Moscow?s interference in the U.S. elections.
The targeting of “state election systems” definitely seems a bit more like it should obviously be considered “critical infrastructure” — though those attacks on state systems were not targeted at the actual voting infrastructure, but computer systems that contained information about voters and such. But it seems a lot more questionable to argue that political parties’ computer systems should automatically be seen as “critical infrastructure.” That seems to be heading down the slippery slope of declaring certain individuals email accounts critical infrastructure, and lots of mischief could be associated with such a designation.
As the article notes, even though it’s believed by many that Russian hackers got into election systems, it doesn’t appear they did anything in those systems, so it’s tough to show that there was actual harm:
?You would (a) have to be able to say that the actual electoral infrastructure, such as state databases, was critical infrastructure, and (b) that what the Russians did actually harmed it,? said the administration official. ?Those are two high bars.?
Although Russian government hackers are believed to have penetrated at least one state voter-registration database, they did not tamper with the data, officials said.
It definitely seems that voting systems should be seen as critical infrastructure, but given how declarations of critical infrastructure come with some pretty hefty requirements — and opening up the possibility of greater surveillance — the administration should be pretty careful about expanding the list as a reactionary move to the last election.