Earlier this week, news broke of the House unanimously approving The Defending the Integrity of Voting Systems Act, which would make hacking federal voting systems a crime. The legislation is a bipartisan bill that was introduced last year – it’s now moving on to the POTUS’ desk for a signature.
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers – who are ignoring these laws to being with – have an open field to exploit undiscovered vulnerabilities within voting systems.
Another question that remains is whether this new bill will now make ethical security research of second hand and aftermarket voting equipment illegal by putting these machines into the protected computer class? If so, this bill will have practical impact on the ability for voting machine security research to be conducted in the first place/
As the legislation now awaits the POTUS’ signature for final approval, it would be remiss of cybersecurity industry leaders to ignore the fact that this legislation is a step in the wrong direction, as is any broadening of the scope of the CFAA. The Computer Fraud and Abuse Act (CFAA) was originally passed by Congress in response to growing threats from malicious actors, yet it serves as a barrier for the betterment of our society by barring security researchers from doing their job. Every time that it is broadened, good-faith hackers unfortunately are the ones most affected.
As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet. This legislation would not only outlaw but also derail the efforts of security researchers in helping identify and resolve vulnerabilities that could potentially destroy an organization within the voting infrastructure, impacting democracy as a whole.