Wednesday, August 22, 2018

S 3311 Introduced – Voting Cybersecurity

Last month Sen. Blumenthal (D,CT) introduced S 3311, the Defending the Integrity of Voting Systems Act. The bill would amend the definition of ‘protected computer’ in 18 USC 1030 to include voting systems.

Protected Computer

Section 2 of the bill amends the definition of ‘protected computer’ in §1030(e)(2) by adding “is part of a voting system”. It further clarifies that the voting system is either:

• Used for the management, support, or administration of a Federal election; or
• Has moved in or otherwise affects interstate or foreign commerce.

Moving Forward

Blumenthal and his two cosponsors {Sen. Graham (R,SC) and Sen. Whitehouse (D,RI)} are all members of the Judiciary Committee. This means that there is a good chance that they would have sufficient influence to have this bill considered in Committee. I do not see anything that would draw significant opposition to the bill. I suspect, however, that the current political back-and-forth on foreign political influence will cause slow movement on this bill, preventing consideration during the remaining months of this session.


The big problem with this bill is the lack of definition of ‘voting system’. While the new paragraph §1030(e)(2)(C)(I) looks like an attempt at a definition by stating “is used for the management, support, or administration of a Federal election” the subsequent inclusion of the next phrase “or, has moved in or otherwise affects interstate or foreign commerce” compromises that definition by overly expanding the possible universe of covered computers. I understand that the crafters were trying to specifically include State and local government computers, but a broader reading of that language, especially the word ‘support’, is encouraged by the way Congress has been talking about ‘election interference’ to include influence operations on social media.

I also am concerned about any broadening of the scope of §1030 generally without some sort of effort to ensure that studies of computer systems by legitimate security researchers are not stymied by application of this section by prosecutors seeking to protect owners from the embarrassment of being publicly told that their computers are poorly secured.
