Free, fair, and secure elections are preconditions of democracy. Yet despite the electoral disruption of 2016, these crucial pillars of U.S. governance continue to exhibit dangerous weaknesses. Congress and the executive branch have failed to take sufficient steps to secure U.S. elections. Risks to the vote continue to include vulnerabilities in voting equipment, weaknesses in campaign and party infrastructure, voter susceptibility to manipulation, and partisan voter suppression. As a result, members of both parties agree that some amalgamation of these risks places our elections in legitimate danger. With November 6 just two weeks away, we must now brace ourselves as a nation for impact and damage control. Hopefully, the post-election landscape will allow another attempt at a successful risk mitigation strategy—one that features better-coordinated action from government, the private sector, and civil society.
Election counting machine and voter registration system vulnerabilities
The first set of risks to U.S. elections lies in how votes are tabulated. Election counting machines and voter registration systems—the equipment relied upon by the government—are fallible. Instances of their failures, some of which wreaked havoc in 2016 and other previous elections, have been well documented. A faulty memory card (potentially from an “unauthorized source”) plugged into an election management system in a small Florida precinct during the presidential election of 2000 was part of pitching the nation into a more than month-long strife before a winner was declared. Over the past 16 years, direct-recording electronic voting machines (DRE) have incorrectly interpreted votes, failed to record them altogether, and crashed, creating long lines and delays that caused countless individuals to leave their voting places (or often the long lines snaking for blocks around those voting places) without casting a ballot. (One of the authors, Eisen, litigated these matters on behalf of injured voters and parties between 2000 and 2008.) The August 2018 Def Con conference, one of the world’s largest annual conventions for hackers and cyber security enthusiasts, featured nearly four dozen voting machines as part of their “Voting Village” exhibit designed to highlight problems with election equipment. Attendees hacked into the machines in short order, manipulating vote tallies and stealing voter data, among other interference.
Voter registration systems have security problems, too. This past July, Deputy Attorney General Rod Rosenstein reported that Russian intelligence officers successfully stole information on 500,000 voters from an Illinois election board website. A county database in Arizona, a Tennessee state website, and an information technology vendor in Florida were all breached as well. And these are just the breaches that we know of. Experts agree that cyber-intrusions into DREs and voter registration systems can be difficult to detect, and more sophisticated hackers are interested in both hacking into systems and in the ability to elude detection.
Many states are, at present, poorly equipped to deal with these vulnerabilities. Despite their problems, five states rely exclusively on DREs that do not generate verified paper audits. In these states, there is no means of confirming the count in the event of a machine failure. Other states that do use backups rely on outdated equipment. As of one recent survey, 21 states were not planning to upgrade their voting machines—or were unclear about their plans—before the November midterm election. Moreover, current post-election efforts to probe for electoral meddling are generally considered to be piecemeal and insufficient.
Even with respect to the many jurisdictions that use optical scan voting systems generating paper trails, computer scientists have demonstrated that those systems too are vulnerable to hacking and to changing the results. While false election tallies can be detected with those systems, that can only actually occur if jurisdictions go through a post-election auditing process. That is, authorities should as a best practice conduct audits of every election in those optical scan jurisdictions, randomly reviewing a statistically-significant percentage of the hand-marked paper ballots and matching them up against the election tallies from the optical scan machines. Disturbingly, only a tiny handful of states currently conduct post-election audits that are truly reliable for detecting false tallies coming from optical scan machines. The authorities must do much better if we are to have confidence in our elections in this new risk-infused environment.
Campaign insecurity
A second set of election vulnerabilities stems from the kinds of information generated by political campaigns themselves. According to Professor Charles Stewart III of MIT, individual campaigns are relatively less secure than voting machines and registration systems. For instance, in July 2018, Senator Claire McCaskill reported that Russians unsuccessfully attempted to access her Senate computer network with a phishing attempt. Russian hackers have also attempted to infiltrate at least three other congressional campaigns before the midterm election.
While campaigns are not directly involved in determining electoral outcomes, their networks contain confidential information that can be used maliciously. The Russian government strategically used materials acquired in its 2016 successful breach of the Democratic National Committee’s networks, including the personal email account of Clinton campaign chairman John Podesta, in an effort to influence U.S. public opinion in support of its own interests. Both major political parties have since taken steps to harden themselves from such intrusions.
Manipulation of U.S. voters
This brings us to the third type of risks to elections—the manipulation of U.S. voters. In addition to disseminating stolen information in the lead up to the 2016 presidential election, the Russian government embarked on a massive disinformation campaign aimed at swaying the opinion and ultimately the behavior of U.S. voters. Russian government bots and trolls propagated fake stories and conspiracy theories (and even organized inflammatory rallies) directed at increasing support for then-presidential candidate Donald Trump and harming his opponent, Hillary Clinton. Some have argued that these tactics were successful. Similar tools are at work today on a variety of controversial, partisan issues. Indeed, the Department of Justice has just charged a female Russian national with conspiring to “interfere in the U.S. political system, including the 2018 midterm election,” using the internet to amplify highly partisan issues in American politics as well as campaign for and against political candidates.
It is worth noting that disinformation campaigns intending to alter the outcome of a vote have a long history in the United States. In 1864, politically motivated journalists penned an anonymous pamphlet that stirred public fear that Abraham Lincoln (who was running for re-election) was a mixed-race eugenicist who advocated the intermarriage of blacks and whites to produce a superior race. Lincoln survived the slander and won the election, though historians have assessed that the spurious allegations harmed Lincoln’s public popularity. As the advent of the internet and social media have amplified disinformation’s effects and allowed for its further “weaponization,” the scale of the challenges that disinformation presents today is far greater than the lies that almost “sank” Honest Abe.
Partisan efforts to suppress voting
Finally, a fourth set of risks stems from partisan efforts to suppress voting. Recent polls suggest that voter-ID requirements, automatic voter roll purging, and frequent changes to polling locations implemented ahead of the 2016 election presented barriers to voting that disproportionately affected people of color and students—who, as demographic groups, are significantly more likely to vote for Democratic candidates. Leading up to the midterms, such suppression efforts continue in full force. Claims of widespread voter fraud (for which no evidence exists), have provided cover for officials to take further action that decreases equal access to the ballot box. Some examples include the suspension of 50,000 applications to register to vote in Georgia mostly submitted by blacks; a North Dakota law requiring a street address (upheld by the Supreme Court this week) that will make voting more difficult for Native Americans; and a new rule in New Hampshire that requires residents with out-of-state drivers’ licenses to obtain a New Hampshire one in order to vote, which presents a significant barrier to students.
Next steps
These four categories often are too broad for any single sector—whether government, business, or civil society—to handle on its own. When facing such systemic challenges, we typically look to the federal government to take the lead. But the GOP-led executive and legislative branches have largely fallen down on the job.
Congress has failed to pass legislation designed to improve U.S. election security since the Russian attack on the 2016 election. Proposed bills in both bodies were watered down, and now have stalled altogether. Though $380 million was allocated to states in March 2018 by the U.S. Election Assistance Commission for the purpose of securing elections, further funding proposed by Congressional Democrats was knocked down. The White House, for its part, has hindered the effort. It criticized the proposed election security legislation. Moreover, the chaotic nature of the current administration and the president’s long refusal to acknowledge the legitimacy of the Russian interference exacerbate the problem.
While some other actors have stepped up, much more must be done—if not before the midterms, than at least before 2020. Many states have taken measures to secure DREs and registration systems by updating equipment, but all should produce and safely store paper backups as well as limit or eliminate connectivity to wireless networks. Those states that do not currently mandate post-election audits should pass laws to do so. Election officials might also consider partnering with the U.S. Department of Homeland Security to conduct vulnerability testing, as officials in some states are already doing. In order to reduce the likelihood of individual hacking, all election officials, campaign staffers, volunteers, organizers, (and voters), should immediately utilize a series of easily implemented cybersecurity best practices.
Social media companies have begun to police their networks, more actively shut down fake accounts, and build election “war rooms.” However, some analysts conclude that these efforts have been “more talk than action.” Before the midterms and beyond, tech companies should increase cooperation between one another to standardize systematically their policies to defend against disinformation campaigns. Some feasible mechanisms include investing in technology to identify fake news through algorithms and crowd sourcing, reducing the financial incentives of fake news, and increasing online accountability by strengthening real-name policies and continuing to purge fakes.
The U.S. government should push back on external actors pursuing disinformation campaigns by developing a comprehensive deterrence strategy in collaboration with transatlantic partners. Such a strategy will appropriately punish election meddlers for their wrongdoing. Sanctions and diplomatic expulsions like those President Obama imposed against Russia in response to the 2016 election subversion were a good start, and the recently released National Cyber Strategy introduces a more activist stance. Though the plan entails risks of its own, some assess that it may serve as a stronger deterrent. The executive branch should carefully calibrate these policies moving forward.
Government entities must immediately refrain from further implementing restrictive voting policies, adopt inclusive ones, and encourage widespread voting from all eligible. Here, too, there have been some positive steps. Oregon adopted automatic voter registration, which if implemented by all states, could increase voting by 7.9 million within the first year. A similar system has been largely credited with boosting Vermont’s midterm election registration to a record high of 92.5 percent. Other promising policies include same-day voter registration, which has increased participation by an average of 5 percent when implemented, and early voting, which one study found to increase participation by between 2 to 4 percent. All states should follow the lead of others who have successfully increased turnout and implement policies designed to improve ballot access.
With the midterms hard upon us, campaigns, candidates, and all stakeholders should spend the next weeks considering not just prevention but response. What will they do if they detect suspicious cyber activity on or around Election Day? If any questions of significant cyber impropriety arise, candidates should refrain from premature concessions and states should be ready to conduct audits and/or recounts as available under state law and as merited. Voters have a critical role to play as well. They should report any indications of voter suppression or tech-based voting abnormalities, including through the use of civil society hotlines, such as that provided by the ACLU. And they should be patient with candidates who are not immediately ready to concede where significant questions have arisen.
If we are fortunate enough to survive another election cycle without major cyber upheaval, all stakeholders must move with urgency to make better use of the next two years than we did of the last two. A whole of society response is an admittedly ambitious recommendation. The myriad actors, many of whom have competing incentives, will be difficult to galvanize. But to address fully the complex threats to U.S. elections before 2020, a holistic approach focused on decreasing the effectiveness of attackers and holding them accountable will be required. U.S. democracy depends on the success of these efforts.
The authors would like to thank John Bonifaz, Adrienne Epstein, Colby Galliher, Kelsey Landau, and Kiersten Rhodes for their assistance.
Commentary
A perilous election looms
October 22, 2018