Happy Anniversary to America’s Most Corrupted Election
It’s never too late to make sure future votes are secure from foreign interference. Here’s how.
It’s the one-year anniversary of the day the American public elected Donald Trump president of the United States of America. It’s also the anniversary of the culmination of an unprecedented foreign adversary operation to interfere with and delegitimize the U.S. elections. The public has spent much of the last year debating whether such an operation really occurred, the extent of possible involvement of people in the United States, and what impact it might have had on the outcome.Far less attention has focused on how we’re going to stop it from happening again.
We previously noted the startling lack of concern demonstrated by the nation’s chief law enforcement officer, Attorney General Jeff Sessions, on the matter. Sessions testified before the Senate recently that notwithstanding the threat of future foreign interference, he’s not sure what the Justice Department is doing about it. It seems he hasn’t bothered to ask.
Unfortunately, Sessions isn’t alone. Despite enduring interest in the issue of election security among the public and on Capitol Hill, the Trump administration has taken remarkably few concrete steps to counter the threat of foreign interference in 2018, 2020, and beyond.
Below are some ideas on where the executive branch — with help from Congress — should start.
First, it needs to disentangle pure election security issues from broader information operations or covert influence campaigns. Information operations certainly impact the broader context in which elections occur and can interact with election security issues to further undermine confidence. But they should be understood as a separate issue, with a distinct set of available solutions.
Election security involves the more specific threat to election infrastructure and voting systems used in the management and administration of elections. Voting systems include things like voting kiosks, voter registration systems, election night reporting, and poll books (where voters check in). Depending on how broadly one construes election security, it also may involve protecting systems used by campaigns, parties, and candidates.
The information security community has busied itself over the past year proving the alarming vulnerabilities in these systems. At the annual DefCon cybersecurity conference, it took hackers about 90 minutes to thoroughly compromise U.S. voting machines in ways that would allow them to remotely change vote tallies.
To be clear, even if actually changing vote tallies isn’t a technical impossibility, it’s still extremely difficult to do so on the scale necessary to predictably change the outcome of a statewide or national election. The most probable actors with both the incentives and technical capacity to carry out sophisticated attacks are foreign governments. In order to successfully fix an election, they wouldn’t only have to beat forensic detection but also evade the U.S. and allied intelligence communities. The aftermath of the 2016 election demonstrated that is no easy task.
Unfortunately, the name of the game here isn’t just changing election outcomes. U.S. adversaries have set their sights on a more achievable goal: to undermine confidence in the electoral process. The intention here is to shake the faith of the American people in their government, in their processes and institutions, and in the selection of their leaders. In other words, an adversary doesn’t need to change the results to launch a successful assault on liberal democracy. And shaking confidence is a whole lot easier to achieve than predictably changing election outcomes. To do it, a malicious actor needs only to penetrate systems such that experts and election officials can no longer say with confidence that they are positive about the integrity of the system and the result it produced.
This means voting systems have to be secured in a way that protects against both the threat to the actual integrity of the results and to confidence in the systems generally.
The biggest roadblock at the moment is states.
In the United States, state and local governments, rather than the federal government, primarily administer elections. Unsurprisingly, states tend to push back hard at any perceived federal intervention in their electoral processes. That’s what happened when the Department of Homeland Security tried to offer voluntary assistance to states during the 2016 election, and Georgia’s secretary of state not only declined the help but also falsely accused DHS of improperly breaching state election systems. And when Trump’s voter fraud commissioners asked for election data from states, Mississippi’s secretary of state told them to “go jump in the Gulf of Mexico.”
At the same time, states are woefully under-resourced in funding, training, expertise, equipment, and auditing capabilities. For example, according to a Brennan Center for Justice report, 41 states have voting machines that are more than 10 years old. Many states lack funding to buy new machines or increase security. And there are huge variations not only between states but also in some instances from county to county.
It simply isn’t reasonable, under these conditions, to expect state election systems to withstand sophisticated nation-state attacks — to not only counter known threats but also to anticipate unknown threats and to do it in a way that keeps results clean and is understood by the public. The task is even more Herculean when one considers that a successful strategy must not only work to prevent attacks but also rapidly restore confidence in the event of a successful attack. It’s time for the federal government to step up.
Designating election systems as part of critical infrastructure — which the Barack Obama administration did in its final days — is a good first step. If the Trump administration now wants to make its own headway on these issues, without running afoul of states’ rights sensibilities, it needs to adopt an approach that is more carrot than stick. It can do so by developing a national strategy on election security that includes baseline standards and best practices and then by providing substantial federal funding to states to help meet those standards.
Tying large amounts of federal funding and support to meeting specific security standards developed at DHS and the National Institute of Standards and Technology is an obvious way to both address federalism concerns and get results. Sens. Lindsey Graham and Amy Klobuchar are leading the charge in Congress, offering amendments to the National Defense Authorization Act aimed at using federal funding to incentivize better election security practices that would take this approach. The executive branch can deepen these efforts by rolling out a comprehensive and actionable national approach.
Our adversaries have given plenty of thought to the security of the 2018 and 2020 U.S. elections over the past year. It’s time for the Trump administration to catch up.
Susan Hennessey is managing editor of Lawfare.