Election Security: What Can Governments Do Now?

By Dan Lohrman

Protecting the integrity of elections is a hot topic. From cyberattacks to fake news influencing public opinion to other forms of external manipulation that could undermine democracies, voting security has risen to become a top issue for global governments. Here’s what you need to know and potential next steps for the public and private sectors.

• What really happened with Russia in the U.S. 2016 presidential election?

• Were any votes changed as a result of hacked voter machines?

• How did social media and fake news play into influencing voter decisions on candidates?

• What must be done now to better protect upcoming elections?

These questions, and many similar inquiries, have been asked for the past 15 months, and some important new information has now surfaced to help in formulating judgments and hopefully gain closure. But regardless of pronouncements from leaders on the left, right and center of the political spectrum (who generally see this issue very differently), there is a growing sense of urgency for new actions to be taken regarding protections for future election security.

This election security topic is of paramount importance to our nation. As Juan C. Zarate, chairman and co-founder of the Financial Integrity Network and former deputy national security advisor for combating terrorism, recently wrote: “Fair elections are at the core of every democracy. Russia's actions surrounding the 2016 American election were aimed at undermining the confidence of the democratic process.”

What follows are several excellent recommendations to protect our votes. After framing the top election issues, this blog focuses on actions that governments need to take now.

Recent Election Security News Recap

Wherever you turn, people are talking about elections and voting security. Here are a few examples:

CNN: Mueller indicts 13 Russian nationals over 2016 election interference. “Special counsel Robert Mueller has indicted 13 Russian nationals and three Russian entities for allegedly meddling in the 2016 presidential election, charging them with conspiracy to defraud the United States. …”

Fox News: Trump turns Obama quote on election-rigging against him in Russia debate. “President Trump on Tuesday turned a 2016 quote from then-President Barack Obama against him in the ongoing battle over Russian interference in the election — claiming it shows Democrats are using the meddling as a belated “excuse” for losing. …”

NY Times: State Officials Say They Are Told Too Little About Election Threats. “The state officials expressed their unhappiness at a meeting of the National Association of Secretaries of State that ended on Monday. The officials from Washington, West Virginia and other states complained openly about the quality and speed of federal cooperation. …”

TheHill.com: Democrats propose $1.7 billion in grants for election security. “A Democratic congressional task force convened to study U.S. election security on Wednesday unveiled new legislation to help protect voting infrastructure from foreign interference.”

Business Insider: Paul Ryan has removed the head of a commission tasked with protecting US elections from cyberattacks. “The head of a federal commission who has helped US states protect election systems from possible cyberattacks by Russia or others is being replaced at the behest of the Republican House Speaker Paul Ryan and the White House.”

The Wall Street Journal (WSJ): Justice Department Unveils Cybersecurity Task Force to Protect Elections. “The Justice Department on Tuesday unveiled a new cybersecurity task force aimed in part at combating threats to the integrity of U.S. elections, as bipartisan pressure mounts in Washington for stronger countermeasures to deter future Russian and other foreign-backed campaigns targeting the vote. …”

Politico: Election vendors are feeling the heat. “The furor over fake news and Russian bots is overshadowing another weak link in the security of U.S. elections — the computer equipment and software that do everything from store voters’ data to record the votes themselves.

Now the voting vendor industry is receiving increased attention from Congress and facing the prospect of new regulations, after more than a decade of warnings from cybersecurity researchers and recent revelations about the extent of Russian intrusions in 2016. …”

What Is the Best Approach to Understanding Election Concerns and Solutions?

So how can we make sense of this issue and move forward? Who can we trust? Is there a pragmatic middle ground on election security that can gain a consensus in America?

To begin, I highly recommend watching this CSPAN video hearing on election security from the Senate Armed Services Sub Committee on Cybersecurity. The session is over an hour, but worth it.

The experts testifying in this video include:

• Robert Butler, co-founder and managing director, Cyber Strategies LLC

• Heather A. Conley, director, Center for Strategic and International

• Dr. Richard Harknett, professor, University of Cincinnati, Political Science

• Dr. Michael Sulmeyer, director, Harvard University's Belfer Center for Science and International Affairs-Cyber Security Project

There are too many perspectives presented to try and summarize this outstanding session, but one of the highlights includes the introduction of the State and Local Election Cybersecurity Playbook from the Belfer Center at Harvard. Here’s an excerpt from the Harvard website:

In November 2017, we released “The Campaign Cybersecurity Playbook” for campaign professionals.

Now we are releasing a set of three guides designed to be used together by election administrators: “The State and Local Election Cybersecurity Playbook,” “The Election Cyber Incident Communications Coordination Guide,” and “The Election Incident Communications Plan Template.” What follows is the State and Local Election Cybersecurity Playbook. …

I also really liked the perspective of Heather A. Conley, whose comments focused on societal communications issues, not technical issues, associated with elections. Her goal is to get the word out to all voters regarding their role in the process and to help people understand what happened in the past. Also, what is and will be done in future elections to try and sway the American public while harming trust in democratic institutions.

In other election security coverage, the Center for American Progress released their guide entitled: “Election Security in All 50 States,” which is looking specifically at state requirements and practices related to:

1. Minimum cybersecurity standards for voter registration systems
2. Voter-verified paper ballots
3. Post-election audits that test election results
4. Ballot accounting and reconciliation
5. Return of voted paper absentee ballots
6. Voting machine certification requirements
7. Pre-election logic and accuracy testing

To understand other conservative positions on elections, The Heritage Foundation offers this website on election integrity, which highlights why dissolving the election fraud commission was a true loss for the nation.

There are also excellent articles from several conservatives like Pat Buchanan on the Russian Troll Farm actions and U.S. historical actions in foreign elections from the past century. (Back in 2015, I pointed out the Russian troll farms were being used to undermine emergency response efforts using Twitter.)

The Brookings Institute offered these comments on voting security last year: “We need to fix that resource allocation problem. The integrity of the vote is a national-security issue of the first order. The federal government needs to be more forward leaning in mandating that states and localities improve their resilience against future cyberattacks and in providing resources to help ensure this is accomplished quickly. That means there must be paper records of votes, state-of-the-art cyber provisions for electoral systems, and auditable ways of tallying votes that can be checked and, if necessary, redone. The fact that the federal government has now declared our voting system to be critical national infrastructure should trigger the kind of funding needed for states and counties to mount credible defenses now — before the 2018 midterm and 2020 presidential races. …”

Mother Jones offered this perspective on paying for the needed security enhancement for voting machines: “A ProPublica analysis of voting machines found that over two-thirds of counties in America used machines for the 2016 election that are over a decade old. In most jurisdictions, the same equipment will be used in the 2018 election. In a recent nationwide survey by the Brennan Center for Justice, election officials in 33 states reported needing to replace their voting equipment by 2020. Officials complain the machines are difficult to maintain and susceptible to crashes and failure, problems that lead to long lines and other impediments in voting and, they fear, a sense among voters that the system itself is untrustworthy. …”

ForeignPolicy.com provides a substantial history on this topic, and calls for a 9/11-type commission on this topic. They insist that America must:

First, companies and nonprofits as well as state and local governments can organize and invest for cybersecurity.

Second, be preparing to counter cyberthreats from abroad.

Third, the United States needs a national campaign to ensure the American people treat the Internet as a risky environment that demands common-sense precautions

Finally, Thomas Friedman issued a “Code Red” for America in the NY Times this week, which received substantial media coverage.

While I share many of Friedman’s concerns (and I love several of his books), I also think he may be the wrong person to deliver this election message, since he has vocally opposed President Trump on most other topics. Simply stated, he has come out against the president on almost every policy position, so I seriously doubt that the White House or Republicans in Congress will listen closely to him on election security topics now.

One potential response could be a bipartisan commission led by two respected leaders (one from each party) that could restore trust in future elections and communicate the needed messages to the American people. See more below.

What’s Needed Next?

As shown above, there are numerous thoughtful proposals that have been released on election security over the past six months. The first step is to do your homework and understand the various security options. Listen to the C-SPAN session embedded above for some helpful perspectives and action items. Examine the Belfer Center and other recommendations and proposals.

Second, President Trump should appoint bipartisan commission led by respected leaders from each party to take bold action, work with state and local election officials, and respond with an action plan to restore trust. The work could be co-led by former President George W. Bush and President Barack Obama in order to restore confidence in our election processes and to communicate key messages to all voters. The Justice Department Cybersecurity Task Force to Protect Elections may help set the stage or aid the effort.

Third, funding and resources must be provided for state and local governments to update voting equipment and modernize cyberdefenses and uncover threats before they harm us. Better relationships between the federal, state and local governments are needed on this issue.

Fourth, Homeland Security and the DoD must do more to defend elections and other critical infrastructure from cyberattacks from Russia and other nations and bad actors. This needs to include social media “fake news” and related processes that go well beyond voting machines or voter rolls.

Finally, communication is key. As Heather Conley expressed so well in her testimony (shown above), the wider voter messages and election security explanations must be delivered to Americans using many media channels. Listen to her recommendations to gauge opportunities to improve the discussion.

Final Thoughts

Back in March 2016, long before this topic became headlines in any major news media, I was one of the first security cyberexperts to ask the question: Could the election be hacked? Several industry colleagues mocked me in social media for writing that piece, because they thought election interference and attempted hacking of voter rolls was fear-mongering. (Those critics now acknowledge the importance of this issue.)

I also encouraged election security actions in January 2017. I urged leaders to take the needed steps to prepare for 2018 and 2020 immediately. Sadly, the same sense of urgency did not develop in 2017, which makes 2018 election changes much more difficult at this point. Primary elections are starting for 2018, and most states are not fully prepared for new election meddling or potential hacking attempts.

There are real grievances, whether they represent threats to values or material threats, which underlie America's vulnerability to false messages. To be effective, any plan must also recognize the legitimacy of such underlying hopes or fears, and take trustworthy steps to openly identify them and also bring the opposing stakeholders into a transparent clarification and resolution.

The Russian indictments have raised the profile of this call to action on election security as never before. America needs to address the people, processes and voting technology issues — right now.

govtech.com