The 2018 midterm elections are seven days away, yet our elections are not sufficiently secure.
There should be little doubt that the nation-state influence operations to infiltrate state election systems and private vendors in 2016 were a mere trial run for harder hitting efforts to come, perhaps in the 2018 midterm elections and almost certainly again in 2020. Director of National Intelligence Dan Coats says, “the warning lights are blinking red again,” while Department of Homeland Security Secretary Kirstjen Nielsen says that “our democracy itself is in the crosshairs.”
Coats has identified China, Iran, North Korea, and Russia as the “worst offenders” among nation-state actors targeting our critical infrastructure. More recently, he cautioned that these countries’ actions “are persistent, they’re pervasive, and they are meant to undermine America’s democracy on a daily basis, regardless of whether it is election time or not.”
Misinformation and influence campaigns are alive and well. These efforts look to accentuate the tribalism and division infecting the United States. Social media platforms cannot keep up. Thousands of accounts linked to Russia and Iran have been suspended, and more continue to pop up. It’s true, there is no technological silver bullet and most are working in good faith to limit improper influence. But the platforms’ initial disavowals of responsibilities, their business models, and genuine concern about limiting free speech have left them—and our policymakers—scrambling.
Influence operations are only one piece of the puzzle: there are grave threats to nearly every element of the country’s election architecture, something researchers repeatedly demonstrated even before 2016. Voting machines, voter rolls, tallying, and election night reporting are just some examples of potential threat vectors. These are exacerbated by supply-chain and third-party vendor vulnerabilities, which are impractical for local officials to monitor.
Despite heroic efforts since 2016, state and local election officials are underfunded and have much work to do to prepare for today’s cyber threats. These public servants are suddenly front-line cyber warriors thrust into defending our democracy against sophisticated nation-state actors.
That defense is no small task, and even successful defense against attacks on the outcome of the vote may not be enough to protect our democracy. Any number of attacks could create chaos or confusion among poll workers and voters, leading to a damaging loss of faith in election results even where those results are not maliciously altered. A nation-state rival does not need to alter actual votes if Americans do not trust the vote tally. Foreign adversaries are well aware of this vulnerability, which is exacerbated by Americans’ declining confidence in our elections. The paradox of finding a solution to this threat while avoiding very thing our adversaries seek to do—undermine our democracy—is not insubstantial. However, it seems clear now that the balance must tilt in favor of robust threat reduction given the obvious evidence of election interference.
The specter of cyber attacks on our elections should spark dread in all Americans. The federal government must act with the urgency, force, and funding that this threat to our democracy deserves. The Department of Homeland Security’s improved efforts to assist state and local election officials should be applauded; as should Congress’s appropriation of $380 million in funding for improving states’ election cybersecurity. But this is far from enough given the scale of the threats and the corresponding risk to our democracy.
The president himself must publicly declare—and convey through diplomatic channels—that there are consequences for efforts to interfere in our elections. Congress must act on stalled election security legislation. It should provide funding to replace insecure, paperless voting machines and better train election officials, and should condition states’ receipt of federal dollars on implementation of risk-limiting audits after each election to ensure accurate vote counts. In the longer term, Congress should also consider tighter regulation of election vendors and the supply chain of the broader election ecosystem.
Efforts to protect our elections from foreign interference demand nothing more than leaders doing their patriotic duty and should attract broad, bipartisan support. But I fear that partisan gridlock has left Washington unable to do what is necessary before November 6, leaving our 2018 elections vulnerable to attack. The states (which have primary responsibility over our elections) must therefore act quickly, even in the absence of much-needed resources from the federal government.
In the time remaining before the midterm elections, there is much state and local jurisdictions can—and, in many cases, continue to—do.
First, they must better protect their back-end election management systems, including ensuring cybersecurity best practices are in place. Second, they must know what to do in the face of an attack (and practice for it). This means initiating risk assessments now, running tabletop exercises, and being well-versed in plans for how to respond to and recover from attacks. States and localities must also be accurate and transparent in their communications with residents, explaining potential risks and how they are working to mitigate those risks.
Those states and localities that are still using outdated, insecure voting machines without paper audit trails (like most counties in my own state of Pennsylvania) must replace them. For some, this will unfortunately need to wait until after November given the realities of election administration. Once machines with paper audit trails are in place, states must also require statistically sound, risk-limiting audits after every election so that we know the results of our vote are accurate.
These actions are not a panacea. As with all cybersecurity threats, we must also focus on contingency planning and recovery, rather than naively believing we can prevent all attacks. But these basic steps, along with increased resources, will go a long way toward mitigating the threats to our elections.
These threats are not going away. I urge federal, state, local, and private support for the security of our elections, in 2018 and beyond. Our elections, and our faith in them, are not free. Once lost, regaining that trust in our elections would be no small task. This is the moment for Americans of every political stripe to come together to catalyze a national response to this extraordinary threat to our democracy. And on November 6, we must vote.