Over a nearly two-year investigation, Special Counsel Robert Mueller has shown the sheer breadth of the Russian effort to meddle in the 2016 election.
From hacking into campaign email systems to using social media to stir up voters, the Russian effort hit at a number of soft spots in the American electoral system.
Experts say Russia didn’t stop there either, using similar strategies to attempt to influence the 2018 elections, and, they expect, the 2020 elections as well. They also warn that Iran and China may be mulling similar influence operations too.
Here’s what experts say would strengthen American elections against future attacks.
Use paper ballots
What Russia did: Russian operatives compromised at least seven states’ websites or voter registration systems prior to the 2016 election. In some cases hackers accessed voter registration databases, though officials say there was no evidence that votes were changed or that voters were taken off the rolls.
The problem: As of 2018, 14 states still used touchscreen, computerized voting machines that do not have a paper trail. That leaves them vulnerable to hackers seeking to manipulate election results, with no easy way to verify the results if machines are compromised.
What experts say: “I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack,” Dan Coats, the director of National Intelligence, said in July 2018.
How to fix it: Advocates say the simplest solution is to go back to paper ballots read by old-fashioned optical scanners. Apart from providing a backup in case of problems, they’re also cheaper than more high-tech options pushed by voting machine makers.
“Given the threat and the risk, there is no securable digital medium at the moment. And elections are too important that we have to place security over ease,” David Hickton, director of University of Pittsburgh’s Institute for Cyber Law, Policy, and Security and a former U.S. Attorney for the Western District of Pennsylvania, tells TIME. “Election confidence by the voters and the citizens flows from the belief that the elections have integrity, that they are secure and that we’re doing everything we can to protect them.”
Secure online voter rolls
What Russia did: Russian hackers successfully penetrated the voter registration rolls of several states and stole the personal information of about 500,000 voters. The hackers were “in the position to” change or delete voter registration data, although there is no evidence they did.
The problem: Some states had inadequate cybersecurity measures in place during the 2016 election.
What they say: “We were able to determine that the scanning and probing of voter registration databases was coming from the Russian government,” Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, told NBC in February.
How to fix it: States and local officials should prioritize cybersecurity. Officials managing elections should take steps such as mandating two-factor authentication on state databases, making backups of voter registrations and installing monitoring sensors.
“We are the custodians of some really valuable information that’s really the crux of our democracy,” Meagan Wolfe, the administrator of the Wisconsin Elections Commission previously told TIME about her state’s choice to institute multi-factor authentication for employees who have access to voter data. “We have a huge responsibility to make sure that only people who are authorized to view that information, or to make changes about how elections are administered, are able to do that.”
What Russia did: There’s no evidence that Russian hackers changed voter tallies in 2016, but the only way to know about such efforts would be for states to audit their election results.
The problem: Audits typically involve a partial recount of results to make sure that the equipment and procedures used to count votes functioned correctly in a given election. This not only prevents errors, but also helps increase confidence in elections — a crucial part of any functioning democracy. As of September 2018, at least five states did not have paper trails to return to if computer-based voter machines were compromised, meaning it would be very difficult, if not impossible, to audit results.
What they say: “One of the terrifying things about a real threat — from Russians or anyone — is that they don’t have to change a lot of votes, or maybe any votes, to create a lot of fear,” Mark Lindeman, an election auditing expert at election security advocacy group Verified Voting, told TIME earlier this year. “That doubt persists.”
How to fix it: Traditional post-election audits typically look at a fixed percentage of voting districts or voting machines and compare the paper record of votes to what the results put out by the voting system on Election Night. Washington D.C. and 31 states require this kind of audit, according to the National Conference of State Legislatures.
These audits are better than no check, experts say, but the gold standard in election security is a different method called a “risk-limiting audit,” which uses statistics to conduct a more efficient review with strong evidence that reported vote tallies are correct. Just three states — Colorado, Rhode Island and Virginia — require risk-limiting audits, though more counties around the country are exploring ways to implement them.
Stop the spread of fake news
What Russia did: Russian operatives helped put “junk political news and misinformation” — including stories that are sensational or conspiratorial — in front of American voters, according to a report for the Senate Select Committee on Intelligence.
The problem: Russian operatives took advantage of the qualities that make social media attractive to users — information flows freely, and without an editor. Operatives can also use tools to target information to particular users.
What they say: “We cannot prevent all bad actors from using computational propaganda, but in democracies we can have guidelines discouraging its use,” reads one 2018 report by University of Oxford researchers at the Computational Propaganda Research Project.
How to fix it: Cracking down on fake news on social media is very difficult, partly because there’s simply too much information being produced online for moderators to go through it all. However, Facebook has been retooling its site to make it harder for misinformation to spread. It’s changed news feeds to prioritize content from users’ friends and family, launched a tool to limit the spread of pages that are disproportionately visited from Facebook and started a crack-down on groups spreading false information. Facebook and other companies have also launched new fact-checking services to check the truthfulness of information.
Make social media ad-buying more transparent
What Russia did: Russian operatives published at least 3,500 ads on Instagram and Facebook between 2015 and 2017. Many of the ads were targeted at people who feel strongly about divisive political issues, such as immigration and the Black Lives Matter movement.
The problem: The tools that make social media popular with advertisers, such as tools to target information to particular users, helped Russian operatives to profile users before sending them propaganda.
What they say: “[The Russian] social media campaign was designed to further a broader Kremlin objective: sowing discord in the U.S. by inflaming passions on a range of divisive issues,” Rep. Adam Schiff, then-ranking member of the Permanent Select Committee on Intelligence, said during 2017 hearings.
How to fix it: Twitter has started to label political ads, and Facebook has agreed to strengthen its ad review process for political ads and taken steps to make ad-buying more transparent. Critics argue, however, that the site and other social media companies should be placing all political ads in an external, public archive to keep the companies honest.
Improve technology policy
What Russia did: Russia used bots and trolls to drive public opinion and spread misinformation. In 2018, Twitter released a database of 10 million tweets that had been generated by Iranian and Russian-linked operatives.
The problem: Russian bots take advantage of the way social media works — divisive content is more likely to be shared and interacted with on social media. Bots are also able to spring into action right after breaking news to spread discord.
What they say: “Our results suggest that, given narrow margins of victories in each vote, bots’ effect was likely marginal but possibly large enough to affect the outcomes,” experts from the National Bureau of Economic Research wrote in a 2018 working paper.
How to fix it: Both Twitter and Facebook have been working to take down fake accounts. They’re also trying to be more transparent with the government on what’s happening on their websites. When Facebook CEO Mark Zuckerberg testified in front of Congress in April 2018, he admitted Facebook “didn’t take a broad enough view of our responsibility, and that was a big mistake.” That’s why, Zuckerberg said, the site was “working with governments in the U.S., the U.K. and around the world to do a full audit of” data that was misused.
But some say there could be more dialogue between social media sites, that might not be as well versed on election security, and legislators, who might not be as well versed on technology.
“There is pretty much general conventional wisdom that we have a real gap in terms of knowledge on the Hill and technology,” says Sarah Mendelson, a distinguished service professor of public policy at Carnegie Mellon, and a former US Representative to the Economic and Social Council at the United Nations. “I think we’re missing the development of something called public interest technologists — people who really know the tech side and who work on the Hill. There’s some people that are starting to address this issue and Carnegie Mellon is part of a number of universities and foundations that are looking at it, but things are moving faster than we have been able to respond to.”
With reporting by Abigail Abrams from New York