Campaign 2016

Cybersecurity Threats to American Elections

By Michael Sulmeyer, Ben Buchanan
Wednesday, November 2, 2016, 5:12 PM

My colleague Ben Buchanan and I have written a paper on cybersecurity threats to American elections. While we examine operations that try to influence American voters—like the much-publicized hack of various Democratic Party entities—we also examine threats to voting infrastructure itself. We consider the motivations of hackers for targeting elections, the plausible threats to election security, and the effects of real and perceived manipulation.

We tackle two vital questions. First, how concerned should we be about election cybersecurity? Second, how vulnerable is the United States to a foreign power or other actor trying to undermine the public’s confidence in our elections?

We argue that foreign intelligence agencies, most prominently Russia’s, have plausible motivations and capabilities for some kinds of electoral interference. In addition, there are other actors, such as terrorist groups, partisan activists, and groups with narrow parochial interests, which might seek to manipulate an election. There is a range of possible mechanisms for carrying out these threats, including targeting voters, voting rolls, voting machines, tabulation, and the dissemination of results. We draw on security audits and demonstrated cases of previous Russian operations in analyzing these risks. We argue that it is not just the reality of fraud that is concerning, but the perception of it. The effects of perceived illegitimacy can be deeply damaging and perhaps harder to counteract. In particular, persistent questions about electoral integrity may by itself advance foreign interests. 

We put forth five recommendations for improving the cybersecurity of elections, showing their integrity, and guarding against threats. First, the federal government should designate election systems as critical infrastructure, catalyzing additional federal and state attention to improving cybersecurity. Second, backed by federal funding, states should purchase and deploy voting machines that generate a voter-verifiable paper audit trail. Third, states should expand their use of pre-election security audits to identify and remediate vulnerabilities. Fourth, states should establish or improve their post-election audit procedures, applying statistically rigorous methods to increase confidence in the reported results. Lastly, the United States should outline a clear policy on the seriousness of electoral interference as a means of deterring foreign adversaries.

You can read the full paper here