Election hacking requires an urgent response
- By Andrea Little Limbago
The Justice Department recently indicted 12 Russians for interfering in the 2016 U.S. presidential election. Unfortunately, the government has made much less progress on tackling the growing and ongoing threats to election security. With the 2018 midterm elections just a few months away, addressing those concerns is essential to the integrity of democratic institutions and U.S national security.
Although there has been intense focus on Russian interference in the 2016 presidential election, cyberattacks on elections are not a new phenomenon. The Obama and McCain political campaigns were both compromised a decade ago. The difference now is the increasing ability of attackers to target elections at all administrative levels. Adversaries are honing their election interference skills globally and applying many of the lessons learned to operations in the United States. At the same time, legislation to support election security remains stalled in Congress, making campaigns and election officials vulnerable targets this fall and for the foreseeable future.
Election interference is increasingly a global challenge and attack on democratic institutions. In June, the website of a presidential candidate in Mexico was hit with a distributed denial-of-service attack during an election debate. In Taiwan, a spike in cyberattacks on the government is coinciding with increased disinformation in the lead-up to the country's local elections in November. According to Freedom House, data manipulation and disinformation impacted at least 18 elections globally in 2016.
As disinformation and cyberattack tactics become more accessible, prolific and successful, more attackers are adopting those strategies at elections at all administrative levels. In 2016, voter registration rolls in Galesburg, Ill., were compromised not because they were specifically targeted, but due to vulnerabilities that matched the ones the hackers were exploiting. Most state systems were targeted during the 2016 elections, and at least a handful were compromised, according to “60 Minutes” and NBC reports. Earlier this year in Knox County, Tenn., the website of the election committee was disrupted by a DDoS attack the night of the election. Officials later learned the attack was a distraction for a more sophisticated compromise of their networks. Government officials have already publicly stated that two 2018 campaigns have been targeted with DDoS attacks.
Despite the mounting evidence of past and potential foreign and domestic election interference, national policy has yet to seriously address this modern threat. The Protecting the American Process for Election Results Act was introduced last September to require best security practices and auditing capabilities. The Defending Elections from Threats by Establishing Redlines Act, introduced in January, would use national security tools and responses to deter foreign intervention. Neither proposal has advanced beyond the introduction. We have also seen the bipartisan Secure Elections Act and the Protecting American Votes and Elections Act introduced without further action.
As proposed legislation piles up, the omnibus budget bill included $380 million for election security, 55 percent of which has been allocated to 26 states largely for patching and some training. At the same time, states are pursuing self-funded election security, resulting in great variation in security across the states. Some still lack any audit capabilities. For instance, Virginia recently replaced the touchscreen voting machines deemed most vulnerable, but five states still use such machines without any paper trail. These investments are necessary but are not sufficient to instigate the policy changes and technical modernization required for comprehensive election security.
Election security is multifaceted and involves disinformation campaigns and attacks on voter registration rolls, political campaigns, candidates and voting machines. Such interference chips away at democratic integrity. Given the global, national and local evidence of attacks on election security, it is essential to move beyond denial and partisanship and implement impactful, proactive and forward-looking policies with the resources to implement them. The legislation exists, but until election security is prioritized and well understood, state and local election officials and candidates must fend for themselves against well-resourced and motivated attackers.