Key Adversarial Interests And Threats To U.S. Election Infrastructure

Analysts concur that Russia poses the most persistent threat, but the Trump administration has turned its focus to China and Iran, with Homeland Security officials instructed to “cease providing intelligence assessments on the threat of Russian interference.” Going into Election Day, concerns regarding election interference are pervasive, with 75 percent of Americans believing that Russia or other foreign governments will try to interfere in the election. Such fears are backed by the U.S. Intelligence Community (IC) which identifies Russia, China, and Iran as the primary threats to election security. Analysts concur that Russia poses the most persistent threat, but the Trump administration has turned its and the public’s focus to China and Iran, with U.S. Department of Homeland Security (DHS) officials instructed to “cease providing intelligence assessments on the threat of Russian [election] interference.”

According to DHS, adversaries will likely target election-related infrastructure by using various cyber tools, such as exploiting poor cybersecurity practices on protected election systems or networks, compromising election system supply chains, conducting denial-of-service attacks, and more. Though key adversaries, specifically Russia, China, and Iran, have strategic geopolitical goals, other actors including Advanced Threat Persistent (ATP) groups and cybercriminals also represent notable threats to election infrastructure security.

Russia

Vying for international recognition and status, Russia seeks to constrain and undermine U.S. authority, according to foreign policy experts, and reassert itself as a global player with global and regional influence, particularly in regions where great power is absent or where there are multiple great powers (e.g. the Middle East, the Arctic). Given the U.S.’s economic, political, and military strength as well as its participation in NATO, Russia is unlikely to initiate a direct conflict with the U.S., but rather counter the U.S. where it can do so at acceptable costs through nontraditional means such as cyberattacks.

These efforts are deepening and becoming more targeted and refined. Between 2014 and 2017, the Russian government researched the “U.S. electoral process and related technology and equipment” specifically directing activity against U.S. voting boards at state and local levels. This was not the first Russian attack on election infrastructure. In addition to the 2016 hack on the Democratic National Committee (DNC), pro-Russian hackers infiltrated Ukraine’s central election computers in 2014 and rendered the vote-tallying system inoperable. The same year, Poland’s electoral commission’s website was also hacked, and in 2017, alleged Russian hackers leaked emails from the En Mache party ahead of the French elections. Given past demonstrated successes in entering U.S. election infrastructure and other election systems, experts assert that Russia is likely to continue its cyberattacks on voting machines in the 2020 election.

China

Recognizing the economic interdependence with the U.S. and benefits of engagement with the global international system, China is seeking to improve its relative posture globally through economic and technological means. China’s growing control over the ICT and digital media environment internationally—particularly in 5G , creation of the Strategic Support Force in the Chinese military which centralizes the PRC’s space, cyber, electronic, and psychological warfare capabilities, integration of big data into its Belt and Road Initiative (BRI), and installation of fiberoptic networks around the world suggests that China is investing in its cyber capabilities. China’s goals are to capture global market share, export its technology and domestic surveillance model abroad; censure content that is “politically sensitive” and damaging to the communist party’s legitimacy ; and conduct state-backed media campaigns, and cyber espionage operations. For instance, China used malware to target Tibetan individuals and organizations and in 2019, the Chinese government allegedly launched disinformation campaigns during the Taiwanese elections.

According to the director of national intelligence, China prefers that former Vice President Joe Biden win the 2020 elections, and researchers from the Harvard Belfer Center for Science and International Affair’s contend China possesses a higher capability than Russia and Iran to use cyber to achieve its policy goals. Reported instances of Chinese election interference have mainly been in the form of disinformation campaigns, funding preferred candidates, and cyber espionage operations such as attempting to hack the 2020 U.S. presidential campaigns. However, experts agree that China is unlikely to be as active as Russia in this election cycle or use similar Russian tactics such as hacking directly into U.S. voting machines given its manifold interests in preserving and strengthening the PRC’s role in cyberspace.

Iran

After Stuxnet, a 2010 malware attack made against Iranian nuclear facilities, Iran has invested more than $1 billion in its cyber capabilities to enhance its cybersecurity posture. Iran uses its cyber capabilities across various strategic dimensions, including: to surveil and control its domestic population and prevent another Arab Spring ; to project its regional power by targeting Israel, Saudi Arabia, Bahrain, and other Persian Gulf countries’ critical infrastructure and data; and to undermine and challenge global powers, notably the U.S. and U.K.

While Iran poses a threat to U.S. election systems given its activities in cyber espionage and attempts at cyberattacks on critical infrastructure, Russia and China remain relatively more capable nation-state cyber actors—and thus greater risks. While Iran poses a threat to U.S. election systems given its activities in cyber espionage and attempts at destructive cyberattacks on critical infrastructure such as energy and financial institutions, Russia and China remain relatively more capable nation-state cyber actors—and thus greater risks. Recent Iranian activity, particularly using voter registration data to send threatening and fake emails, suggests that while Iran has been credited for conducting multiple cyberattacks, Iran’s cyber capabilities are still developing, especially abroad, and it can’t yet orchestrate a large-scale, multi-vector attack on voting machines. Iranian efforts, instead, mostly focus on online disinformation and propaganda as well as cyber espionage operations, such as trying to identify and attack a U.S. presidential campaign, government officials, and journalists or targeting organizations critical to the democratic process, including nongovernmental organizations (NGOs) and think tanks that work with candidates and political parties.

Russia and U.S. Elections: Disrupt, Divide, and Undermine

Unlike the use of traditional military force, the goal of cyberattacks is not destruction but disruption. According to the Estonia Foreign Intelligence Service, Russia’s goal in the U.S. and other Western elections is to ensure a more beneficial result by favoring Russian-friendly candidates, show how the West is failing to hold fair elections, and support its rhetoric of Western double standards. In the 2016 U.S. elections, Russia primarily used disinformation to erode public trust in the democratic process and “sow divisiveness” among U.S. citizens. Its efforts (as well as others’) were successful. While Americans’ confidence in elections has deteriorated since 2012, it reached a low point in 2016 following Russian interference in the elections. Today, 59 percent of voters say that they are not confident in the honesty of elections in the country.

Russian hacking has evolved, however, from the “cognitive level: propaganda, doxing, influence operations” to a “tactical, technical level” targeting civilian and military infrastructures, notably having used Ukraine as Russia’s main testing ground. “Information troops” and APT groups are central parts of Russia’s cyber information operations (IO) toolkit. According to the report by the U.S. Senate Intelligence Committee on Russian active measures campaigns, most known Russian cyber efforts have targeted the U.S. and its allies online and via social media to undermine trust in authorities, spread disinformation, and manipulate data to influence elections. Technical indicators such as RAM scrapers to bypass encryption, spear-phishing campaigns with third parties hiding behind false online personas, and other advanced malware toolkits and frameworks such as the costly NotPetya attack suggest that the Russian government is investing significant resources to build large-scale cyber espionage capabilities and unique operational security designs that can be used to attack the 2020 U.S. elections.

While no votes were changed in voting machines in 2016, Russian hackers were in a position to compromise votes and voter data in all 50 states. Russia’s cyber capabilities and Putin’s support for the “patriotic hackers [who] add their contribution to the fight against those who speak badly about Russia,” has emboldened hacktivists (a portmanteau of hack and activism) to continue cyberattacks without penalties while providing a degree of plausible deniability to the Russian government.

The preemptive cyber operation made on TrickBot shows the necessity for all stakeholders to coordinate and identify key risks to prevent nation-state actors such as Russia from disrupting and undermining the democratic process. Although Russian cyber capabilities are not equal to the U.S.’s, experts assert that its offensive abilities supersede China’s and Iran’s, and ramping up to Election Day, Russia is evidently using a plethora of cyber techniques to affect the 2020 elections. Just in the past three months, Russian military intelligence tried but failed to hack into campaign staff members, consultants, and think tanks’ computers and most recently, Russia alongside Iran also obtained and used voter registration data to intimidate and influence voters. Then, in mid-October, Microsoft and U.S. Cyber Command launched a series of covert preemptive strikes on Russian hackers to prevent TrickBot, a vast network of infected computers otherwise known as a botnet, from being used toward voting infrastructure. If TrickBot is successfully deployed, even if no votes are changed nor data destroyed, the disruption of the malware would be enough to exacerbate the preexisting doubts on the integrity and validity of the election results. The preemptive cyber operation made on TrickBot shows the necessity for all stakeholders from the public and private sector to coordinate and identify key risks to prevent nation-state actors such as Russia from disrupting and undermining the democratic process.

Realism and Limitations to Election Infrastructure Security

Election infrastructure writ large includes everything from storage facilities, polling places, and centralized vote tabulation locations used in the election process. It also encompasses ICT for voter registration databases, voting machines, and other systems to manage the election process as well as report and display results on behalf of state and local governments. It notably does not include infrastructure used by political campaigns. The DHS does not have regulatory authority over federal elections but takes the lead in coordinating federal support for campaign and election security through the Cybersecurity and Infrastructure Security Agency (CISA), a subagency within DHS that is responsible for securing critical infrastructure and federal networks. However, and crucially, the agency has limited capacity to oversee or enforce cybersecurity protocols at the state or local level. States and localities are responsible for their own election security decisions and can choose to accept assistance from the federal government. In other words, DHS recommends election security policies and best practices, and the Election Assistance Commission’s (EAC) provides guidance on security issues, but states and local precincts need not follow them.

Compounding security issues is the fact that the U.S. election system is highly decentralized, with 8,000 jurisdictions across the country responsible for election administration. Combined with limited federal enforcement mechanisms, disparate security protocols, auditing, election equipment purchasing and management across the country increase the threat and likelihood of an attack. For instance, in 2016, DHS and the IC found that malicious actors scanned and probed states’ election-related systems through servers operated by a Russian company about which state and local election officials were unaware. U.S. Sen. Ron Wyden also asserts that the various cybersecurity protocols and standards at the state and local levels hinders the FBI’s, DHS’, and the IC’s ability to assess whether, or to what extent U.S. election systems have been compromised and therefore, what appropriate measures should be taken to enhance election system resilience. Conversely, analysts and experts contend that the U.S. system’s decentralized nature is its strongest asset. The variety of technology and protocols act as a deterrent to potential cyberattacks because actors must conduct several reconnaissance operations to learn each system and identify vulnerabilities and coordinate multiple attack vectors to orchestrate a large-scale cyber operation on each individual system.

Voting Machine Manufacturers: Critical Players in Safeguarding Election Integrity

Three private companies, Election Systems & Software (“ES&S”), Dominion Voting Systems (“Dominion”) and Hart InterCivic (“Hart”) manufacture and manage the vast majority of U.S. electronic voting machines, controlling 84.08 percent of total eligible voter population. ES&S is the largest vendor, holding 37.97 percent of the market share by precinct and servicing more than 90.31 million registered voters. Followed by Dominion who controls 35.14 percent by precinct and Hart with 10.97 percent by precinct.

Unlike other critical infrastructure such as defense, nuclear, and energy, electronic voting machine manufacturers are not subject to oversight. Beyond the EAC’s voting system certification, no laws require states to continuously implement cybersecurity standards in their systems and protocols. Manufacturers do not need to disclose any breaches that occur or test and audit voting systems with a third party, screen employee backgrounds, patch security flaws, report foreign ownership, disclose information about financial operations or company ownership, and are not open to scrutiny by contractors and subcontractors in their supply chains to either DHS or EAC.

Further, the EAC’s certification program does not have an enforcement mechanism, and the commission is not responsible for federal oversight of election vendors. It only tests machines when they are new, have never received certification before, have been modified, or if the manufacturer wants to be certified with a higher standard. Without sufficient oversight measures to ensure the integrity of voting machines, manufacturers are unlikely to implement the same level of security protocols in voting machines or accurately report if security measures fail.

Global Supply Chain Risks Are Substantial

Not only is U.S. election infrastructure vulnerable to malicious attacks, but faulty or malign operational parts could contribute to system failure. Voting machines contain foreign-manufactured components, with 59 percent of suppliers based in China and Russia, creating supply chain risks because foreign businesses procedures are not subject to federal oversight. Components may not have modern cybersecurity protections, outdated malware detection software may not be able to identify and remove threats, and replacement parts may not be available. Vulnerabilities in supply chains can enable data theft and hardware exploitation that cause a system or network failure. If the hardware has a vulnerability, unless the equipment is taken apart and parts are replaced, hackers will always be able to exploit it.

In response to supply chain concerns voiced by Congress and Interos, a global supply chain risk management company, voting machine manufacturers issued a joint industry statement in January 2020, highlighting best-practice measures to ensure the sanctity of American votes, including routine system review and testing by all levels of government and establishing reasonable levels of security for supply chains in their terms and conditions. In particular, manufacturers note that Interos’ analysis relies on the suppliers’ corporate locations to identify whether components are foreign-produced, rather than subsidiaries—failing to truly account for supply chain vulnerabilities.

Voting machines contain foreign-manufactured components, with 59 percent of suppliers based in China and Russia, creating supply chain risks because foreign businesses procedures are not subject to federal oversight. While voting machine manufacturers have made some efforts, the voluntary security measures they have put in place (e.g. training seminars, two-factor authentication, encryption, etc.) are still not enough. First, existing election system cybersecurity standards derive from a traditional threat model that focuses on potential election rigging by poll workers or election officials. Current standards do not consider nation-state adversaries that can conduct advanced operations against the voting system supply chain and the devices themselves.

Second, the lack of transparency in supply chains and operational protocols makes it unclear to what extent third parties organize and administer the technological tools for elections before voters cast their ballot. During an election, counties or states can hire a third party that is responsible for providing the online tools, voting machines, certification, counting, and supervision of the election process. Often, these third-party companies own and maintain the voting machines and rent them out to clients as needed. While some states and localities own voting machines, more research and oversight measures must be implemented to better understand the role third parties play in the election process.

Third, local election officials lack fundamental cybersecurity knowledge to recognize and help mitigate risks to election systems’ infrastructure and operations. For instance, in 2015 Maryland’s election systems vendor ByteGrid LLC was purchased by AltPoint Capital Partners, whose fund manager was tied to a Russian oligarch. Before the 2016 elections, DHS noticed suspicious online activity in Maryland’s election systems, but election officials did not know about the purchase or cyber activity until the FBI notified them in 2018. Although no evidence suggests ballot or data systems were compromised, it does not mean that no wrongdoing took place either.

Election officials do not have to participate in any cybersecurity training unless mandated by their state or local jurisdiction and are largely unable to identify cyberattacks. Only 28 percent of elected officials have basic controls to prevent phishing and some election administrators (5 percent) use personal emails or technology, which are less secure than government emails and devices. This makes them highly susceptible to falling victim to malicious cybercampaigns, particularly because 90 percent of overall data-loss occurs because of human error, usually through phishing or social engineering. Given the highly unregulated nature of the voting machine technology market and poor cybersecurity practices by manufacturers and election officials, experts anticipate that foreign adversaries will look at the supply chain weaknesses to harm U.S. election infrastructure.

Market Concentration Limiting Cyber- and Security-Related Innovations

The voting machine market also suffers from limited competition, which hampers innovation. State and local election boards mainly use Direct Recording Electronic (DRE) Voting Machines, Optical Scan Ballot Readers, and Ballot Marketing Devices (BMDs) to conduct election processes. Companies tend to sell products as a package with hardware, software, services, and support offered together, leaving little room for others to enter the market. The barriers to entry for potential newcomers are also high. Manufacturers’ registration with the EAC can take up to two years, and companies must meet certification and registration requirements with states and counties, which can cost on average, $2 million per certification for each voting system.

State and local jurisdictions reinforce this market concentration by establishing routine purchasing procedures with a single vendor. Purchasers look to those companies that have already passed state and local requirements and typically enter long-term contracts of at least 10 years. The voting machines can’t operate with other companies’ systems, making it difficult to replace one part with a different vendor without replacing the whole system. Because of this concentration, even if a voting machine does not perform reliably or consistently, states continue to rely on the same manufacturer because they are bound by long-term contracts that obligate them to buy a range of related equipment and supplies from the same company. Given the high costs to entry, saturated market, and limited market opportunity, the voting machine market is not attracting substantial private sector investment and needed security provisions are not being developed and installed.

Broader Security Measures are Needed: Simply Updating Machines Isn’t Enough

After the U.S. Senate Select Committee on Intelligence’s reports on Russian efforts to hack into elections in 2016, states and local jurisdictions began upgrading their systems and moving towards hand-marked paper ballots. But, 71 percent of states that wanted to replace and upgrade their voting systems could not because they did not have the $200 million to $400 million per electronic voting machine to do so. Today, nine states still have paperless DRE Systems, with New Jersey, Tennessee, Mississippi, and Louisiana having paperless machines making up more than half of their polling place equipment. On a paperless machine, manipulation can occur without a trace because there is no way to validate the integrity of election results or provide a paper ballot or receipt.

Other jurisdictions that were able to upgrade their systems opted for ballot marking devices (BMDs) as their primary method of voting for all voters. Unlike hand-marked paper ballots (the most secure voting method), BMDs are slow and often the cause for long lines at polls. It prints out a ballot summary card that contains two separate records of voter intent, one as a record on plain text and the other in a barcode or QR code. When the card is scanned, the scanner only reads the barcode which cannot be verified or understood by the voter or poll workers. Because of this, experts warn that a hacked, misprogrammed, or misconfigured BMD could record votes incorrectly. If the ballot summary card reads as expected, no one may notice the error. In fact, 93 percent of voters do not catch BMD errors on printouts when they do occur and some counties can configure BMDs to “auto-cast” so that voters are not even given an option to verify the printed ballot.

Today, 17.48 percent or over 36.15 million registered voters will use BMDs across 12 states with Arkansas, Georgia, South Carolina, Texas, and West Virginia having more than half their counties rely on BMDs for all voting. In Pennsylvania, 40 percent of polling places reported malfunctions with ES&S’ BMDs in 2019 which incorrectly recorded votes and forced a county to count back-up paper receipts to identify the correct winners. Even more concerning is that manufacturers are promoting the use of BMDs for all voters, particularly BMDs hybrids that combine with a tabulator and/or scanner. Researchers found hybrids could add falsified votes to the paper ballot after it has been cast, thus any manual audits would approve illegitimate receipts.

Although Congress allocated $425 million for election improvements for FY2020, it was not enough. In the next two to five years, it will cost $735 million to upgrade all equipment to current cybersecurity standards and $833 million for extra state and local election cybersecurity assistance. States and localities argue that given the international nature of potential foreign interference, the federal government has the responsibility to provide funding to replace voting machines. However, Congress contends that the government should not “federalize” a practice that is a state and local responsibility. In 2019, some states allocated as much as $150 million to replace voting equipment statewide, but the process to replace the machines is to span the next few years. Other states have relegated the decision-making process to local jurisdictions who require funds to build up over a few years to make major purchases.

While infrastructure improvements are needed, no machine is hacker-proof, even when hardware and software components are upgraded. Voting machines can be remotely hacked within 24 hours, but it can take a year or more and on average $8.64 million to identify a data breach, remove it, and contain damages. Simply segmenting a system from the ICT environment is not enough to stop malicious actors. Although a network layer can be “air-gapped,” that layer is the only one protected from potential compromise, and malicious actors can find alternative pathways. For instance, servers operate on other connected systems such as those connected to buildings, and unless all systems and technological components are equally air-gapped, advanced hackers can find vulnerabilities and bypass encryption to enter a system. The most notable example of such a hack is Target’s data breach in 2013. Despite the cybersecurity measures Target had invested in, 40 million credit and debit card numbers, along with 70 million phone numbers, addresses, and other personal information were stolen through a third-party HVAC provider who was remotely connected to Target’s internal network. Because of these risks, select states have resorted to paper ballots to administer elections. But most states that use paper ballots do not require audits to paper records and lack security protections, making them extremely unsafe to use, especially in close elections.

Only 34 states and D.C. require traditional post-election audits to provide high levels of confidence in the accuracy of the final vote tally and Colorado, Rhode Island, Virginia, and Nevada (which pilots statewide in 2020, all counties in 2022) are the only states with laws requiring “risk limiting audits” in their security protocol. Poor cybersecurity policies and practices are likely because of limited resources, lack of expertise and resources available to elected officials understand and identify cyberattacks, and a reluctance to adopt stricter security protocols because added computations slow down systems or make them harder to use.

Efforts to Go Wireless Amid COVID-19 Further Weaken Security

Despite security concerns and funding constraints, states have invested in enabling remote internet voting in place of paper-based systems to increase voter turnout and serve as an alternative to in-person voting amid COVID-19. Although internet voting may appeal to voters, no internet voting system is secure or reliable enough to use in elections. West Virginia, Denver, and Utah County offer online app-based voting using blockchain technology called Voatz for military and civilians overseas. However, Voatz’s blockchain technology offers no security, relying on HTTPS connection to transfer votes to the server. Assessments of the technology have found that hackers can access voters’ personal identification information and IP address, and change vote tallies. Compounding the risks, hackers could learn rough troop movements from military service personnel who use it.

Other states have connected machines to the internet to ease ballot counting and share results faster. Michigan, for instance, invested $82 million to install wireless modems in their machines. While enabling speed, internet connection also makes machines susceptible to remote malicious attacks, particularly “denial-of-service” (DoS) attacks. Hart, ES&S, and Dominion all have modems in some of their tabulators and scanners, which enable the devices to connect to cellphone networks and the internet. Currently, ES&S’s DS200 voting machine with optional wireless modems connected by AT&T, Sprint, and Verizon, face potential consequences from the EAC for inaccurately presenting its wireless technology as EAC certified. Manufacturers claim firewalls protect systems and the machines are not connected to the “public internet,” but no network is completely segregated. A completely isolated system would exclude software and certification updates and restrict file uploads.

To meet the highest standards of election integrity, either a system—at a minimum—must not be connected to the internet or the system must have end-to-end verifiability (e2e-v). This latter security measure is unlikely to be implemented by many localities because it will raise the cost of each machine and will stretch already limited resources. Today, Estonia is the only known nationwide internet-based voting system being used by a democratic country.

Learning from History: What the U.S. Can Glean from Election Interference Abroad

Despite recent headlines, foreign interference in elections is not a new phenomenon. From spreading online disinformation campaigns to infiltrating political organizations to channeling political money to support preferred candidates, for decades countries have been battling foreign actors who seek to politically influence governments to their favor. The Russian meddling in the 2016 U.S. elections simply brought to the American public’s attention the significance and magnitude to which adversaries could operate beyond their borders. Lessons can be learned from past foreign election interference and help inform a more coherent and robust U.S. cyberstrategy going forward.

Ukraine: Russia’s Playground for Election Interference

In 2014, before the presidential election, CyberBerkut—a group of Russian state-sponsored hackers that support Russia’s military operations—infiltrated Ukraine’s central election computers and deleted files to render vote-tallying systems inoperable. The group later posted that they “completely destroyed the network and computer infrastructure of the Central Election Commission [CEC]” and shared emails and documents as proof. While government officials were able to repair the system, before election results were revealed, experts discovered malicious software that would have shown a false announcement that pro-Russian candidate Dmytro Yarosh as the winner (who in fact only received 1 percent of the vote) and Petro Poroshenko as the loser (who received the majority at 54.7 percent). The Organization for Security and Co-operation in Europe’s Office for Democratic Institutions and Human Rights (OSCE/ODIHR) found the hackers disrupted election material receipt and processing, preventing District Election Commissions (DECs) from sharing results with the CEC.

Russia considers Ukraine to be part of its territory and a strategic asset against the West. Apart from Russian claims to cultural ties, Ukraine is strategically and commercially vital to Russia given that Ukraine is the main conduit of Russian natural gas, with almost two-fifths of all gas that services western and eastern Europe travels through Ukrainian pipes. Ukraine’s warm-water ports are also home to Russia’s Black Sea fleet.

The Ukrainian presidential election followed the 2014 Ukrainian Revolution that ousted the Russia-backed president, Viktor Yanukovych, and prompted Russia’s annexation of Crimea. The main candidates at the time made their opposition to Russia a core part of their platform and conducting a successful and legitimate election was critical for Ukraine to demonstrate its potential to integrate into the EU and NATO. According to a range of regional experts, election interference was key to Russia’s strategy to undermining these candidates, and their objectives.

Although Yarosh was not elected president, Russia’s cyberattacks on Ukrainian election ICT infrastructure helped contribute to the public’s lack of confidence in the integrity of the electoral process (26 percent). In response, the CEC implemented operational upgrades and policies to secure the 2019 presidential election, including:

• Modernized information security systems.
• Segmented office network and critical networks.
• Upgraded critical network and information security equipment (such as firewalls, proxy, and SIEM).
• Replaced systems’ major hardware and software components.

In 2016, the Ukrainian government issued a national cybersecurity strategy to “create conditions for the safe functioning of cyberspace, application of cyberspace, to benefit of individuals, society, and [Ukraine].” After repeated cyber intrusions to industrial and information systems, Ukraine also passed several laws on cybersecurity; specifically, it upgraded its Law on the Protection of Information in Information and Telecommunication Systems (1994) with the most recent amendment in 2020 requiring all “state information resources” to be processed in a “comprehensive system of information protection” (CSIP).

Key Lessons Learned:

1. No silver bullet can preserve election integrity, but decision-makers must identify what attackers are likely seeking in their systems and have a uniformed approach by all stakeholders to secure systems.

2. Increasing funding and upgrading operational systems are not enough. Protecting the democratic process is not only a technical issue; it relies on the confidence of the voters that their ballots process correctly and that the elections are open, free, and fair based on a secret ballot. Legislation and budget appropriation must reflect these values while also having practical and enforceable measures such as mandating basic cyber hygiene behavior to mitigate human error.

3. Vigilant network monitoring can help administrators detect and respond to malicious attacks. The Ukrainian case study highlights the urgent need for elected officials and poll workers to undergo basic cybersecurity training to identify suspicious activity from the time polling places open to when results are verified and revealed.

Estonia: Potential Prototype for Online Voting

Digital systems are an integral part of Estonian society and its economy and have been for some time. Ninety-nine percent of public services, including elections, are available online, with marriages, divorces, and real estate transactions as the only services unavailable digitally. In 2005, Estonia was the first country in the world to use internet voting (i-Voting) as an alternative to in-person voting for its national elections and was the first in 2007 to use i-Voting for its parliamentary elections. Recognized for its sophisticated cyber defenses, particularly against politically motivated hacking and disinformation by Russian malicious actors, the Estonian i-Voting model is often thought as a protype for successful online voting.

In the March 2019 parliamentary elections, 44 percent, or 247,232, of total votes were cast online. Using an ID-card or Mobile-ID, voters logged into the i-Voting system via computer to cast their ballot during a designated voting period. Individuals could change their vote any time during this voting period. Once a vote was made, the name was removed from the ballot and sent to the National Election Commission for counting. Digital signatures authorized votes, encryption secured voting, and blockchain enabled data integrity for non-repudiation.

While exceptionally advanced, the Estonia i-Voting model, as with any technology, is not completely secure. Key vulnerabilities include inadequate procedural controls, use of unsecure HTTP connection when setting up the platform, lack of security personnel to monitor site and hardware, poor cyber hygiene by operators (e.g. using personal devices to backup data), and no audit trails. Although no known instances of foreign hacking into Estonia’s online voting platform were reported, experts warn that online elections are largely “an academic research project,” that still poses significant security risks. I-Voting proponents, however, contest that internet voting mitigates risks because just one software needs managing, while voting machines require multiple pieces of software that no single entity can carefully oversee.

Key Lessons Learned:

1. It’s a myth that election infrastructure can be completely secure. Policies must balance accessibility and security, with ongoing training and monitoring necessary to target breaches early and manage outcomes. The inherent tension between elections and cybersecurity presents a number of challenges. Elections are principled on being open, free, and fair, and based on a secret ballot, whereas cybersecurity necessitates protecting data and information from unauthorized parties, ensuring the data is reliable and accurate, and only authorizing users to systems and resources they need.

   This tension results in an inability to verify votes because once a ballot is cast, the identity of the voter is removed, thereby leaving no way for election officials to trace the ballot back to a legitimate voter. In Estonia’s case, to increase transparency in the i-Voting process, Estonia published the server software code for public reference, use, and recommendations on how to improve security. But allowing public access to this code provides bad actors with the tools and information they need to identify loopholes and weaknesses. Stakeholders must recognize that during the election process, there is a trade-off between security and accessibility, and as the 2016 elections have shown us with Russian probing in voting machines, not disclosing the weaknesses in our security posture doesn’t make systems more secure. The US election system lacks transparency during the formulation and execution of the security process, and it’s leaving CI more vulnerable because of it. Known vulnerabilities must be shared with the public and appropriately managed. As the Ukrainian case study demonstrated, stakeholders must identify likely targets and input security protocols protecting processes and information to mitigate the risks.

2. Education is critical to building public trust in the security of ubiquitous technology. At the time online voting was introduced to Estonia, only 2 percent of the population cast their vote through the system. Over the past 15 years, consistent security testing, monitoring, scrutiny, and improvements to the system as well as ongoing educational campaigns to inform the public about the technology has increased public trust in the system. The key lesson for the U.S. and other countries is that modernizing and digitizing the election process cannot happen overnight and requires long-term commitment both in terms of ongoing technological development and effective educational campaigns.

3. Cybersecurity relies on individual responsibility and behavior. While it is important for citizens to know the security measures that are in place to protect the election process, it is equally as important for voters to understand the failures of cybersecurity protocols so that they are empowered to make informed decisions while also remaining vigilant for untoward activity.

The Nov. 3 Election and Beyond

A fundamental link exists between the trust in election infrastructure and confidence in a fair democratic process. Russia will likely continue to target U.S. voting machines given Russia’s recent cyberattacks as well as political motivation to weaken U.S. institutions and erode public trust. A more secure and resilient electoral process is vital to safeguarding U.S. national interests against Russia, or any bad actor—foreign or domestic.

Although the federal government provides some guidance, cybersecurity protocols such as user digital hygiene, use of malware detection software, and cybersecurity certifications are not a mandated national practice and need both greater attention and coordinated investment. While there has been some progress in securing voting systems in the U.S., the approach has not been uniformed or evenly applied across all 50 states. Many local jurisdictions procure their own election technology and are responsible for inventorying, securing, and training staff on those technologies. Resources vary across the country with some precincts relying on IT personnel, technology providers, or external agencies to secure their election infrastructure. Lawmakers and election officials have yet to understand the technical requirements to implement and maintain a secure voting machine. Although the federal government provides some guidance, cybersecurity protocols such as user digital hygiene, use of malware detection software, and cybersecurity certifications are not a mandated national practice and need both greater attention and coordinated investment.

There is also a lack of political will to develop and implement a coordinated response. Before the 2016 elections, President Obama was reportedly aware of Russian efforts to interfere in the U.S. election and warned President Putin that the law for armed conflict applies to actions in cyberspace, particularly election interference. However, Russia continued to infiltrate U.S. election infrastructure, and no known actions were taken by the U.S. The current administration demonstrates further unwillingness to respond to Russian election meddling. President Trump has accepted Putin’s denial regarding interference in the 2016 elections and has consistently dismissed Congress’ and the intelligence community’s findings related to Russian election interference. While U.S. sanctions may harm specific Russians hackers, they have not deterred Russia from continuing its cyber operations as recent efforts have demonstrated with its intention to continuously interfere in the presidential race in its final days or immediately after the Nov. 3 elections.

Looking beyond 2020, a number of measures could materially strengthen election integrity and critical infrastructure security more broadly. Adherence to all DHS election infrastructure recommendations and adoption of cybersecurity best practices by election officials and employees, including post-election audits to ensure voting integrity, would help harmonize protocols and minimize risks associated with the decentralized voting system. Expansion of the Help America Vote Act (HAVA) to include base level cybersecurity standards for all state voting sites would also help to harmonize approaches and close existing security gaps. DHS and the EAC can continue to provide the technical expertise and facilitate private-public sector partnerships to ensure that security is built into the system at the component level. The creation of incentives for vendors to incorporate robust security systems in future machine designs could also reduce the use of patches and ad hoc, reactive security measures. Moreover, decision-makers must also remain proactive and design legislation and policies to rapidly address ever-evolving cyber threats. The recently updated Defending the Integrity of the Voting Systems Act that now designates foreign and domestic hacking a federal crime is a step in the right direction, but more work must be done to develop a comprehensive robust cybersecurity policy response.

The EAC should also routinely test all machines and issue a cybersecurity certification that the machines are up to date with the latest security protections. Cybersecurity certifications are not new and have been used by the U.S. Department of Defense (DOD) for defense acquisition and sustainment. These initiatives could be funded through a reallocation of the U.S. federal discretionary budget, specifically the DOD’s current budget—because it is the largest cybersecurity budget among federal agencies—and increase DHS’ funding from its current $1.7 billion allowance.

Finally, further research not only in election infrastructure but other sectors is needed to closely examine supply chains and identify what risks could be exploited by adversaries in U.S. critical infrastructure. From food and agriculture to transportation, impacts to critical infrastructure by way of cyberattacks can have a debilitating effect on physical and economic security as well as public health and safety. Having a comprehensive understanding of all the risks to our systems will strengthen U.S. and other nations’ resiliency and mitigate risks to critical networks.

Elections are fundamental to democracy and more work needs to be done to strengthen election integrity and security. As the world becomes more digitally interconnected and technology continues to rapidly evolve, all levels of government, the private sector, and the general public must be vigilant and proactive in protecting this and other critical infrastructure underpinning society.