To defend US elections, we must recognize that the fault is in ourselves

A man completes his ballot at a privacy booth on Election Day at a polling station inside Knapp Elementary School in Racine, Racine County, Wisconsin, U.S., November 3, 2020. REUTERS/Bing Guan

US President Donald J. Trump’s recent firing of former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs is just the latest deep irony in the United States’ attempt to secure its national election system. Silencing the technical expert who asserts that technical solutions are meaningless in the absence of responsible public messaging is peak 2020.

Our election process is vulnerable to attack. And Americans have made it that way—partially through neglect, partially out of reluctance to demand better of elected political leadership. Say what you will about the national cyber strategy to “defend forward,” and the continued emphasis on Russian meddling, North Korean ransomware, and Chinese spying; the sources of our election vulnerability are domestic, and we must make them less enticing. It is time to put money toward state information infrastructure, to align public expectations with the pace of the democratic process, and to hold elected leaders accountable for lighting fires in information dumpsters.

Improve and fund state election infrastructure

If we want secure elections, then we must invest real dollars in redesigning state data infrastructure. And in return for those investment dollars, we must force states to reform their public-information policies. Elections are periodic, but their infrastructure is not. This infrastructure plugs into all the other parts of a state government’s data systems. Vulnerabilities in those systems are an election’s vulnerabilities.

While sexy headlines about voting-machine hacks are the media’s darling, it is the un-sexy systemic vulnerabilities of county- and state-level data-collection systems that need to be revamped and protected. Who holds your voter data? In most cases, the state’s Department of Motor Vehicles. Due to the National Voter Registration Act of 1993 (the Motor Voter law), voter data (birth dates, addresses, signature samples, etc.) is collected, regularly updated, and stored at motor vehicle-registration offices all across the nation. If you hated your DMV before, now you can be terrified. Federal law requires that this data be “transmitted” and that states “protect the integrity” of those systems. However, in true federated style, each state decides how to conduct that transfer and how to protect it. The result is a patchwork of vastly different degrees of voter-information security.

Furthermore, states need to reconsider what should be publicly available data. Virginia and Maryland voter rolls, for example, are available at no cost to any member of the public, with very few requirements to justify access to that information. When corroborated with campaign-donation information or other publicly available data, it is easy to assemble a targeting list for voter intimidation. Policymakers must think through how to design systems to be accessed and used responsibly. Failure to do this reveals the fundamental disconnect between information security and the wider problem of cybersecurity.

Poor data management, added to a climate of anxiety and crisis, creates opportunity. No actual hacking was even required for the somewhat bizarre but nevertheless concerning Iranian attempt to sow disruption during the 2020 US election. On October 8, the US Departments of State and Treasury announced the imposition of new financial sanctions against Iran. Subsequently, on or about October 20, voters in Democratic districts in Alaska, Arizona, Florida, and Pennsylvania received threatening emails purportedly from the right-wing extremist group known as the “Proud Boys” extorting them to “Vote for Trump or else!” The uncharacteristically fast US attribution of this scheme to Iran was the least interesting aspect of the event. The big story was that Iranian agents were free to use available voter data to any end they saw fit. It just shouldn’t be this easy.

Take the conditions for crisis out of election processes

We want our democratic process like we want our children’s fast-food combos: simple packaging, easily digestible, and with a sticker—now hurry up and get out of the booth! It should seem insane to expect to know the results of millions of votes within moments of the polls closing. And yet, in this nation, we do. We’ve allowed our media and its news cycles to build this bizarre expectation of elections as culminating spectacle.  

Not only does this place an intense amount of pressure on what is a fundamentally decentralized, under-protected, and county-organized system (did we mention under-funded?), but it literally invites predation. In an era of information operations and cyberattacks, the US system can no longer afford such risks.

It is time to take these conditions, which provide fertile ground for crisis, out of the election. Targeting an election is harder when the election is boring, plodding, and transparent. We must, for once, sacrifice the vanity of the pageant and make room for time. Slowing down means decoupling voting-day deadlines from broadcast schedules. It means we lose some excitement and the advertising dollars that flow from it. And it will require no small amount of patience. But if the nation can wait a week to know who won American Idol, we can take a collective breath on something a bit more important.

When disinformation comes from elected leadership

In cybersecurity parlance, the entire gamut of attackers—hacker armies, hackers for hire, espionage agencies, opportunistic criminals, and jerks—have established a foothold in our electoral process. Rooting them out will require more than just better technological telemetry and security logs. By removing officials such as Krebs, our elected political leadership has been complicit in giving attackers oxygen. These attackers now dwell as long as they need in both our cyber networks and our collective consciousness. The information environment in the United States is dirty, noisy, and full of insider threats. That’s not okay.

Americans inhabit a divided and distorted political landscape, exacerbated by a pandemic and political leaders who knowingly and aggressively facilitate disinformation. This has made US elections a tantalizing target. The incentives for adversaries to launch more attacks are clear. As they see it, the more confusion the better.

This is where we are right now with our electoral processes: doing the work of the malicious for them. There doesn’t have to be a cyber Pearl Harbor if we tear ourselves apart from within. The Russians and Iranians are simply playing in a playground we built for just these kinds of shenanigans.

Elected leaders must be held accountable for the veracity of the data and news stories they share. Full stop. In stable times, demagoguery is political cowardice. During national emergencies, it will be our undoing. It needs to cost elected political leaders something—money, jobs, reputation—to share shined-up garbage in public spaces for deliberation.

And yes, Russia, China, North Korea, and Iran still matter in the cyber threat landscape. Offensive cyber operations are a fact of the current era. But while we cannot eliminate all would-be attackers of US elections and data systems, we have the capacity to thin their ranks out significantly by making our elections harder to monetize and sensationalize. We owe those defending our democracy against such adversaries, and our democracy itself, that much.

Nina Kollars is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative and associate professor at the Cyber & Innovation Policy Institute at the Naval War College. She is a senior analyst for the Cyberspace Solarium Commission and a fellow at the Brute Krulak Center at Marine Corps University. She is also a certified bourbon steward.

Michael Rodriguez is a senior consultant with Mandiant in its Global Government Security Programs group, working in Election Protection Services, and is a delivery lead for the Insider Threat Program. He has over 20 years of experience in the field, believes there is a Douglas Adams quote for almost everything and can be found on Twitter @blackducksec.
