How to hack-proof the next election
We now know that Russian President Vladimir Putin ordered a comprehensive effort to interfere with the 2016 presidential election. This mission involved the cybertheft and strategic publication of politically sensitive emails, the placement and amplification of misinformation on social media, overt propaganda and efforts to penetrate the systems of dozens of state election authorities.
This is not speculation or political posturing; it is the public and high-confidence conclusion of the U.S. intelligence community. And it is wholly consistent with past Soviet and Russian use of “active measures” — intelligence operations meant to shape an adversary’s political decisions — with the strategic goal of undermining the integrity of and confidence in the West. Modern technology has only increased the speed, scale and efficacy of such actions.
This would be alarming even as a one-time occurrence, but as former FBI director James B. Comey recently warned, “They will be back.” The fact is that, so far, Putin has paid too small a price to meaningfully deter him in the future.
Here are five concrete steps the United States should take to meet this ongoing threat to our democracy:
First, President Trump must unequivocally acknowledge Russia’s attack on the 2016 election and clearly state that any future attack on our democratic institutions will not be tolerated. One of the oddest aspects of the president’s foreign policy to date is his refusal to criticize — let alone condemn — Russian hostility, be it directed at our elections or Ukraine, Syria or Afghanistan. The president continued to make inconsistent statements in Warsaw, claiming that “nobody really knows” whether Russia meddled in the 2016 election. No president should accept the representations of a foreign adversary over the considered conclusions of his own intelligence services. In all events, the president should demand a plan from his national security team to deter and prevent election attacks.
Second, the Department of Homeland Security and the Election Assistance Commission (EAC) should lead a process to develop election baseline cybersecurity guidelines and help states implement these best practices. For example, most people agree that every electronic voting machine should create a paper record that can be audited, but about a quarter of voters cast their ballots on machines that leave no paper trail. DHS is best positioned to harness government’s cybersecurity expertise, while the EAC, created after the 2000 recount, is experienced at working with state and local election authorities. The process should be collaborative, just as it was when the National Institute of Standards and Technology partnered with the private sector to develop a “framework” of measures and practices widely heralded as the gold standard in industrial cybersecurity. This process should ensure that every state establishes a comprehensive election cybersecurity plan. And Congress should establish a grant program to help states get there.
Third, we must develop a better system for sharing information between state and federal officials. While the U.S. election system is decentralized, the threats against it are not confined to state borders. In the lead-up to 2016, state officials were not adequately discussing election security with one another and the federal government. Even today, a number of officials are reportedly still in the dark about whether Russian hackers penetrated their systems. The federal government should create a “cyber-FEMA” to help detect threats to state and local election systems and then coordinate among Homeland Security, the FBI and the EAC to provide necessary intelligence and assistance.
Fourth, we must engage in a national policy discussion about the roles and responsibilities of our social media platforms and the steps they should take to protect our democracy from malign interference. The crown jewels of our economy, these companies have enormous reach and influence in our lives; we should not allow them to be co-opted for foreign information warfare. Understanding this, they have started to take steps to protect our citizenry from misinformation campaigns. Facebook recently began employing thirdparty fact-checking outlets to evaluate questionable news items and give them less prominence in users’ news feeds. In April, Google announced plans to rework algorithms to avoid driving traffic to sites promoting bogus claims. These measures are a start, but to develop a truly comprehensive solution we must engage all stakeholders and discuss the roles these companies, the government and individuals must play in protecting our democracy.
Fifth, the United States should work within international forums to establish the principle that an attack on election systems violates the principles of noninterference and sovereignty and would justify a robust response. A foreign attack on a bridge in New York or a skyscraper in Chicago would surely rouse condemnation as a violation of international norms; an attack on our election system — the very foundation of our democracy — is just as serious. But for norms to have teeth, they must be enforced. With the recent disclosure of penetration by Russia into states’ election-related computer systems, the United States should promptly impose additional sanctions on Russian assets and individuals. If not confronted, Putin will see no constraints.
These are steps we can take to help secure the future of our democratic institutions in the cyberage. We are on notice. We must act now.