27 July 2019

U.S. Elections Are Still Not Safe From Attack

By Lawrence Norden And Daniel I. Weiner 

Russia’s attack on American elections in 2016, described in Special Counsel Robert Mueller’s recent report as “sweeping and systematic,” came as a shock to many. It shouldn’t have. Experts had been warning of the danger of foreign meddling in U.S. elections for years. Already by 2016, the wholesale adoption of computerized voting had weakened safeguards against interference and left the United States vulnerable to an attack. So, too, the shift to digital media and communications had opened new gaps in security and the law that could be used for manipulation and blackmail. 

Russia—and perhaps other powers like China and Iran—will likely try to exploit these vulnerabilities once again in 2020. The United States was caught flatfooted the last time. Now, nearly three years after the Russian efforts first came to light, the United States has made relatively little progress toward hardening its electoral system against interference. Each day it waits to do so raises the likelihood of another election tainted by significant foreign meddling. 


Fortunately, there are still measures that Congress, the Federal Election Commission, and other policymakers can take to substantially blunt a future attack. With just over six months remaining until the New Hampshire primary and the start of 2020 voting, lawmakers and executive branch agencies should make election security a priority by upgrading equipment, guarding against hacking, and combatting foreign influence operations. 
SECURE THE EQUIPMENT

A recent Department of Homeland Security report confirms that in 2016, Russia most likely conducted “research and reconnaissance” against election networks in all 50 states. They breached and extracted data from one state registration database, used spear-phishing attacks to gain access to and infect computers at a voting technology company, and successfully breached election networks in at least two Florida counties. The very infrastructure that allows Americans to vote was under attack. 

The federal government has made some progress toward safeguarding these systems in the years since. State and local election offices now have greater access to cybersecurity advisers and risk assessments, and the states, the federal government, and the companies that provide equipment used at the polls share more information than they once did. Congress in 2018 provided the states with $380 million to spend on election security.

The United States still has a long way to go if it means to secure its polls.

And yet, with a vast, decentralized election infrastructure—composed of more than 8,000 separate local election jurisdictions—the United States still has a long way to go if it means to secure its polls. The machinery by which the country records and counts votes varies by county and even town, ranging from the manual counting of hand-marked paper ballots to the digital recording of votes on touch-screen computers. Voting equipment in many precincts urgently needs to be upgraded if it is to be protected from outside interference. 

Experts agree that antiquated, paperless voting machines, for instance, are dangerously insecure. And yet counties and towns in 11 states, including battleground states like Georgia and Pennsylvania, continue to use such machines. If someone tampers with a paperless voting machine, no independent paper record will exist by which to check the software results and correct for the manipulation. Congress should take steps to ensure that these systems are replaced before the 2020 election. But paper backups help only when counties and states review them. At the moment, only 22 of the 39 states that have paper records of every vote require post-election audits to ensure the accuracy of electronic totals. It is long past time for Congress to require such audits throughout the country.

Similarly, the risk assessments that electoral jurisdictions now employ can only be effective if the risks they identify are correctable. But the jurisdictions often lack the funds to address their security risks. In many cases, election officials know they should be upgrading their equipment to make it more secure but they simply can’t do it. To take just one example, local election officials in 31 states recently reported that they needed to replace their voting equipment before the 2020 election, but nearly two-thirds of them said they did not have the money to do so, even after the distribution of the $380 million from Congress last year.

House Democrats recently passed an appropriations bill that would provide state and local election jurisdictions with an additional $600 million. House Republicans have proposed a smaller $380 million. Neither amount would fully secure U.S. election infrastructure, but either could underwrite welcome improvements. Ultimately, Congress must accept that election security is a national security issue, and just as Congress has the responsibility to protect the country’s ports from foreign assault, so too does it have an obligation to provide states with the funds needed to secure elections.
GUARD AGAINST BLACKMAIL

Not all election interference involves direct manipulation at the polls. Russia’s most successful gambit in 2016 was probably the hacking and release of embarrassing emails from Democratic Party servers and private accounts. Thanks to extensive U.S. media coverage, the effort paid off handsomely. The special counsel concluded that President Trump’s campaign knew about, encouraged, and willingly benefited from this strategy but did not actively participate in it.

Russia has a long history of using damaging information (kompromat) to embarrass or blackmail prominent officials in other countries. The digital age has made such tactics easier to pull off and their fruits easier to disseminate. Though hacking into another person’s e-mail account and stealing their information is illegal in the United States, such laws hardly matter to a rival government. The only way to effectively guard against digital blackmail is to invest in protecting politically sensitive targets. In an ideal world, the government would finance these enhanced protections, but even if Congress does not want to spend additional money there are other legal changes that would help. 

Campaigns are short-term operations, and as such they are unlikely to invest their own funds in cybersecurity. But some finely tuned changes to campaign finance rules would allow them to accept outside resources for this purpose. The Federal Election Commission has already taken several steps in this direction. In May it ruled that a nonprofit established by the Belfer Center at Harvard’s Kennedy School could provide cybersecurity assistance to campaigns on a nonpartisan basis without triggering campaign contribution limits. It recently issued another opinion allowing a for-profit company to provide discounted assistance as part of its business model. While these piecemeal efforts are helpful, a more comprehensive solution probably needs to come from Congress. As a first step, Congress could exempt the cost of cybersecurity enhancements from limits on how much well-heeled national party organizations, such as the DNC and RNC, can give to affiliated candidates.

Once compromising material is stolen, few means exist to contain its influence. The First Amendment likely prevents the government from restricting the media’s use of stolen information. But the government could encourage the U.S. news media to alert audiences to attempted election manipulation and to choose not to report on stolen information. The French government credits such efforts with helping blunt Russia’s attempt to meddle in its 2017 presidential election through an election-eve dump of hacked information from Emmanuel Macron’s presidential campaign, interspersed with fake documents. 

When it comes to campaign behavior, however, Congress can and should draw some bright legal lines, and it should do so sooner than later. The Mueller report includes examples of Trump campaign officials encouraging the release of hacked information and entertaining offers for dirt on political opponents. While some of this conduct could have violated existing laws, Congress should clarify the law to eliminate any doubt that a campaign or party’s solicitation or receipt of any benefit from a foreign government is prohibited. Congress should also require campaigns to report credible offers of free assistance or collaboration from foreign governments and political parties and all payments to foreign vendors.
CLOSE GAPS IN THE LAW

In 2016, Russia unleashed a campaign of disinformation and propaganda that helped inflame the American electorate. The campaign focused on amplifying social discord; lowering turnout, especially in minority communities; and helping Donald Trump to defeat Hillary Clinton. Russian operatives used paid posts on social media platforms to reach algorithmically selected audiences while remaining invisible to the wider public. Some of the paid posts referenced candidates or campaign slogans, but most addressed divisive political issues or spread conspiracy theories in order to stir up social tensions and discourage voting. While the posts themselves were paid, they were designed to be shared for free. 

Russia used a large number of sham social media accounts, Facebook pages, and websites to address the same topics as those in the paid posts. These unpaid communications were also designed for widespread sharing. Many came from real people using assumed identities online, but some were generated by bots masquerading as live humans. Russian state-backed media organizations like RT and Sputnik developed and helped to further spread the content that appeared in both paid and unpaid communications. Russia was also behind some more traditional campaign advertising: according to investigative reporters for The Guardian, people with ties to the Russian government made substantial donations to at least one U.S. nonprofit, the National Rifle Association, which spent more than $30 million on campaign ads in support of Donald Trump.

Safeguarding American sovereignty must be balanced against fundamental principles like the free flow of information and the decentralization of power.

All of these activities were possible because of gaps in U.S. law. So-called dark money groups like the NRA are not required to disclose any of their donors, making them easy conduits for foreign cash. Internet campaign ads can also fall into a regulatory gray area: transparency rules and the ban on ads from foreign nationals apply only to communications containing specific words that “expressly advocate” for or against candidates. As such these rules are easy to evade. Issue advocacy that doesn’t reference any candidate is entirely unregulated. And while agents of other governments operating within the United States—including state-backed media entities like Russia’s RT and Sputnik, which have significant penetration in U.S. markets—can be subject to the requirements of the Foreign Agents Registration Act (FARA), the Act contains numerous exceptions and is underenforced.

Congress can close many of these gaps. The bipartisan Honest Ads Act updates rules governing transparency in campaign advertising to include Internet campaign ads beyond those containing express advocacy. It also requires major platforms to create public online databases of their political ad sales, which would include digital copies of the ads themselves and information about the audience the ad targeted, the number of views, the ad’s cost, and its purchaser. Passing the DISCLOSE Act, which has been introduced in every Congress since 2010, would eliminate the problem of dark money altogether by requiring nonprofits, such as the NRA, to reveal their donors when they engage in substantial campaign spending. Another bill currently before Congress, called the Deceptive Practices and Voter Intimidation Prevention Act, would make it a crime to disseminate false information online for the purposes of preventing eligible voters from voting or registering to vote, as Russian operatives did to minority communities in 2019. Congress should pass that bill. Finally, Congress must also wrestle with the question of what additional mandates could be used to uncover unpaid deceptive foreign online activity, including the use of bots and deepfakes (highly realistic fake video and audio content), without infringing on civil liberties.

Effectively securing the next election will require not just passing new laws but also enforcing the laws that currently exist. The Federal Election Commission often fails to do so, in part because of frequent deadlocks among its six members. Congress should reduce the number of commissioners from six to five and give the commission’s professional staff the ability to independently investigate violations of the law. Similarly, Congress can address FARA enforcement by establishing a FARA enforcement unit within the Department of Justice, and by allowing the statute to be enforced civilly as well as criminally, which would lower the government’s burden of proof to establish and remedy violations. Congress should require FARA registrants—including media entities like RT and Sputnik—to disclose their status as foreign agents in public communications, including television and radio broadcasts and paid advertisements.

As FBI Director Christopher Wray said earlier this year, “our adversaries are going to keep adapting and upping the game.” The United States must do the same. The tradeoffs will be difficult: countering foreign interference, like fighting terrorism, requires policymakers to wrestle with the basic question of how to defend the United States without unduly compromising its core values. Safeguarding American sovereignty must be balanced against fundamental principles like the free flow of information and the decentralization of power. That calculus is not always easy. But it must be made. The longer political leaders wait, the likelier that citizens will live to regret their failure.

No comments: