The 2016 U.S. election constituted a watershed for democracies in the digital age. During the election cycle, fears proliferated among policymakers and the public that foreign actors could exploit cyber technologies [PDF] to tamper with voter registration, access voting machines, manipulate storage and transmission of results, and influence election outcomes. Russian information operations and disinformation on social media compounded these fears about election cybersecurity by raising questions about foreign interference with the election’s integrity. Similar worries have arisen with elections this year in France, Britain, and Germany, and the Netherlands opted to hand count ballots in its March election to prevent hacking from affecting the outcome. In May 3 testimony to the Senate Judiciary Committee, James B. Comey, former director of the Federal Bureau of Investigation, indicated that Russia had tried to tamper with vote counts in other countries and that it might attempt to do the same in the United States in the future.
Technical strategies [PDF] to protect election systems from cyber interference exist, such as stopping the use of voting machines connected by wireless networks and deploying machines that produce auditable paper trails. However, the events of 2016 demonstrate that more high-level political action is required to manage real and perceived cyber vulnerabilities in election systems. Government officials and nongovernmental organizations that support elections should adopt measures to protect election systems from online threats, deter cyber interference with such systems, and reassure citizens their right to vote is defended. Achieving these objectives requires local, national, and international actions to strengthen cybersecurity in election systems and to elevate election integrity in cybersecurity policies, human rights activities, and election assistance and monitoring.
Background
Digital technologies and the internet have affected how elections are conducted, including through internet voting and online voter registration. Although reliance on computers and communication networks for elections has garnered some attention [PDF], election cybersecurity has not been politically prominent within democracies.
Most democracies have not specifically criminalized cyber interference with election systems.
In the United States, the Constitution assigns responsibility [PDF] for elections to state governments. This “clunky” system means hackers have to breach numerous state and local electoral processes to achieve broad impact. After the “hanging chad” controversy of the 2000 election, Congress funded the adoption of electronic voting machines, which made computer, information, and network security critical to electoral integrity. The federal Election Assistance Commission (EAC) issued voluntary voting guidelines in 2005, which included security guidance for software, telecommunications, and wireless communications. However, in 2014, the Presidential Commission on Election Administration asserted [PDF] that the EAC’s process of adopting guidelines “has broken down” because of “a lack of commissioners” and “disagreement over the agency’s mission.” This commission identified tensions between computer experts and election officials over the security of electronic voting technologies. Although cybersecurity risks grew significantly after 2005 in the public and private sectors, the EAC took a decade to update its guidelines [PDF] to address these and other risks to election security.
Interest in, and security concerns about, electronic voting have also arisen in other democracies. Some, such as Estonia and Switzerland, began using online voting, but others returned to paper ballots after trying electronic voting technologies. The Council of Europe made recommendations for electronically enabled elections in 2004 and began updating them in 2015 to address technological developments, including new cybersecurity risks.
Challenges for Election Cybersecurity
In the United States, the constitutional assignment of election management to the states raises federalism problems for improving election cybersecurity. For example, state election officials [PDF], some members of Congress [PDF], and an EAC commissioner opposed the federal government’s designation of election systems as critical infrastructure. Additionally, the EAC has often lacked sufficient commissioners to function effectively, and proposed legislation seeks to terminate it. After the 2000 election, the federal government provided funds to help states modernize election systems, but when that funding ended, states often did not devote resources to improve and sustain updated systems.
Internationally, many democracies [PDF] are concerned about cyber threats to election systems. However, nationalist and populist movements have preoccupied the United States and European democracies with domestic problems and difficult relations over trade, defense and security issues, and Russia.
Generating U.S. leadership on election cybersecurity will be a challenge because the Donald J. Trump administration is unlikely to prioritize it. Without evidence, President Trump has attacked the U.S. election system as “rigged” by elites and riddled with domestic fraud, and he shows no willingness to confront Russia over its influence operations during the 2016 U.S. election or the 2017 elections in European democracies. This state of affairs requires actions at home and abroad not dependent on White House leadership.
Recommendations
A comprehensive strategy should heighten the political attention cybersecurity receives in efforts to ensure the integrity of elections; it should also make election integrity a more important part of cybersecurity policy.
At the international level, intergovernmental and nongovernmental bodies that monitor elections and provide assistance to electoral systems should craft harmonized international principles on the use of electronic voting technologies. These principles should address, among other things, election cybersecurity and should draw on recommendations from governments, international institutions, and nongovernmental organizations. The National Democratic Institute (NDI) has identified common features of existing recommendations, including on election system cybersecurity.
Such layered state, federal, and international actions would deter cyberattacks on election systems by making such attacks more difficult, costly, and ineffective. Furthermore, democracies should add specific offenses for interfering with election systems to domestic cybercrime laws and the Council of Europe’s Convention on Cybercrime. Criminal law should support the prosecution of hacking of election systems as it does cybercrime, cyber espionage, and economic cyber espionage.
Democracies should emphasize cybersecurity’s importance in protecting the right to vote in free and fair elections.
Democratic countries that have not already done so should declare that their election systems are critical infrastructure and that international law and cyber norms protecting critical infrastructure apply to such systems. Democracies should articulate that cyber interference with election systems violates the international legal principles of sovereignty and nonintervention; they should also identify diplomatic, trade, travel, and financial countermeasures, such as economic sanctions [PDF], that they will impose against state actors responsible for such interference.
Digital and Cyberspace Update
A newsletter featuring expert commentary from the Digital and Cyberspace Policy program on cybersecurity, digital trade, internet governance, and online privacy.
Allegations of, and fears about, cyber meddling in election systems undermine confidence in the democratic process and threaten citizens’ trust in voting. Protection and deterrence are necessary, but reassuring voters of the importance and effectiveness of election cybersecurity policies is also critical. The threats of foreign information operations and disinformation spreading through social media during elections make reassurance on election cybersecurity even more important.
First, government officials and nongovernmental organizations should identify the cyber threats election systems face before election cycles. Information about these threats would provide citizens with facts and guidance that can help make them less susceptible to rumors, disinformation, and sensationalist fears that are spread on social media. Second, government officials responsible for administering elections should demonstrate they can defend election systems from cyber threats through, among other things, explaining protective actions, testing defensive measures, and participating in oversight processes. Third, as election cycles unfold, officials should make clear to the media and the public how they are protecting election systems from cyber interference. Reassurance should include postelection reviews and revision of election cybersecurity strategies as needed.
No comments:
Post a Comment