Cybersecurity has become an increasingly salient topic in the realm of national defense. The reliance on technology for military, intelligence, and domestic infrastructure has made the disruptive potential of cyber-attacks for national security greater than ever.
Elections are uniquely at risk. The aftermath of 2016 highlighted the importance of cybersecurity in election integrity. Almost four-fifths of states in 2016 claim to have been victims of foreign interference, with most pointing to the Russian government as the source. This election-related cybersecurity threat is intertwined with national security interests, the U.S. response to cyber-attacks in 2016, and the implications for future election cyber-attacks.
i. Election Security as National Security
There is a vigorous public debate in the U.S. about how to ensure election integrity. Some issues, such as voter identification or campaign finance, divide along ideological lines about how to regulate politics and elections. Laws regarding foreign participation in American politics primarily concern national sovereignty. Safeguarding American government from foreign influence is a major theme in the U.S. Constitution – from its eligibility requirements for federal office, to restrictions against receiving “any present, Emolument, Office, or Title” from a foreign state. A country’s ability to independently manage its internal affairs is, by definition, tied to its sovereignty.
There are two major ways foreign influence can damage national security: by unduly influencing a certain political party or individual in a disadvantageous way for the target country, or by undermining the target country’s political process. In the former case, influencing election outcomes directly impacts who leads the government, and thus policymaking. A foreign government may seek to encourage shifts in foreign policy, national security strategy, or other areas in a way favorable to its interests. Altering those policies could damage the national security interests of the target country, since the foreign power is attempting to achieve a policy outcome that is optimal for itself, but not for the target country.
Even if foreign intervention does not secure policy changes, it can still damage the electoral process. The very fact of outside intervention, depending on how visible and widespread it is, introduces uncertainty into the minds of voters and other political actors regarding the validity of electoral outcomes. This has long-term ramifications for a government’s political legitimacy, which can lead to deterioration of the rule of law, a breakdown in governing institutions, or even resistance from those who perceive themselves to be disenfranchised.
ii. U.S. Election Structure and Cyber Security Doctrine
A consequence of federalism is the decentralization of electoral processes. The U.S. Constitution gives states significant power to administer not just state and local elections, but federal elections as well. Further, within each state, election administration is often delegated further to the county or municipal level. Among these jurisdictions are countless variations of voting methods (e.g. paper ballots, electronic voting machines) and separate voter registration records in different formats. Most states employ some kind of electronic voting method, while over a dozen use only paper ballots.
This decentralization and range of technological sophistication mean it is difficult for cyber-attacks to influence elections nationwide, but also difficult to coordinate a response to attacks across jurisdictions. This challenge is both legal and logistical: even if a federal authority could legally dictate procedures across multiple states that control their own election systems, how would it be able to enforce similar procedures in so many dissimilar jurisdictions?
The inability to coordinate prevents government agencies from developing comprehensive cybersecurity doctrine for elections. There have been major recent developments in cybersecurity for defense-related priorities – such as the creation of USCYBERCOM in 2009 and the articulation of Defense Department cybersecurity doctrine in 2015 – but those cannot help secure election integrity. Instead, the Department of Homeland Security (DHS) is the federal body that would need to coordinate federal action with the states, but even that role is shared with other intelligence agencies that monitor foreign threats and activities, like the National Security Agency (NSA) and Central Intelligence Agency (CIA). State sovereignty over election processes is an important constitutional safeguard, but the inability to build broad-based cyber defenses can undermine national sovereignty.
iii. 2016 Election Interference Methods
In January 2017, a declassified report released by the CIA, NSA, and Federal Bureau of Investigation (FBI) asserted that “Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the presidential election” in order to “undermine public faith in the democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.” The report further stated that “Putin and the Russian Government developed a clear preference for President-elect Trump.”
[Figure: Russian Interference Timeline]
The Russian influence campaign was multifaceted, according to the report. Its strategies can be divided into the following categories:
A. The dissemination of Kremlin propaganda through state-owned media outlets like RT and Sputnik, online political advertising, and social media.
B. Cyber operations against political parties, in particular the hacking of DNC networks and the leaking of internal communications to WikiLeaks, coordinated by Russia’s military intelligence agency (GRU).
C. Attempted cyber intrusions into state and local election boards, voting systems, and voter databases.
Although all three dimensions were part of Russia’s overall goal of disrupting and influencing the 2016 presidential election, the last category is most closely related to both cybersecurity and national security, because cyber intrusions into election-related systems can compromise sensitive voter information, election logistics, or electoral outcomes.
Category A is closely connected to fields like campaign finance and election law, and is outside of the scope of cybersecurity. Category B has a more obvious connection to cybersecurity, but operations targeted at political parties rather than public election infrastructure have less of a connection to national security. Political parties are sometimes referred to as “semi-public” entities, but their internal information systems are not managed by the government.
iv. U.S. Government Response to Election Interference
Throughout 2016, the U.S. government was aware of Russian efforts to influence the election. In July 2016, the FBI opened an investigation into contacts between Russian officials and Trump associates. By that point, Russian-backed hackers had already had access to Democratic and Republican Party servers for over a year. Clinton campaign chairman John Podesta was hacked in March, and the hacked DNC emails were publicized by WikiLeaks in July. In August, President Obama and three of his advisers received CIA intelligence detailing Putin’s orders and goals for election intervention.
During the final months of 2016, the Administration debated internally how to prepare for, deter, or punish Russian interference. Obama instructed his aides to obtain a consensus from intelligence agencies about Russia’s actions and intentions, to assess vulnerabilities in the election system, and to seek support to publicly condemn Russia. He also considered options to deter or punish Russia, such as cyber-attacks or sanctions to cripple its economy. During a September trip to China, he also confronted Putin in person.
Despite this, Russians reportedly attempted to penetrate election systems in at least 21 states, and at least three private providers of critical elections services. These efforts included examining voter databases, searching for systemic vulnerabilities, and attempting to alter data. A leaked NSA report found that GRU hackers had penetrated the computer systems of VR Systems, an election services provider, as early as August 2016, and used that access to send malware to 122 state and local election jurisdictions. The report concluded that it was “unknown” whether the efforts “successfully compromised the intended victims, and what potential data could have been accessed.”
Meanwhile, there was disagreement outside the White House about how to proceed. DHS Secretary Jeh Johnson and FBI Director James Comey met with key members of Congress in September to discuss Russian intervention. The parties divided along party lines between wanting to publicly accuse Russia and waiting until after November, out of concern that doing so would further undermine the integrity of the election. The Obama Administration soon became concerned that retaliatory measures against Russia, absent a consensus from the Intelligence Community, would appear politically motivated during a closely contested campaign. Frustrated congressional Democrats eventually issued their own statement on Russia outside the Administration. Secretary of State John Kerry’s push to investigate or confront Russia was also stymied by the White House. The fact that Clinton was widely considered to be the electoral favorite by a large margin also convinced many government officials that an aggressive approach was not necessary.
Coordination with the states presented difficulties too. At least 25 states received assistance from DHS in countering hackers during the campaign. But when Secretary Johnson arranged a conference call with state officials to coordinate federal measures, some Republicans denounced what they considered to be excessive federal involvement.
In the immediate aftermath of Trump’s election victory, intercepted communications captured senior Russian government officials celebrating the outcome; former NSA and CIA director Michael Hayden described Russian efforts as the “most successful covert operation in history.” The Obama Administration publicly vouched for the integrity of the election results despite Russian hacking attempts. Intelligence officials likewise told the public that there was no indication that Russian hackers had altered the vote count on Election Day – but did not reveal many other details. It would be several months before the extent of Russia’s hacking attempts would begin to come to light; state officials were not even informed about whether their systems had been compromised until September 2017.
During the post-election transition, Obama settled on a more modest set of penalties than previously proposed: the expulsion of 35 diplomats and closure of two Russian diplomatic compounds in New York and Maryland – all suspected of being connected with espionage – as well as a narrow package of sanctions. Putin did not even respond publicly to the sanctions. Several months later Congress overwhelmingly passed a package of stronger Russian sanctions. This led to greater diplomatic deterioration: Russia expelled over 700 U.S. diplomats, while the U.S. seized a diplomatic compound in California.
In the few weeks before Trump’s inauguration, the Intelligence Community reached its consensus and released the declassified report outlining Putin’s role in the 2016 election. On the same day, Secretary Johnson formally designated the country’s election infrastructure as “critical,” a designation under the Patriot Act and Homeland Security Act of 2002 that would allow for greater federal oversight of voting systems. The move brought criticism, most notably from Georgia’s Secretary of State, who had been a DHS critic during the campaign. The National Association of Secretaries of State also adopted a bipartisan resolution in February opposing the designation, and one U.S. Election Assistance Commission (EAC) member also questioned the move publicly. While serving as Trump’s DHS Secretary, John Kelly voiced support for maintaining the designation, despite the pushback. In August 2017, the EAC convened the Election Critical Infrastructure Government Coordinating Council to develop the partnership between the states and DHS.
The disagreement over designating election infrastructure as “critical” stems mostly from concerns that it would enable the federal government to take a more active, direct role in election administration in the states, despite their constitutional prerogative to manage such processes. Sectors labeled as “critical infrastructure” gain more access to classified information, training, and other tools, but would necessarily involve more federal oversight in order to provide those resources.
v. Evaluation of 2016 Response and Implications for Future Elections
Information is still being discovered about the true extent of Russian interference with voting systems and voter data. U.S. government assurances that cyber-attacks did not change vote counts, if true, demonstrate a baseline success in cyber defense. Still, the Obama Administration failed to fully deter cyber-attacks and other interference methods, and its response after the election likely will not prevent future efforts, although Congress and some executive agencies have led the way to further punish Russia and mitigate future risks.
The question that remains is: what are those risks? Director Comey detailed the Russian threat to the Senate Intelligence Committee in stark terms: “they will be back.” The apparent success of the 2016 operations means that Russia and other foreign actors are incentivized to expand on their tactics in future federal elections, and perhaps even beyond that.
Increased awareness and focus from the U.S. government on foreign hacking is an important first step. Cooperation between the states and federal agencies could also mitigate the challenges of decentralized election administration. A specialized task force or creation of a whole new federal body whose sole goal is the protection of our cybersecurity may add an extra firewall, or further complicate the tangled web of agencies in this realm.
But persistent distrust among Americans of public institutions like the media and the Intelligence Community, colored by political and cultural divisions, makes America ripe for a crisis in legitimation. That is a harder fix.
The threat goes beyond the U.S.: according to the NSA, Russia hacked France’s election infrastructure prior to its 2017 presidential elections, and was responsible for leaking damaging information about then-candidate Emmanuel Macron. A government-imposed media blackout may have been partially responsible for preventing the leak from influencing the election results. During Germany’s elections, a lack of verified Russian attacks (despite Russia having hacked data from Germany’s parliament two years prior) stemmed from numerous factors: higher trust of traditional media, agreements between the political parties not to exploit information from a cyberattack, and the exclusive use of paper ballots.
The example of those two elections yields potential insights. Although it is not legally feasible for the U.S. government to restrict information among media outlets as in France, attempts to rebuild cooperation between the political parties, and trust with the media, would go a long way in stymying future attempts at foreign intervention, should other preventative measures fail.