One of the central pillars of American democracy, or democracy anywhere for that matter, is a commitment to fair and free elections. Americans vote because they believe that their vote matters. And that belief is dependent on two things: First, that the information they use to make their decisions about candidates and issues is reliable. And second, that the infrastructure surrounding the electoral process is both secure and resilient. And both of those elements are now at risk.
Electoral security gained prominence as a national issue in the wake of the 2016 elections. There is evidence of possible foreign interference, and continued reports that a growing number of malicious actors may be targeting various parts of our electoral processes. These concerns have increased our awareness of numerous vulnerabilities that exist in our current electoral process, ranging from unsecured voting machines to foreign efforts to influence voters through social media.
As a result, election security was officially designated as a Critical Infrastructure by the Federal Government in 2017. This brought increased technical assistance and resources to bear on the problem. In particular, Congress appropriated $380M in 2018 through HAVA (Help America Vote Act) for state and local governments to improve election security, and additional funding may be forthcoming before the 2020 election. But money alone cannot solve this challenge.
The importance of Public Perception
One of the biggest factors setting this issue apart is the extent to which electoral Integrity is as much a function of perception and public confidence as it is of technical security. Electoral systems do not have to have actually been compromised for voters to lose confidence in the process.
It is useful to differentiate between confirmed (demonstrated or technically plausible), potential, and claimed threat activity. Even a threat that, after expert assessment, is determined to be unfounded or non-credible can still have an impact on voter confidence. To effectively combat fear, uncertainty, and doubt among the electorate, technical assessments need to be coupled with a proactive communications strategy that assures voters that due diligence is being applied to safeguard the integrity of the election process.
The challenge is that such messaging attempts to disprove a negative – to demonstrate that something didn’t or couldn’t happen. Similarly, simply describing a risk that is theoretically possible warrants nuance and context – for instance, reporting that a stand-alone voting machine can be compromised via hands-on access does not necessarily equate to a viable real-world exploit that can be used to successfully ‘attack’ an entire electoral system, either in practice or at scale. Of course, those communications need to reflect actual efforts to recognize and secure our electoral systems. This places a premium on election officials complementing their investment to secure election systems by creating – and exercising – both an Incident Response Plan and a proactive public communications strategy.
The systemic nature of establishing election integrity
Election integrity is a complex ‘system of systems’, with numerous opportunities for spillover and cross-contamination of real or apparent compromise. There is a system for voting, a political campaign system, systems used to share information about candidates and issues, along with multiple supporting ecosystems (supply chains, government networks, etc.). A failure or compromise in any of these can have ramifications for the entire process.
The voting process alone consists of a variety of functional systems spread across 8,000+ jurisdictions, with many election officials managing more IT assets than any other department in local government – and usually without any formal cybersecurity training or experience. Each of those thousands of jurisdictions has a local voting infrastructure consisting of myriad systems that can be directly targeted and compromised. These include:
In addition, there are indirect targets, such as official Government and political party web sites and social media accounts that are often overlooked as elements of electoral integrity. A failure to secure such channels could lead to serious consequences, such as the dissemination of false official information on polling day (e.g., misreporting locations of polling places) that could affect voter participation every bit as much as tampering with voter rolls or tallies.
Such disinformation can also be directed at communications channels such as local media or political parties, reporting false claims of concession or victory before the polls close. Relevant points of access and attack for all of these channels include targeting the personal devices or accounts of users or the official accounts and devices of political parties or news outlets, as well as exploiting the policies and technologies of those organizations that provide social media and other communications platforms.
The sum of these systems creates a degree of shared vulnerability not typically seen in other types of cyber-related threats, such as the theft of Intellectual Property. This is one area where the often overused metaphor “a chain is only as strong as its weakest link” genuinely applies.
This is not to say that the challenges we face are insurmountable. At its core, election security is a risk management problem, and because of that, well-developed practices in risk management and resilience should be built into the process for addressing its integrity.
Complicating the process further, however, is the complex web of players associated with elections, starting with all levels of government (local, state, and Federal Government), non-state entities (industry, ‘influencers’, vendors, and political parties), and, of course, the voting public. However, if approached strategically, this complex and multi-party ecosystem also means there are multiple options and strengths that can be brought to bear to create resilience.
Partnership is key to achieving that resilience, and building partnerships should be an on-going activity – not just one that occurs during election years. While local government is “where the rubber meets the road” in terms of voting, there are clear roles for the other players in the broader ecosystem.
Of course, of all the players involved in elections, the voting public plays the most important role of all. While issues around creating a more educated and informed citizenry is a topic for another day, American voters deserve our best efforts to ensure they have access to reliable information and secure voting systems free from tampering or influence. That is an essential hallmark of American democracy that we need to protect and preserve no matter the cost.
Learn more about Fortinet’s comprehensive, effective, and adaptive security solutions for today’s connected government.