Cybersecurity & Tech Democracy & Elections

2020 Is An Election Security Success Story (So Far)

Scott R. Anderson, Susan Hennessey, Rohini Kurup, David Priess, Jacob Schulz
Saturday, November 7, 2020, 11:33 AM

Heading into Tuesday, there was a very long list of things that could go wrong. Many have not come to pass so far.

Two voters walk up to a Fairfax County polling place in Virginia (PZ Sunrays/https://flic.kr/p/2k37xe1/CC BY-NC2.0/https://creativecommons.org/licenses/by-nc/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

On Saturday morning, the AP and major television networks called the U.S. presidential election for Joe Biden. The counting of votes continues, but... it’s over.

The election proceeded, in many ways, pretty much as expected. Experts warned for months that it would take days to project a winner as key states counted unprecedented numbers of mail-in ballots. Polls closed Tuesday night and, though the trajectory of the race has been clear since early Wednesday morning, the first projection came Friday. And as those same experts predicted, dramatic differences between those voting by mail and those voting in person produced red and blue “mirages” in various states. Press accounts in the days leading up to the election reported that President Trump planned to falsely and prematurely claim victory. He did. And predictably, even as certain defeat loomed, President Trump lashed out with inflammatory and unfounded rhetoric.

All of this was predictable; indeed, it was predicted. From a national security perspective, the surprise of the election was not what happened. It’s what didn’t happen.

Heading into Tuesday, there was a very long list of things that could go wrong. It’s still early, but so far, election security in 2020 is mostly a good news story. There are areas where we aren’t yet out of the woods; in particular, risks of disinformation and post-electoral violence remain. But already, there are clear successes and causes for optimism.

It’s not too soon to declare that Election Day itself went well. There were understandable concerns about violence at the polls; it’s been a banner year for far-right violence, gun sales are at record levels and the President had repeatedly instructed his supporters “to go into the polls and watch very carefully.” But violence did not erupt at polling places and instigators did not block access to voting sites. Only minimal voter intimidation efforts were seen. No domestic terrorism occurred.

What’s more, the voting itself was remarkably smooth. It was only a few months ago that professionals and analysts who monitor election administration were alarmed at how badly unprepared the country was for voting during a pandemic. Some of the primaries were disasters. There were not clear rules in many states for voting by mail or sufficient opportunities for voting early. There was an acute shortage of poll workers. Yet the United States saw unprecedented turnout over the last few weeks. Many states handled voting by mail and early voting impressively and huge numbers of volunteers turned up to work the polls. Large amounts of litigation before the election clarified the rules in every state. And for all the president’s griping about the counting of votes, it has been orderly and apparently without significant incident. The result was that, in the midst of a pandemic that has killed 230,000 Americans, record numbers of Americans voted—and voted by mail—and those votes are almost all counted at this stage.

On the cybersecurity front, there is even more good news. Most significantly, there was no serious effort to target voting infrastructure. After voting concluded, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, released a statement, saying that “after millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies.” Krebs pledged to “remain vigilant for any attempts by foreign actors to target or disrupt the ongoing vote counting and final certification of results,” and no reports have emerged of threats to tabulation and certification processes.

Some pre-election reporting suggested that Russia was targeting election-related systems, though U.S. officials were quick to clarify that they were seeing only opportunistic scanning and not activity that might undermine the integrity of election infrastructure. Still, a persistent concern in the lead-up to the election was that a foreign adversary might alter voter rolls or tamper with voting systems in a manner that would undermine public confidence, even if it couldn’t change votes. According to Krebs, that didn’t happen.

U.S. officials and outside experts worried about ransomware operations against voting systems, denial-of-service attacks on websites Americans rely on for election information and efforts to disrupt electric grids or transportation services to produce chaos in major cities. None of that took place. There was also concern that even non-malicious technical malfunctions might disrupt voting and fuel conspiracy theories—risks that were illustrated during primary voting in places like Georgia, for example. But election day proceeded smoothly.

The U.S. election is on track to produce a clear winner and when it does, Americans can be confident in the integrity of the technical systems used to record, tabulate and report their votes. That is a huge success. Election administrators are able to express a high degree of confidence in the integrity of votes, which is especially critical as the sitting president wages a campaign to undermine public confidence in the legitimacy of the outcome.

There was also no consequential foreign interference in the form of a hack-and-dump operation. Given the demonstrated effectiveness of this tactic in 2016, it’s notable that it didn’t play a significant role in 2020. It’s unclear whether that is for lack of trying. There were reports that foreign actors targeted campaign-affiliated groups but it’s unclear if that was part of more traditional espionage. And some efforts to dump hacked information seemed to have just not turned up anything especially worthwhile. The explanation might be better defense and information security practices, it might be traditional deterrence, or something else entirely. But a lot of smart people fretted over a DNC leak redux; it didn’t arrive before the election, though there’s still plenty of opportunity for mischief between now and January 20, 2021.

It’s worth pondering more broadly over what lessons to draw from the apparent success. What worked and why? Certainly credit goes to CISA’s impressive work in defending and securing election infrastructure more broadly and to U.S. Cyber Command’s strategy of defending forward. But will we learn enough in the coming months to draw specific conclusions? Was the Trickbot takedown a sufficient warning shot to discourage ransomware? Did sanctions imposed after 2016 effectively deter foreign actors? Did the political circumstances diminish the incentives to engage in malicious conduct? Perhaps we deterred through denial—faced with fortified systems our adversaries failed or gave up.

The reality, of course, is that it was some combination—or the totality—of these efforts that paid off. The details matter because the 2020 election will likely be a model moving forward.

The picture is more complicated when it comes to foreign actor disinformation. It looks like direct attacks on election infrastructure might operate as a red line for adversaries, but disinformation campaigns still don’t seem entirely off the table. It is still early—analysts only learned after the election about some of the foreign information operations in 2016—but so far it seems that the election saw relatively little significant foreign disinformation penetrate the U.S. information ecosystem. U.S. intelligence officials did publicly attribute a harassing fake email campaign to Iranian actors, but there’s no real evidence of systematic disinformation efforts by foreign actors. At least none that were especially effective.

Rudy Giuliani and other Trump allies did try to peddle damaging information of unknown (likely foreign) provenance about the former Vice President’s son, but the reporters at U.S. papers of record refused to take the bait. A Republican Senate report filled with conspiracy fodder about the younger Biden—and sourced to a known Russian asset—never really got any traction beyond the far reaches of right-wing media. As Ben Smith wrote in the New York Times about the Wall Street Journal’s refusal to run with Giuliani’s Hunter Biden story, “gatekeepers appear to have returned after a long absence.” And the platforms responded forcefully, if a bit confusingly, when the New York Post ran with Giuliani’s unverified claims. Giuliani and other Trump allies continued their efforts but were saved of oxygen in mainstream outlets.

Of course, coordinated foreign disinformation wasn’t the whole story in 2016 and it wasn’t here either. This election season saw plenty of domestic disinformation attempts. The Trump campaign official account, the White House social media director, Trump surrogates and the second-highest ranking Republican in the House all tweeted manipulated pictures or videos to damage Biden. Republican institutional actors offered little pushback, but Twitter and Facebook responded quickly to enforce predetermined manipulated media policies. On Twitter, baseless allegations of voter fraud have swirled—some have caught fire, some have gotten labeled by the platform. And yes, there have been huge disinformation problem areas as YouTube, Tik Tok, Twitch and certain parts of Facebook have all proven vulnerable to disinformation and slower to respond.

All of the above is reason for optimism, but significant dangers remain.

Having successfully prevented or defended against foreign countries attempting to delegitimize the election, now that effort comes from President Trump himself. In the days since the election, as votes are counted, Trump has baselessly claimed voter fraud and falsely and prematurely declared victory. The press and social media companies were prepared for this moment. Twitter and Facebook prepared clear policies to justify adding labels to false claims. After the President erroneously claimed victory at 2 a.m. on election night, some Republican Senators offered tepid pushback and the Fox News live broadcast morphed into a full-throated rebuke of the President’s claim. On Thursday night, when Trump again falsely claimed victory and attacked the integrity of the U.S. election process, networks cut away from his speech in order to fact check the torrent of lies.

As ballots continue to be counted, and Trump’s defeat becomes inevitable, he and his supporters are ramping up efforts. The unrelenting treadmill of disinformation has continued apace and taken on a much more violent tenor. The president’s tweets demanding ballots stop being counted inspired supporters to come out in force to intimidate poll workers to “STOP THE COUNT” in Pennsylvania, Arizona and Michigan. Facebook anti-lockdown groups have repurposed into coordinating mechanisms for an “Urgent call to action in Detroit;” a YouTube video with 400,000 views talks of Democratic election stealing and asks its viewers how long they’ll sit by and “not do anything about it.” Faced with Twitter’s speedy response, the President appears to have looked for secondary avenues to promote his disinformation campaign. High profile conservatives have joined him in baselessly suggesting voter fraud. Other Republican candidates who lost their races are now refusing to concede.

These efforts are not aimed at ultimately prevailing in the election—there is no realistic hope that Trump will win a second term at the ballot box. Instead meritless litigation is being used to delay the period of uncertainty for no other reason than to delegitimize the outcome and make good on Trump’s election night promise to fight the outcome all the way to the Supreme Court. None of the Trump campaign lawsuits produce any evidence of claimed voter fraud, and some have already been thrown out by the court. None of the efforts show any signs of potentially prevailing on the merits. And even if they did, it’s not clear they would impact the outcome in any particular state, let alone of the overall presidential election. But this has not stopped Trump and his supporters from typifying these actions as efforts to protect Trump’s election victory against corruption and fraud by Democratic officials--or from generating new unsupported and ultimately inconsequential claims regarding purported irregularities that worked to Trump’s disadvantage.

So what explains the inconsistent and largely tepid pushback from Republicans if there is no colorable lane to victory left open? In part, it may reflect that they believe they will benefit if President-elect Biden is weakened by claims of voter fraud and electoral irregularities when he takes office. Whatever the motivation, the response of “establishment” Republicans has not been sufficient to prevent Trump’s voter fraud narrative from catching fire among his base. Trump’s effort is a disinformation campaign and threat to election integrity in and of itself. It also creates a ripe environment for foreign adversaries to use disinformation to further fan the flames and to undermine an incoming president.

More alarmingly, these claims increase the risk of post-electoral violence. Experts worry that Trump’s baseless claims of voter fraud may encourage right-wing extremist groups who have continued to spread conspiracy theories about Democratic election-stealing to incite violence. Most notable among the signs of violence, law enforcement arrested two armed men from Virginia, whom police identified as “Trump supporters,” near Philadelphia’s vote-counting center. And Facebook removed a pro-Trump group that called for “boots on the ground to protect the integrity of the vote.”

But there remains ample room for mischief left in the process for selecting a president. State dispute resolution procedures need not be resolved until Dec. 8—and may even extend past that date--and the electors will not cast their votes until Dec. 14. Then nearly a month will pass before Congress will finally count the electoral votes and ultimately determine the actual president-elect on or about Jan. 6 before the ultimate transition of power on Jan. 20. At each juncture, disinformation both foreign and domestic may help legitimate actions aimed at disrupting the process. Few seem likely to succeed, but the possibility is real enough as to warrant continued vigilance against those seeking to disrupt the democratic process—including, if it comes to that, the president and his political allies.

Regardless, there’s a lot to be proud of here. The country pulled off a free and fair election without significant cyber disruptions, foreign influence or unchecked disinformation—all during a pandemic and in the face of active efforts by the president to undermine both the administration of and confidence in the election. But the final chapter of the story of the 2020 election has yet to be written. The president will do, as T.S. Eliot wrote of the Rum Tum Tugger, as he do, and there’s no doing anything about that. The question is whether other actors will stand firm behind the integrity of an electoral process that has performed better than many Americans believed it could perform under the extraordinarily trying circumstances the country faced this year.


Scott R. Anderson is a fellow in Governance Studies at the Brookings Institution and a Senior Fellow in the National Security Law Program at Columbia Law School. He previously served as an Attorney-Adviser in the Office of the Legal Adviser at the U.S. Department of State and as the legal advisor for the U.S. Embassy in Baghdad, Iraq.
Susan Hennessey was the Executive Editor of Lawfare and General Counsel of the Lawfare Institute. She was a Brookings Fellow in National Security Law. Prior to joining Brookings, Ms. Hennessey was an attorney in the Office of General Counsel of the National Security Agency. She is a graduate of Harvard Law School and the University of California, Los Angeles.
Rohini Kurup is a J.D. candidate at the University of Virginia School of Law. Prior to law school, she worked as an associate editor of Lawfare and a research analyst at the Brookings Institution. She holds a bachelor’s degree from Bowdoin College.
David Priess is Director of Intelligence at Bedrock Learning, Inc. and a Senior Fellow at the Michael V. Hayden Center for Intelligence, Policy, and International Security. He served during the Clinton and Bush 43 administrations as a CIA officer and has written two books: “The President’s Book of Secrets,” about the top-secret President’s Daily Brief, and "How To Get Rid of a President," describing the ways American presidents have left office.
Jacob Schulz is a law student at the University of Chicago Law School. He was previously the Managing Editor of Lawfare and a legal intern with the National Security Division in the U.S. Department of Justice. All views are his own.

Subscribe to Lawfare