Cybersecurity & Tech Democracy & Elections

Cybersecurity Threats to American Elections

Michael Sulmeyer, Ben Buchanan
Wednesday, November 2, 2016, 5:12 PM

My colleague Ben Buchanan and I have written a paper on cybersecurity threats to American elections. While we examine operations that try to influence American voters—like the much-publicized hack of various Democratic Party entities—we also examine threats to voting infrastructure itself. We consider the motivations of hackers for targeting elections, the plausible threats to election security, and the effects of real and perceived manipulation.

Published by The Lawfare Institute
in Cooperation With
Brookings

My colleague Ben Buchanan and I have written a paper on cybersecurity threats to American elections. While we examine operations that try to influence American voters—like the much-publicized hack of various Democratic Party entities—we also examine threats to voting infrastructure itself. We consider the motivations of hackers for targeting elections, the plausible threats to election security, and the effects of real and perceived manipulation.

We tackle two vital questions. First, how concerned should we be about election cybersecurity? Second, how vulnerable is the United States to a foreign power or other actor trying to undermine the public’s confidence in our elections?

We argue that foreign intelligence agencies, most prominently Russia’s, have plausible motivations and capabilities for some kinds of electoral interference. In addition, there are other actors, such as terrorist groups, partisan activists, and groups with narrow parochial interests, which might seek to manipulate an election. There is a range of possible mechanisms for carrying out these threats, including targeting voters, voting rolls, voting machines, tabulation, and the dissemination of results. We draw on security audits and demonstrated cases of previous Russian operations in analyzing these risks. We argue that it is not just the reality of fraud that is concerning, but the perception of it. The effects of perceived illegitimacy can be deeply damaging and perhaps harder to counteract. In particular, persistent questions about electoral integrity may by itself advance foreign interests.

We put forth five recommendations for improving the cybersecurity of elections, showing their integrity, and guarding against threats. First, the federal government should designate election systems as critical infrastructure, catalyzing additional federal and state attention to improving cybersecurity. Second, backed by federal funding, states should purchase and deploy voting machines that generate a voter-verifiable paper audit trail. Third, states should expand their use of pre-election security audits to identify and remediate vulnerabilities. Fourth, states should establish or improve their post-election audit procedures, applying statistically rigorous methods to increase confidence in the reported results. Lastly, the United States should outline a clear policy on the seriousness of electoral interference as a means of deterring foreign adversaries.

You can read the full paper here.


Dr. Michael Sulmeyer is the Belfer Center's Cyber Security Project director at the Harvard Kennedy School. He recently concluded several years in the Office of the Secretary of Defense, serving most recently as the Director for Plans and Operations for Cyber Policy. He was also Senior Policy Advisor to the Deputy Assistant Secretary of Defense for Cyber Policy. In these jobs, he worked closely with the Joint Staff and Cyber Command on a variety of efforts to counter malicious cyber activity against U.S. and DoD interests. Previously, he worked on arms control and the maintenance of strategic stability between the United States, Russia, and China. As a Marshall Scholar, Sulmeyer received his doctorate in Politics from Oxford University, and his dissertation, "Money for Nothing: Understanding the Termination of U.S. Major Defense Acquisition Programs," won the Sir Walter Bagehot Prize for best dissertation in government and public administration. He received his B.A. and J.D. from Stanford University and his M.A. in War Studies from King's College London.
Ben Buchanan is an Assistant Teaching Professor at Georgetown University’s School of Foreign Service, where he conducts research on the intersection of cybersecurity, artificial intelligence and statecraft. His first book, "The Cybersecurity Dilemma," was published by Oxford University Press in 2017. Previously, he has written journal articles and peer-reviewed papers on artificial intelligence, attributing cyber attacks, deterrence in cyber operations, cryptography, election cybersecurity, and the spread of malicious code between nations and non-state actors. He is also a regular contributor to Lawfare and War on the Rocks, and has published op-eds in the Washington Post and other outlets. Ben received his Ph.D. in War Studies from King’s College London, where he was a Marshall Scholar. He earned master’s and undergraduate degrees from Georgetown University.

Subscribe to Lawfare