
Election Security After Iowa

Simon Handler
Friday, February 7, 2020, 1:10 PM

The disaster of the Iowa caucuses is a vivid illustration of how public reaction to a mishap can be worse than the mishap itself.

Caucus participants gather during the 2020 Iowa Caucuses. (Ellen Macdonald, https://tinyurl.com/sbs8an2; CC BY 2.0, https://creativecommons.org/licenses/by-nc-nd/2.0/)

Published by The Lawfare Institute in Cooperation With Brookings

The Iowa caucus debacle is an illustration of election security failure in action. Inconsistencies in data, caused in part by an apparent coding error in a new smartphone app used for reporting results, delayed announcement of the caucus results—which in turn led to a media frenzy and drove conspiracy theories. The Democratic National Committee has now called for a recanvass in areas where irregularities were reported.

The lesson to be learned from this disaster is not merely one about the perils of smartphones in voting. It’s a vivid illustration of how public reaction to a mishap can be worse than the mishap itself.

The technical issues in Iowa weren’t all that severe, and while manual tabulation errors appear to have aggravated the accounting process, there’s no evidence to suggest an attack or electoral interference—we just had to wait longer than expected to find out what the results were. Set against the range of possible threats to election security and integrity, this was a pretty minor one. And yet the Iowa debacle showcased how unhinged conspiracies can inflict damage on democratic institutions that’s just as severe as more direct electoral manipulation—along with the risk posed by overblown electoral outrage. To the extent that Iowa was a dry run for more pernicious election security issues that might arise in the general election, just about everyone failed the test.

Discussions of election security often focus on hard security measures such as paper ballots, voter ID requirements and the security of registration databases—all of which safeguard against direct manipulation of election systems. But while there is still much work to do in securing balloting systems, there is far too little focus on the information ecosystem surrounding election security incidents. The U.S. government must take a hard look at indirect threats to elections, ranging from influence operations to organic reactions from the public and the media when incidents occur. This category of threat, deriving from cynicism, overreaction and misinformation, can be just as dangerous as a security breach.

If the Iowa caucus delay is any indication of how the public may react to an electoral snafu, a great deal more mayhem could arise from a far more serious threat. Iran and Russia have been shifting their sights toward targeting industrial control systems, including portions of the power grid, and the United States should be prepared for an attack on such systems, especially during election season—even temporary outages could influence voter turnout and force delays in voting and reporting. Moscow has shown a desire to undermine U.S. democratic processes, as evidenced by its interference in the 2016 presidential election, and Tehran has refined its tactics from indiscriminate attacks across tens of thousands of organizations to a laser-like focus on U.S. power and utility companies. The opportunity to wreak havoc on critical infrastructure while degrading public trust in democratic institutions is just the kind of attack that U.S. foes might dream up in an era in which adversaries are increasingly utilizing hybrid warfare techniques, blending information, technology and conventional means to achieve their objectives.

Consider a possible attack along the lines of Russia’s 2015 cyberattack against Ukraine. That effort, attributed to a Russian-linked group widely known as Sandworm, targeted and successfully compromised the networks of three Ukrainian power distribution centers and then remotely shut down electrical substations before destroying files. The attack left more than 230,000 people without power for between one and six hours. Disrupting power distribution at the right moment in the right portions of the U.S. grid, targeting a few select states or counties, could cause just enough disruption to bring on a level of chaos that would dwarf what happened in Iowa. Real but relatively minor issues, like lines at polling stations or delayed reporting, could be spun up in a disinformation ecosystem to generate a serious legitimacy crisis.

A more holistic approach to election security that accounts for this cross-sector threat is necessary. Hard election security is important, as the U.S. Department of Homeland Security recognized when it designated election infrastructure as critical infrastructure in 2017. But there is a critical communications angle to securing U.S. elections that still must be addressed. In January 2020, the Atlantic Council’s Cyber Statecraft Initiative hosted the Cyber 9/12 Strategy Challenge in Austin, Texas, in which teams developed policy responses to a simulated crisis scenario very similar to the one described above. The competition made it clear that strategic communications is an integral dimension of cybersecurity and crisis management, and the most successful teams incorporated such a plan into their overall policy recommendations.

The National Infrastructure Protection Plan represents one model through which the U.S. government could account for disinformation exacerbating election security incidents. The plan provides for cross-sector coordinating structures, such as the Critical Infrastructure Cross-Sector Council, to address interdependencies between sectors, coordinate policy and identify where cross-sector collaboration could advance national priorities. To complement its focus on electoral process integrity and the security of balloting and registration systems, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) should prioritize the development of a joint comprehensive strategic communications plan in coordination with the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response. Such a plan should involve a holistic disinformation risk assessment and outline clear mechanisms for each contingency, along with a campaign to build media literacy in order to prevent and mitigate public panic stoked by foreign influence campaigns.

A unified, direct and transparent strategic communications plan for fighting electoral disinformation is essential to counter doubt over the legitimacy of procedures that so many Americans take for granted. The U.S. government should not wait for a crisis bigger than Iowa to occur to develop such a plan.


Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. His research focuses on cyber strategy, counterterrorism and counterinsurgency, and the Middle East. Previously, he was assistant director of the Initiative, a role in which he managed a wide range of projects at the nexus of geopolitics and international security with cyberspace.
