Many challenges exist in the United States at the intersection of cybersecurity and elections, a cause championed by some and doubted by others. But with the 2020 campaign already underway — and lingering questions about how cybersecurity influenced the 2016 election — this topic is more important than ever before.
In particular, there is increased scrutiny about the opportunities and challenges that lie ahead for electronic voting (aka mobile or internet voting) amid security concerns and higher demand for safer voting options. What opportunities and challenges lie ahead for election officials who make voting technology decisions? What resources do those election officials need to do this? And further, what role does misinformation play in elections? In this piece, we will explore all of these questions and more.
The State of U.S. Elections Cybersecurity
Cybersecurity is one of the more pressing and critical topics of our time — especially in the context of elections. To begin, we’ll explain where the conversation about election cybersecurity stands today, the issues at the forefront of the discussion, its well-publicized failures, and the standards to follow to prevent those failures from happening again.
Advancing the Electoral Cybersecurity Conversation
The 2016 presidential election thrust the issue of cybersecurity to the forefront of public discussion and raised major concerns about our election infrastructure. Several federal agencies and government departments view elections as critical infrastructure, when before they hadn’t given it nearly the same level of attention.
Just recently, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance on election security risks and how to address and mitigate concerns surrounding electronic ballot delivery and return — some of the first guidance ever provided on the issue. More than this, reviews and security reports published by industry partners have moved the conversation about security toward what progress needs to be made.
Some say there is still work to be done in the realm of secure mobile voting (this term will be used for the remainder of the post to capture the concept of electronic ballot return broadly). Researchers from MIT and the University of Michigan, for instance, recently released a report detailing vulnerabilities in the mobile voting election infrastructure. The researchers called attention to aspects of voting technology that could be at risk of malware attacks and the need for more protections.
That said, the work being done to ensure the secure delivery and return of electronic ballots has been instrumental in advancing the conversation around election cybersecurity itself. Now more than ever, people are asking, “Is electronic voting secure?”
Election Cybersecurity Issues
To maintain election integrity, certain cybersecurity issues have to be addressed —most notably, the issue of absentee ballots. Even though the Election Assistance Commission (EAC) works to establish tabulation standards, there is a gap between those and the federal standards set out for the electronic delivery and return of absentee ballots.
For instance, the Military and Overseas Voter Empowerment Act (MOVE) requires states to provide overseas voters an absentee ballot in at least one electronic format. While this might sound all-encompassing, different states enforce the act in different ways; this inconsistency can lead to security concerns. In fact, 19 states require ballots to be returned by mail, while the other 31 have varying requirements regarding how to return these absentee ballots.
The issue doesn’t end there. Beyond the method of return, other security risks can still pose a threat. As it stands, there are no enforced security standards for ballots returned by fax or email, posing a risk not only to the integrity of the vote but also to election integrity. Consider what might happen if voters’ emails were hacked or if they initially received a ballot that had been manipulated. Before people and institutions can believe in the security of electronic voting, the cybersecurity gap must be addressed.
High-Profile Failures in Context
Knowing the threat that these challenges pose to the future of electronic voting, it’s critical to note where election cybersecurity issues have already come to light. In recent months, the Iowa caucuses hurt the credibility of mobile voting when election officials had to count votes manually due to irregular reporting in the mobile voting application.
However, pointing to this specific primary as evidence that mobile voting doesn’t work isn’t the right response when considering it on a larger scale. The application used in Iowa would never have been used for an official election. Its problems reflect poorly on the commendable security work being done by industry partners while creating a false narrative about the failures of mobile voting. More than that, the state didn’t use resources available to it through a group of partners from areas such as security, philanthropy, and industry — all of which would have helped it succeed.
There is also the issue of actual security work. Because a shotgun approach to security assessment can undermine the opportunities presented by electronic voting, NCC is working hard to develop a working set of guidelines for industry partners and jurisdictions. We’re also doing this work in light of the fact that numerous security firms have reviewed the work of industry partners and portrayed them in a way that says the programs have no value because they have issues.
What Model Should We Follow?
While there is not one cohesive election cybersecurity policy that governs the process, we’ve found the Election Assistance Commission’s Voluntary Voting System Guidelines (VVSG) to be one of the best places to start. While the guidelines themselves don’t necessarily have enforcement power, many states use them as a standard for election administration and industry partners.
Some states that adhere strongly to these guidelines have emphasized overall security and cybersecurity in elections. Washington, Oregon, and Colorado, for example, stick closely to the guidelines and maintain a strong cybersecurity focus in all voting work.
At NCC, we continue to work with the EAC to find ways to apply the VVSG to cybersecurity in elections.
Hope for the Future of Cybersecurity in Our Elections
There are many reasons to be hopeful about the future of cybersecurity in our elections. Why do we say this? One reason — and perhaps the most prominent — is that election cybersecurity is now a conversation that is gaining attention and traction. Both U.S. election security and voter accessibility in the country still have significant room for improvement, but our election system is strong overall. As more people learn the value of cybersecurity in elections, there is every reason to be confident that solutions and improvement will follow.
Major corporations and high-level government entities are already part of the conversation. The future of cybersecurity is a chief priority for the Cybersecurity and Infrastructure Security Agency (CISA) and MITRE, too. Google and Microsoft are also focused on the issue, and local election officials around the country are working to find and implement security solutions.
The Role of Mobile Voting
Mobile voting has the potential to play a unique role in U.S. elections — a role that is bound to expand in the years to come as the conversations about cybersecurity and electronic voting continue to happen in more and more spheres. To be part of that conversation, it’s important to understand misconceptions about mobile voting, why it’s crucial to election cybersecurity, obstacles to its acceptance, and the opportunities it presents.
Misconceptions About Mobile Voting
The biggest misconception about mobile voting is that it’s not secure. While there is some truth to that, there are risks associated with every voting method. These security concerns should be the beginning of the conversation rather than the end of it. This concern could also be extended to another: that mobile voting could make it “too easy” to vote.
Many believe the right to vote is something that should be treated with respect, but those believers are split when it comes to how to practice that respect. Some feel that voting is a privilege and that people should take the time to show up at the polls. Others feel that mobile voting would increase voter participation and extend the opportunity to those who typically don’t or can’t physically make it to their polling place.
Voter access has to be central to the argument for secure mobile voting. Voters shouldn’t have to choose between voting securely and not voting at all. The current system does not promise security and disenfranchises millions of Americans, preventing them from voting because they can’t take time off from work or spend the money necessary for transportation to a polling place.
Increasing access by making mobile voting available appears to be one of the best ways to extend the respected and revered right to vote to more Americans, with the goal of steadily increasing U.S. voter turnout over time.
Why Mobile Voting Is Crucial to Election Cybersecurity
Mobile voting is a key component of election cybersecurity for two reasons. The first reason is that there are not currently enough standards and protections in place for mobile or mailed ballots. If an electronic ballot is manipulated by hackers or a faxed ballot is manipulated before reaching its destination, election integrity can be deeply impacted.
The other reason is rooted in the fact that aggregate security is stronger when there are more voters casting ballots — and more people will vote if they have better access thanks to mobile voting. Increasing voter participation domestically lets more people into the process and, as a result, introduces a bell curve of political moderation because of the broader, more representative sample.
Without that representative sample, politicians steer toward extremes rather than finding moderate, practical solutions. This situation can discourage voters in the middle from voting or getting involved with the political process, which ultimately harms the overall integrity of an election; the end result is a more extreme electorate and a significantly more polarized country. Making mobile voting widely accepted and available helps to ensure a more representative, engaged electorate.
The better we can answer the question of how to increase voter participation through mobile voting, the more secure our elections will become.
Obstacles to Mobile Voting in U.S. Elections
The narrative surrounding electronic voting is weak and driven by a select few: “experts” in Washington and a handful of universities. These people and institutions are quick to point to flaws in mobile voting and discuss the potential security issues involved, but they spend significantly less time talking about the proven security issues involved with all other voting methods. Instead, these experts should be exposing the current situation and identifying opportunities to move things forward, laying the groundwork and a vision for how to do exactly that.
In 2018, the National Academies of Sciences, Engineering, and Medicine argued that internet voting should not be an option because it isn’t secure. The same guidance wasn’t applied to email and fax voting, even though these methods present similar security risks. This is problematic for many reasons, but the biggest issue is that this narrative has caused many people to rule out mobile voting altogether instead of working to find cybersecurity solutions.
Opportunities for Mobile Voting to Grow
Just because there are obstacles to the acceptance and implementation of mobile voting doesn’t mean there are no opportunities. Two key audiences would benefit from this voting method most: overseas voters and voters with disabilities.
Both face barriers to voting — some because of present circumstances and others for decades. People voting while overseas are often asked to return their ballots by mail, but citizens have been barred access to elections as COVID-19 has caused governments to suspend international mail. This shows that the only question is by no means, “Is voting by mail safe?” Instead, we should be asking, “Is voting by mail even possible?”
For voters with disabilities, the voting process has never been simple. These people are increasingly frustrated by the lack of sensitivity to their needs in elections, even though they are still required to vote in person. Transportation, which must be specialized in some cases, presents a significant barrier to voting for some of these individuals, and polling locations are not always built to accommodate disabled voters. It isn’t hard to see, then, that one of the greatest advantages of electronic voting is improving voter access.
The Misinformation Quagmire
Keeping mobile voting applications secure is not the lone element plaguing election security. One of the main threats to election security today is misinformation campaigns. Here, we’ll explain why election officials have to address misinformation, explore the short- and long-term impacts of misinformation, discuss how cybersecurity measures can curb the effects of misinformation, and highlight how election officials have been left underprepared to deal with misinformation campaigns sufficiently.
Election Officials and Misinformation Campaigns
Election officials have the difficult responsibility of ensuring election security, transparency, and efficacy. If people don’t turn out to vote in their jurisdictions, it undermines this work and election results. Election misinformation is one of the most significant threats to election integrity and something that needs to be monitored as we approach the 2020 election. In fact, misinformation campaigns are specifically designed to reduce voter turnout in specific groups.
Misinformation campaigns might target certain marginalized populations and communicate false or partially true information about where to vote, when to vote, and how to vote. They also might try to confuse those populations about registration deadlines or election messages. This issue is exacerbated by the fact that most voters never interact with their local election offices, so they’re often unaware that they should only get their voting information from that office.
Social media is a common vehicle for these misinformation campaigns. When people share false information on social media, election officials feel as though the election is out of their control and struggle to prepare and combat the tactic. Some jurisdictions are releasing public service announcements to help voters verify information during a time when polarizing rhetoric and misinformation pose real threats to voter participation.
The Short- and Long-Term Impacts of Misinformation
The impacts of election misinformation extend far beyond getting voters to the polls. As we prepare for the 2020 presidential election, it’s essential to know that misinformation campaigns will call the validity of the election in question due to lingering concerns about the role of foreign interference from 2016. If misinformation proves to be a problem in November — especially if it keeps people from voting — the result will be political chaos in the short term.
In the longer term, as misinformation raises questions about the validity of individual elections, it could begin to erode trust in the institution. Fair, free, and trusted elections are part of the fundamental foundations of a democratic society. If people can’t trust that their vote was counted or that they have accurate information to inform their vote at all, it weakens the necessary link between elections and democracy — and the fabric of American society as a whole.
How Cybersecurity Can Curb the Effects of Misinformation
With the understanding that false information has the potential to threaten our elections and democracy, knowing how to combat misinformation is key to creating future elections in which voters can place their trust.
Two things are key in the fight to dismantle the effects of misinformation: understanding the value of media literacy and then teaching media literacy to voters across the country. Enhanced digital and media literacy give people the cybersecurity technologies and tools they need to discern fake information and accounts from those that are credible. But as more voters understand how to combat misinformation with media literacy, more voters are then able to keep watch for false information and help others do the same.
MITRE Corporation, a nonprofit that gives technical and engineering guidance to the federal government, offers election administrators SQUINT, a tool that flags sites containing suspicious or false information and then has the ability to qualify those sites as sources of misinformation before they reach too many people. As we continue to learn why media and information literacy are important, we’ll keep developing tools like this, educating voters, and maintaining the integrity of elections.
Necessary Resources for Cybersecurity Support
To ensure that election cybersecurity for this year’s contests and beyond, we have to understand how election officials have, to date, been left underprepared, what they can do in the immediate future to pursue and ensure cybersecurity, and what large-scale policy changes are necessary to make cybersecurity a secure reality for Americans.
Why Election Officials Are Underprepared and Understaffed
Until the 2016 election, cybersecurity simply hadn’t been part of the conversation. Because of that, local election officials don’t have the training or experience necessary to deal with cybersecurity issues — nor the tools necessary to ensure secure elections.
We have made progress over the past four years, but there is still a lot of work ahead. Individuals, groups, and nations want to break into American voting systems and spread propaganda and misinformation to undermine U.S. elections. Until we adequately prepare election officials with the knowledge and resources they need, we cannot ensure cybersecurity in our elections.
Immediate Steps to Take to Ensure Cybersecurity
It’s more important than ever to keep elections secure. To do that, election officials should use cybersecurity learning resources to their fullest potential to maintain confidence and trust in our electoral system. MITRE’s app SQUINT is by no means the only resource available, though.
The Cybersecurity and Infrastructure Security Agency (CISA) is also committed to working with election officials, state and local governments, vendors, and federal partners to manage risks in our election infrastructure. The agency works with these partners to protect voter registration databases, election storage facilities, polling places and early voting locations, and the IT infrastructure used to manage and administer elections.
Election officials should also connect with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the National Association of Secretaries of State, both of which have election security resources. MS-ISAC offers a central resource for information on cyber threats to infrastructure and information sharing between the public and private sectors, while the National Association of Secretaries of State works with governments at all levels, nonprofits, and private sector partners to secure data and build recovery plans when that data has been compromised.
Finally, the Election Assistance Commission (EAC) serves as an independent, bipartisan commission and develops voting systems guidance. Working with these organizations and agencies is one of the best ways to ensure a fruitful pursuit of election cybersecurity.
Where Do We Go From Here: Large-Scale Policy Changes Most Needed at this Moment
To ensure a secure future, the conversation must move from small groups and specific organizations to the federal level. The U.S. government will have to give serious consideration to the issues and opportunities associated with online voting systems. When recognition of those issues and determination to resolve them exists at the top level, election security can be a fruitful and productive pursuit.
Nothing fuels our democracy more than the ability to vote. Because of that, nothing is more important than protecting that ability and right — as well as the people who exercise it. When we can come together as individuals, society, and institutions to make election cybersecurity our ultimate goal, change is possible and democracy remains.