top of page

How the U.S. Can Prepare for a Major Election Hack

Note: This article first appeared at The Monkey Cage and is cross-posted here.

Prior to the 2016 election, at least 21 U.S. states’ registration databases or websites were targeted by hackers and seven states were successfully “compromised,” although there’s no evidence that votes were altered. As American intelligence agencies recently made clear, the risk to voting systems continues in 2018. Foreign actors could target registration records, electronic voting machines, or vote tabulations. And because American elections are controlled by individual states that employ a wide array of voting systems, a localized breach is especially feasible.

Amplifying the danger is that many Americans will react to vote manipulation somewhere in the U.S. with doubts about election results everywhere. Even if this interference does not actually change an election outcome, people may use any breach to cast doubt on outcomes they don’t want to believe. And this havoc is precisely what Russia wants.

Even without a major breach of voting systems, U.S. politicians, including Roy Moore and Jill Stein, have proclaimed electoral fraud. Donald Trump still asserts there was massive fraud in 2016, and many believe him. In an August poll, 68% of Republicans agreed that “millions of illegal immigrants voted” in 2016 and 47% believed Trump won the popular vote.

One response to this foreign threat is to bolster election security, which has been lagging ahead of the 2018 election. But U.S. authorities also need to think about what would happen after the election if there’s a breach to voting systems. The experiences of Kenya in 2007 or Honduras in 2017 show how disputed elections can spiral into violence.

How can Americans respond to this possibility? Here are 2 key lessons from other countries, including U.S. allies in Europe that have years of experience countering Russian misinformation and attacks.

Lesson #1: State election authorities need a plan

After a breach, the first line of defense will be state election officials. These officials can learn from international experts and countries like Estonia, Norway, and Sweden that have repeatedly faced Russian hacking attempts. As a recent Senate report explains, Nordic countries have pursued a proactive “whole of society” approach, including teaching media literacy in schools, training political parties, and empowering state agencies to identify and counter disinformation around elections. Sweden even used a popular cartoon character, Bamse the Bear, to teach kids about fake Internet rumors.

At a minimum, state election officials need a plan to audit their elections and communicate with journalists and citizens. Informing citizens about recount procedures and election security “can help make them less susceptible to rumors, disinformation, and sensationalist fears,” a Council on Foreign Relations report argues. For instance, after Ghana’s disputed 2012 election, the Supreme Court broadcast the resulting 50-day trial live on television to maximize transparency. Widely watched by Ghanaians, the trial affirmed the results and helped to ensure the decision was met without violence.

Belated efforts to improve cybersecurity information-sharing between the federal government and states can also extend to coordinating information among states, which could prove critical in reacting quickly to election manipulation. This could be modeled after the extensive intelligence-sharing among European allies, who recently founded an ambitious EU/NATO operation headquartered in Finland to counter Russian threats.

Although not foolproof, a key security principle is maintaining paper ballot records, either as the primary form of voting or as a backup record. Fifteen U.S. states currently have some precincts with no paper vote record. As old-fashioned as it sounds, there has been a turn away from electronic voting in Ireland, the Netherlands, and Pennsylvania. Dutch authorities switched entirely to hand-counted paper ballots in a 2017 election after a wave of cyber-attacks.

Ukraine’s 2014 election illustrates how paper ballots can be critical to election legitimacy. Four days before the election, pro-Russian hackers shut down the national vote tabulation system, forcing an emergency reboot. In a separate infiltration, a virus was caught minutes before it released false election results to the media. (Somehow, Russian state television still reported those false results.) Luckily, because Ukraine used paper ballots, the votes themselves were un-hackable and the results easily audited.

Lesson #2: Non-partisan actors are critical

The ability of state officials to reassure voters after a breach may be limited if they’re perceived as partisans. In the U.S. states, all but two Secretaries of State are affiliated with a party. When election disputes arise, figures like Katherine Harris and Kris Kobach have typically been viewed through a partisan lens.

There is potential value in establishing a non-partisan body that can identify potential problems and evaluate election results after the fact. In several countries, including the U.S., independent teams have helped to expose election vulnerabilities before elections, from security problems with Estonia’s internet voting to a flaw in Indian voting machines that allowed a hidden Bluetooth radio to change votes.

Non-partisan experts have also played an important role in disputed elections. In Mexico’s 2006 presidential election, Manuel López Obrador alleged fraud after his razor-thin loss. The resulting protests threatened to push Mexico into chaos. A targeted recount by a federal election tribunal run by the judiciary and a clean report by a European Union observation team helped to signal the election’s accuracy and partially tamp down opposition.

The U.S. could also benefit from an independent group tasked with reacting to a foreign election breach. A non-partisan team of experts on cybersecurity, election technology, and forensic analysis could rapidly evaluate the extent of manipulation, ideally assuring citizens the breach is limited. The team could be a key source for journalists and a means to coordinate information among state officials.

Some politicians and Americans will undoubtedly ignore the team’s conclusions. But if team members have established bona fides and security clearances (to access sensitive information), they may help to minimize disorder and distrust.

With the November 2018 election fast approaching, foreign election interference remains a real threat. And a foreign breach—even if limited and quickly identified—could lead many Americans to wonder if there were other, unnoticed breaches.

Heading off the impact of a breach requires serious planning now, not on November 7. The U.S. needs credible, coordinated information that can reassure skeptical voters—especially election losers who tend to see the electoral process as more flawed and democracy as less desirable. The stakes are high, as democracy withers without broad confidence in elections.

Michael K. Miller is Associate Professor of Political Science and International Affairs at George Washington University.

bottom of page