US elections are still far too vulnerable to attack—at every level

When Special Counsel Robert Mueller issued his report into Russian meddling in the 2016 presidential election, he called the interference “sweeping and systematic.” Unfortunately, the US’s response to it hasn’t been the same.
That’s the conclusion of a new study by a group of experts at Stanford University. It argues that while there have been some welcome improvements in the US’s electoral defenses, a coordinated national effort is still needed on multiple fronts to stop foreign hackers and trolls from undermining the integrity of next year’s presidential contest.
Fake news
The scale of the threat that faced America in 2016 is becoming even clearer. Cybersecurity company Symantec analyzed a data set of almost 3,900 accounts and nearly 10 million tweets connected to the Internet Research Agency (IRA), a notorious Russian troll farm that spewed out disinformation ahead of the election.
It found that the Russian influence operation was planned well in advance—on average, IRA accounts were created nearly 180 days before being used—and was alarmingly successful at getting fake news into the mainstream quickly: the most retweeted IRA account got 6 million retweets, and fewer than 2,000 of these came from other accounts linked to the agency.
The Stanford study, whose editor and coauthor, Michael McFaul, is a former US ambassador to Russia, concludes that more concerted and robust action is needed to combat disinformation campaigns. It calls for greater transparency around the ownership and operation of foreign media groups producing election-related content, and the creation of a social-media industry standard for flagging dubious material.
It also recommends stopping foreigners from buying online ads aimed at US voters ahead of elections, passing legislation that requires the media industry to police ad buyers more carefully, and getting US candidates to commit not to use stolen or fake material—though such promises may swiftly be forgotten in the heat of electoral battle.
In addition, the study calls for all voting equipment to have paper records so voters’ intentions can be verified if electronic machines are hacked. (Several US states still use machines that don’t leave a paper trail.) And it recommends that states adopt a more robust system for auditing election results than the ones currently in use in many jurisdictions. The need to take swift action on voting tech has been reinforced by news that the US Department of Homeland Security is investigating whether problems with voting equipment in North Carolina during the 2016 election were caused by Russian hacking.
Real threats
These and the Stanford group’s other recommendations make sense, as does the need for a coordinated US national plan for securing elections. But foreign hackers and trolls will still wage cyber and information warfare, even if they are implemented. Hence the study’s last section, which calls for the US to take more aggressive action to deter and disrupt interference campaigns.
“We haven’t taken a systematic approach to going after our adversaries,” says Chris Painter, a former State Department expert on cyber issues and coauthor of the report’s section on deterrence. American cyber warriors reportedly blocked the IRA’s Internet access briefly during last year’s US congressional election. But Painter and his fellow authors argue that while such covert cyber ripostes can be useful, America needs a more comprehensive deterrence strategy.
This would involve being up-front about the consequences—including everything from trade sanctions to visa restrictions, as well as cyber retaliation—that adversaries will face if they meddle in the country’s electoral process. There have been some efforts to do this already, but the Stanford experts think these could go further. “Drawing a red line won’t be much help, “ Painter says, “if you aren’t very clear about the consequences of crossing it.”
This story was updated on June 6th to reflect news of an investigation into malfunctioning voting equipment in North Carolina during the 2016 election.
Deep Dive
Computing
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
IBM wants to build a 100,000-qubit quantum computer
The company wants to make large-scale quantum computers a reality within just 10 years.
The inside story of New York City’s 34-year-old social network, ECHO
Stacy Horn set out to create something new and very New York. She didn’t expect it to last so long.
Making the world a data-driven place with the cloud
Cloud data modernizations is a key enabler to spur innovation and get real value out of your data, says PwC’s Anil Nagaraj and Microsoft’s Kim Manis.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.