An image of voters lined up at voting booths
Associated Press

Computing / Cybersecurity

US elections are still far too vulnerable to attack—at every level

With the 2020 presidential race fast approaching, America hasn’t learned the lessons of the last one.

Jun 6, 2019
An image of voters lined up at voting booths

When Special Counsel Robert Mueller issued his report into Russian meddling in the 2016 presidential election, he called the interference “sweeping and systematic.” Unfortunately, the US’s response to it hasn’t been the same.

That’s the conclusion of a new study by a group of experts at Stanford University. It argues that while there have been some welcome improvements in the US’s electoral defenses, a coordinated national effort is still needed on multiple fronts to stop foreign hackers and trolls from undermining the integrity of next year’s presidential contest.

Fake news

The scale of the threat that faced America in 2016 is becoming even clearer. Cybersecurity company Symantec analyzed a data set of almost 3,900 accounts and nearly 10 million tweets connected to the Internet Research Agency (IRA), a notorious Russian troll farm that spewed out disinformation ahead of the election.

It found that the Russian influence operation was planned well in advance—on average, IRA accounts were created nearly 180 days before being used—and was alarmingly successful at getting fake news into the mainstream quickly: the most retweeted IRA account got 6 million retweets, and fewer than 2,000 of these came from other accounts linked to the agency.

The Stanford study, whose editor and coauthor, Michael McFaul, is a former US ambassador to Russia, concludes that more concerted and robust action is needed to combat disinformation campaigns. It calls for greater transparency around the ownership and operation of foreign media groups producing election-related content, and the creation of a social-media industry standard for flagging dubious material.

It also recommends stopping foreigners from buying online ads aimed at US voters ahead of elections, passing legislation that requires the media industry to police ad buyers more carefully, and getting US candidates to commit not to use stolen or fake material—though such promises may swiftly be forgotten in the heat of electoral battle.

In addition, the study calls for all voting equipment to have paper records so voters’ intentions can be verified if electronic machines are hacked. (Several US states still use machines that don’t leave a paper trail.) And it recommends that states adopt a more robust system for auditing election results than the ones currently in use in many jurisdictions. The need to take swift action on voting tech has been reinforced by news that the US Department of Homeland Security is investigating whether problems with voting equipment in North Carolina during the 2016 election were caused by Russian hacking.

Real threats

These and the Stanford group’s other recommendations make sense, as does the need for a coordinated US national plan for securing elections. But foreign hackers and trolls will still wage cyber and information warfare, even if they are implemented. Hence the study’s last section, which calls for the US to take more aggressive action to deter and disrupt interference campaigns.

“We haven’t taken a systematic approach to going after our adversaries,” says Chris Painter, a former State Department expert on cyber issues and coauthor of the report’s section on deterrence. American cyber warriors reportedly blocked the IRA’s Internet access briefly during last year’s US congressional election. But Painter and his fellow authors argue that while such covert cyber ripostes can be useful, America needs a more comprehensive deterrence strategy.

This would involve being up-front about the consequences—including everything from trade sanctions to visa restrictions, as well as cyber retaliation—that adversaries will face if they meddle in the country’s electoral process. There have been some efforts to do this already, but the Stanford experts think these could go further. “Drawing a red line won’t be much help, “ Painter says, “if you aren’t very clear about the consequences of crossing it.”

This story was updated on June 6th to reflect news of an investigation into malfunctioning voting equipment in North Carolina during the 2016 election.