Can Washington Protect America's Electoral Process from the next Cyber Attack?

A projection of cyber code on a hooded man

Congress needs to act on a major elections-security initiative this year.

When one of us, after a four-decade career in the Marine Corps including nineteen months in command in Afghanistan, had the chance to address the National Association of Counties earlier this year, this was the key message:

We in the military have always been the ones on the front lines in defense of this country and its democracy. Now, it is you as well—those who are manning the voting centers, maintaining the voter registries, tabulating the tallies.

As Congress gets fully back to work this fall, the issue of how the federal government can help local and state election authorities secure the United States against an attack needs to be front and center on their agenda—because it has become a national-security issue of very high order. In particular, Congress needs to approve and appropriate funds for an initiative like that proposed by Sen. Amy Klobuchar and Sen. Lindsey Graham, and provide several hundred million dollars to make the country’s voting more secure.

Last year, a hostile power reached straight past the most sophisticated military and intelligence services on the planet, across vast seas and over towering mountain ranges, and sought to affect the fundamental outcome of the American 2016 presidential election through a strategic-influence campaign, which included cyber intrusions into the heart of the American voting system. In essence, the Russians, apparently on the direct orders of Vladimir Putin, took direct aim at America’s ability to choose its own government and thus, ultimately, its own way of life—arguably with some success.

Trump’s subsequent decision to build a national-security team that includes Secretary of Defense Jim Mattis, National Security Advisor H. R. McMaster, Ambassador Nikki Haley and Secretary of State Rex Tillerson has mitigated the potential damage. Congress has also sought to ensure that Trump sustain a foreign policy in line with many bipartisan precepts of American national-security policy. So it could have been much worse. But the central fact remains that a foreign power sought to abuse America’s democratic system to create outcomes that would serve its own interests, and not necessarily those of the American people. How is this any less dangerous to U.S. national-security interests, and our country as a whole, than a direct military attack?

Our concerns go way beyond the 2016 election. With 2018 and 2020 votes soon upon us, we need to ensure that the American voter is the only individual who will choose our future leaders.

In short, here’s what we know about what happened last year. Russia spread false news, largely through social media, using a network of trolls and bots, to support one candidate and weaken another. It also stole and then released to Wikileaks emails from the DNC that further damaged Clinton and her associates—though it must be said that mistakes by the Democrats are what made this latter insult to our democracy even possible, so there is surely blame to go around. The CIA, NSA and FBI are on record agreeing to the above, in their January 6 report on the subject. This past summer, Department of Homeland Security officials explained that at least twenty-one states had suffered some form of cyber intrusion or attack from foreign actors in the course of the campaign. And while Russia was the main perpetrator this time around, others from North Korea to Iran to China, as well as transnational-criminal networks, have challenged the integrity of U.S. cyber systems as well.

What’s scarier is what could happen next. In 2016, virtually no voters appear to have been denied their opportunity to vote by these foreign shenanigans, and no vote counts appear to have been affected. However, as computer expert J. Alex Halderman of the University of Michigan’s Center for Computer Security and Society recently explained at a Brookings Institution event, the safeguards against such problems in the future are far from adequate. Meanwhile, the fact that voting is a local and state responsibility makes it hard for the federal government to solve the problem. Even if Washington wanted to do such a thing, it would likely be challenged by states and counties locally in the courts. In any case, it has been miserly in providing funds to help local government address shortcomings with voting machines and related challenges.

We need to fix that resource allocation problem. The integrity of the vote is a national-security issue of the first order. The federal government needs to be more forward leaning in mandating that states and localities improve their resilience against future cyberattacks and in providing resources to help ensure this is accomplished quickly. That means there must be paper records of votes, state-of-the-art cyber provisions for electoral systems, and auditable ways of tallying votes that can be checked and, if necessary, redone. The fact that the federal government has now declared our voting system to be critical national infrastructure should trigger the kind of funding needed for states and counties to mount credible defenses now—before the 2018 midterm and 2020 presidential races.

It is the federal government’s responsibility to secure U.S. elections and ensure that unlawful foreign interference of any kind does not impact the voting process. Indeed, it is a national-security issue every bit as serious as making sure a Marine has a good rifle and the right training in how to use it. There is still enough time to act, but not much. Congress needs to act on a major elections-security initiative this year.

John Allen and Michael O’Hanlon are senior fellows at the Brookings Institution.

Image: Reuters