III. U.S. Efforts to Protect Democratic Institutions
When adversaries interfere with elections, they threaten more than the integrity of electoral process, they threaten collective faith in democracy. Indeed, a core focus of the Russian strategy to undermine confidence in the 2016 U.S. presidential election was not necessarily to target voting machines directly, but instead to use low-cost techniques through social media and otherwise to “undermine and distract the Clinton campaign,” which would, to Russia’s delight, result in a benefit to Donald Trump’s campaign.107 This is why so many state and private actors have taken action in response to Russia’s “sweeping and systematic” interference in both U.S. and European elections, and why it is so surprising that the U.S. federal government did not take more comprehensive and decisive action to counter this ongoing threat ahead of the 2020 election cycle.108 This section summarizes attempts within the U.S.’s public and private sectors to improve election security. It concludes by identifying particular weaknesses in the overall U.S. response to date, while Part V offers a series of steps for how to fill these governance gaps.
107. Eric Geller, Collusion Aside, Mueller Found Abundant Evidence of Russian Election Plot, POLITICO (Apr. 18, 2019, 12:35 PM), https://perma.cc/L3S3-9CJZ.
108. See U.S. DEP’T OF JUST., OFF. OF SPECIAL COUNS., REPORT ON THE INVESTIGATION INTO RUSSIAN INTERFERENCE IN THE 2016 PRESIDENTIAL ELECTION 1 (2019) [hereinafter MUELLER REPORT], https://perma.cc/QBB3- QGF4 (PDF) (“The Russian government interfered in the 2016 presidential election in sweeping and systematic fashion.”).
A. U.S. Efforts to Safeguard its Election Infrastructure
This section begins by discussing federal and state protections for voting infrastructure. We next move on to analyze companion efforts from civil society and the private sector. After that, we explore U.S. efforts to combat digital repression and then offer several critiques of U.S. efforts to make democracy harder to hack.
1. Federal & State Approaches to Election Security
In the United States, elections are primarily administered by the states.109 Unlike other countries with federal governments, such as Australia explored in Part IV, the U.S. federal government has historically played a minimal role in election oversight.110 Yet, as the Congressional Research Service has noted, “the federal government . . . has steadily increased its presence in campaigns and elections in the past fifty years. Altogether, dozens of congressional committees and federal agencies could be involved in federal elections under current law.”111 As a result, there is a patchwork of voting systems throughout the country, with many states—including core swing states like Pennsylvania—using outdated voting machines and, as of August 2019, more than ten using paperless ballots, which leave no paper trail preventing an effective post-election audit in the aftermath of a cyber-attack.112 While the federal government can regulate aspects of federal voting and appropriate funds for state voting systems113 along with, of course, providing for the common defense,114 the political response at the federal level can, as of this writing, at best be described as apathetic to election security concerns.115
109. See Elections & Voting, WHITE HOUSE, https://perma.cc/T7TU-24MA (stating that the federal government “grant[s] the states wide latitude in how they administer elections”).
110. See R. SAM GARRETT, CONG. RSCH. SERV., R45302, FEDERAL ROLE IN U.S. CAMPAIGNS AND ELECTIONS: AN OVERVIEW i (2018) https://perma.cc/3LYE2SBT (PDF) (“Conventional wisdom holds that the federal government plays [a] relatively little role in U.S. campaigns and elections.”).
111. Id.
112. See Tim Lau, U.S. Elections Are Still Vulnerable to Foreign Hacking, BRENNAN CTR. FOR JUST. (July 18, 2019), https://perma.cc/DGY8-WSVC (“Many states have outdated election security infrastructure . . . .”); CHRISTOPHER R. DELUZIO ET AL., DEFENDING ELECTIONS: FEDERAL FUNDING NEEDS FOR STATE ELECTION SECURITY 4 (2019), https://perma.cc/33FK-UF34 (PDF) (“Aging voting systems often use outdated hardware . . . .”).
113. See *Dylan Lynch & Wendy Underhill, *Election Security Cybersecurity: What Legislators (and Others) Need to Know, NAT’L CONF. OF STATE LEGIS. (Feb. 4, 2019), https://perma.cc/HLJ4-F5MY (stating that the federal government acts “in an advisory role” to states focused on election security).
114. See U.S. CONST. art. I, § 8 (“The Congress shall have Power To . . . provide for the common Defence and general Welfare of the United States.”).
115. See Li Zhou, Republicans Are Still Blocking Election Security Bills After Mueller’s Testimony, VOX (July 25, 2019, 11:47 AM), https://perma.cc/42S7-UBHC (explaining that Republicans were blocking “Democratic efforts to put stronger election security restrictions in place”); Josh Dawsey et al., As Security Officials Prepare for Russian Attack on 2020 Presidential Race, Trump and Aides Play Down Threat, WASH. POST (Apr. 30, 2019, 8:21 AM), https://perma.cc/Q3CA-G45H (“During discussions in the Oval Office, Trump has regularly conflated the threat of foreign interference with attacks on the legitimacy of his election . . . .”).
Congress did appropriate $380 million for state election security efforts after the 2016 election,116 along with another $425 million in December 2019.117 These are steps in the right direction, and are in line broadly with how much it would cost to replace paperless voting machines across the nation, and will allow more states to upgrade their voting equipment and conduct post-election audits.118 Yet these appropriations did not stem from any authority created in the aftermath of the 2016 election.119 Instead, these were part of a 2002 bill, the Help America Vote Act,120 passed as a consequence of the contested presidential election between George W. Bush and Al Gore in 2000.121 Multiple bills, some bipartisan, were subsequently proposed and passed by one of the two chambers of Congress, but thus far all have stalled.122 In particular, the most widely reported on bill, the Election Security Act, would have pushed states to implement back-up paper ballots and would have provided $1 billion in election security grants for modernization.123 However, Senate Majority Leader, Mitch McConnell, argued that such a bill would federalize the election process and take control away from states.124
116. See Press Release, U.S. Election Assistance Comm’n, U.S. Election Assistance Commission to Administer $380 Million in 2018 HAVA Election Security Funds (Mar. 29, 2018), https://perma.cc/2JSH-ZBA2; see also Blake Paterson & Ally J. Levine, Fund Meant to Protect Elections May Be Too Little, Too Late, PROPUBLICA (Aug. 21, 2018, 9:00 AM), https://perma.cc/YG9X-GAUP (“[Q]uestions remain about how much [the $380 million set aside for election infrastructure] will help secure the 2018 election.”).
117. See Miles Parks, Congress Allocates $425 Million for Election Security in New Legislation, NAT’L PUB. RADIO (Dec. 16, 2019, 5:02 PM), https://perma.cc/28PC-GYBT.
118. See BRENNAN CTR. FOR JUST., ESTIMATE FOR THE COST OF REPLACING PAPERLESS, COMPUTERIZED VOTING MACHINES 1, https://perma.cc/5PHX-RABA (PDF) (estimating the cost would “range [from] $130 million to $400 million”).
119. See GARRETT, supra note 110, at 8 (describing the Help America Vote Act of 2002).
120. Help America Vote Act of 2002, Pub. L. No. 252, 116 Stat. 1666.
121. See GARRETT, supra note 110, at 8 (“Congress enacted the Help America Vote Act (HAVA) in 2002, after the disputed 2000 presidential election raised concerns about election administration, ballot design, and voting equipment around the country.”).
122. See, e.g., Katherine Tully-McManus, House Passes Election Security Measure Requiring Cybersecurity Safeguards, Paper Ballots, ROLL CALL (Jun. 27, 2019, 4:49 PM), https://perma.cc/4HN6-63DX (noting that “an election security measure” passed by the House “faces stiff opposition from Republicans” in the Senate).
123. See Maggie Miller, 2020 Democrats Accelerate Push for Action to Secure Elections, HILL (June 30, 2019, 7:00 AM), https://perma.cc/79KU-S5JZ (describing the bill as a way to “strengthen cybersecurity information sharing and require all jurisdictions to perform post-election audits”).
124. See id. (reporting McConnell’s argument); see also Alex Padill, What Do States Need to Secure Upcoming Elections?, PBS NEWS HOUR (Aug. 2, 2018, 6:30 PM), https://perma.cc/2RXM-RGKR (asserting that election security should be viewed as a matter of national defense, to which $700 billion is dedicated each year).
The Senate Intelligence Committee released a report in 2019 on the 2016 election and provided recommendations for securing elections.125 These recommendations—including the need for paper ballots—have yet to be implemented in any concerted way.126 In addition, a widely disseminated report from the National Academies of Sciences, Engineering, and Medicine, entitled Securing the Vote, put together a series of recommendations, which included: election administrators“routinely assess[ing] the integrity of voter registration databases,” ensuring backups for pollbooks should disruptions occur, conducting regular penetration testing, requiring paper ballots along with post-election audits and the removal of“[v]oting machines that do not provide the capacity for independent auditing,” and empowering the National Institute for Standards and Technology (NIST) to “develop security standards and verification and validation protocols for electronic pollbooks in addition to the standards and verification and validation protocols they have developed for voting systems.”127 However, most of these recommendations have similarly not been acted upon as of this writing.128
125. S. REP. NO. 116-XX, at 54 (2019), https://perma.cc/5Q3Y-N78L (PDF).
126. See Dana Farrington, READ: Senate Intelligence Report on Russian Interference in the 2016 Election, NAT. PUB. RADIO (July 25, 2019, 3:08 PM), https://perma.cc/NY7Y-FK8M (stating “Congress has been slow to take action” on the report’s recommendations).
127. SECURING THE VOTE, supra note 22, at 5–7.
128. C.f. Miller, supra note 123 (noting that as of June 2019, the year following the Securing the Vote report, a technology entrepreneur was still concerned about “foreign interference in elections”).
As a matter of national defense, election security has received more attention at the federal level through agencies such as the Central Intelligence Agency, Department of Defense, Department of Homeland Security (DHS), National Security Agency, and Federal Bureau of Investigation.129 Most notably, DHS designated the election infrastructure130 as critical infrastructure.131 This means that DHS can offer states resources and intelligence insights to ensure election security.132 It does not mean, however, the same degree of regulatory oversight as is common in other jurisdictions, such as the European Union discussed in Part IV. Despite a multitude of efforts, the pains taken by various U.S. agencies and departments have been relatively ad hoc and siloed.133 This is likely why the Director of National Intelligence established the position of Intelligence Community Election Threats Executive (ETE) in July of 2019.134 The goal of that position is to coordinate election security activities across the federal government.135 Another useful step in this same vein has been the creation of Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) to help share information about cyber threats and best practices with election agencies and other interested stakeholders.136 But it is still unclear whether such coordination will ultimately address the problems associated with election insecurity in the United States, to say nothing of other vulnerable democracies.
129. *See *R. SAM GARRETT, CONG. RSCH. SERV., IF11265, CAMPAIGN AND ELECTION SECURITY POLICY: BRIEF INTRODUCTION 1–2 (2019) https://perma.cc/5QZ7-N2P4 (PDF) (discussing agency roles in election security).
130. “Election infrastructure” includes “storage facilities, polling places, and centralized vote tabulations locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.” Press Release, Jeh Johnson, Sec’y, Dep’t of Homeland Sec., Statement by Secretary Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector (Jan. 6, 2017), https://perma.cc/LGD8-D5BJ; see Danielle Root et al., Election Security in All 50 States: Defending America’s Elections, CTR. FOR AM. PROGRESS (Feb. 12, 2018, 12:01 AM), https://perma.cc/T9LE-DWDS (describing election infrastructure across the country).
131. See Johnson, supra note 130 (“Given the vital role elections play in this country, it has been determined that certain systems and assets of election infrastructure meet the definition of critical infrastructure.”).
132. See Kaveh Waddell, Why Elections Are Now Classified as ‘Critical Infrastructure,’ ATLANTIC (Jan. 13, 2017), https://perma.cc/6GXU-GP6D (“[The classification] makes it easier for DHS to offer [state and local organizations] resources and intelligence information.”).
133. See Julian E. Barnes,* Intelligence Chief Names New Election Security Oversight Official*, N.Y. TIMES (July 19, 2019), https://perma.cc/83TU-5CNU (noting that analysts viewed the intelligence community’s increased focus on election security before the 2018 midterm races as rather impromptu).
134. Press Release, Daniel R. Coats, Dir. of Nat’l Intelligence, Director of National Intelligence Daniel R. Coats Establishes Intelligence Community Election Threats Executive (July 19, 2019), https://perma.cc/V77W-AGS7.
135. See id. (“[T]he . . . Election Threats Executive (ETE) . . . will coordinate and integrate all election security activities, initiatives, and programs across the [Intelligence Community] and synchronize intelligence efforts in support of the broader U.S. government.”).
136. See Elections Infrastructure ISAC, CTR. FOR INTERNET SEC., https://perma.cc/93ZZ-QUT7.
At the state level, many state and local governments have organized and funded their own initiatives to improve election security in the absence of effective federal leadership.137 For example, California created the Office of Elections Cybersecurity.138 Virginia switched from paperless electronic voting to a statewide paper ballot system.139 Colorado instituted a risk-limiting audit that is being emulated by other states.140 Indiana passed a plan to phase out paperless voting machines fully by 2029.141 In total, as of this writing at least thirty-six states have made efforts to improve and are working with DHS or the National Guard to assess and identify voting systems.142 However, wait times for help, especially with DHS, are reportedly very long (up to nine months), and with state and local elections happening multiple times per year, it is likely that vulnerabilities will go unaddressed for several more election cycles.143
137. See Root et al., supra note 130 (describing New York’s new election security initiative, among others).
138 See Sara Friedman, California Creates Elections Security Office, GCN (Aug. 31, 2018), https://perma.cc/6635-PH67 (reporting on the new organization).
139. See Root et al., supra note 130 (describing Virginia’s switch to a paper ballot system).
140.* See* Jesse Paul, Colorado’s First-of-its-Kind Election Audit Is Complete, with All Participating Counties Passing, DENVER POST (Nov. 22, 2017, 1:59 PM), https://perma.cc/D6RK-P5DF (stating the process involves the“manual recount of a sample of ballots from the more than 50 counties that had elections this year and compar[ing] them with how they were interpreted by tabulating machines”).
141. See Tom Davies, Indiana Election Upgrade Leaves Widespread Paperless Voting, ASSOCIATED PRESS (Sept. 27, 2019), https://perma.cc/79GSJBNK (noting that paperless voting machines are not prohibited until 2029).
142. See Root et al., supra note 130 (explaining that those states are working with federal entities in “assessing and identifying potential threats to voter registration systems”).
143. See Tim Starks, The Latest 2018 Election-Hacking Threat: 9-Month Wait for Government Help, POLITICO (Dec. 29, 2017, 5:05 AM), https://perma.cc/RRY9-UGJD (“[S]ome states might not get the service until weeks before the November midterms and may remain unaware of flaws that could allow homegrown cyber vandals or foreign intelligence agencies to target voter registration databases and election offices’ computer networks . . . .”).
2. Private Sector & Civil Society Efforts
In the United States (and unlike Australia, as we will see), election security has very deep ties with the private sector and is a topic watched closely, but largely passively, by civil society organizations and academia.144 The private sector plays such a strong role because voting machines are manufactured without direct government involvement and are only subject to ex post testing.145 Thus, among the first lines of defense of election infrastructure security lies primarily in the hands of private voting machine manufacturers, who despite the various stress tests required by many states, produce equipment that may still contain vulnerabilities that can go undetected.146 While manufacturers have taken steps to boost election infrastructure security, such as by refusing to sell paperless machines to those jurisdictions that do not have paper voting machines as their primary machines, machines continue to be in operation without any serious recall regime in place and there are no legal obligations to notify election officials when vulnerabilities and breaches are detected.147 “I know America’s voting machines are vulnerable,” said J. Alex Halderman during Congressional testimony, “because my colleagues and I have hacked them—repeatedly—as part of a decade of research studying the technology that operates elections and learning how to make it stronger.”148 He has gone on to argue: “Our highly computerized election infrastructure is vulnerable to sabotage and even to cyberattacks that could change votes.”149
144. See Joseph Marks, The Cybersecurity 202: Even a Voting Machine Company Is Pushing for Election Security Legislation, WASH. POST (June 10, 2019, 7:13 AM), https://perma.cc/PU7B-V2PJ (noting that because one company’s “commitment to third-party testing is entirely voluntary, it also gets to say who those third-party testers are”).
145. See id. *(reporting that the company urged Congress to pass legislation that would “mandate security testing of voting equipment by outside researchers”); Tim Starks, *Voting Machine Vendors Under Pressure, POLITICO (July 12, 2018, 10:00 AM), https://perma.cc/LE5U-KQWG (stating that voting machine vendors sell electronic voting machines without paper backups).
146. For a list of standards and tests required of voting machines, see Voting System Standards, Testing and Certification, NAT’L CONF. OF STATE LEGIS. (Aug. 6, 2018), https://perma.cc/4JHL-V3VG.
147. See Lily Hay Newman, Election Security Is Still Hurting at Every Level, WIRED (June 6, 2019, 12:01 AM), [hereinafter Newman I] https://perma.cc/H8XC-QHHR (quoting the president of Verified Voting, as saying that “I don’t think the for-profit commercial model works particularly well for voting systems, because there’s not enough profit in them to do really good R&D”).
148. Steve Freiss, Hacking the Vote: It’s Easier Than You Think, MICH. ALUMNI ASS’N, https://perma.cc/J9QA-D6SX.
149. Alexander Freund, Democracy in Danger: Elections are Easy to Manipulate, DEUTSCHE WELLE (Oct. 16, 2018), https://perma.cc/7Q63-LXBG.
Halderman demonstrated, for example, how a mock contest between George Washington and Benedict Arnold could be won by the latter, simply by infecting a voting machine’s memory with malware.150 The vulnerabilities that Halderman and his group have exploited include not only outdated voting machines, but also election-management systems that design ballots, which election officials often access via memory cards that may be corrupted.151 Other cybersecurity researchers have corroborated these findings, including those affiliated with the Defcon hacker conference, and found numerous vulnerabilities in many voting machines still in use across more than twenty-six states in 2019.152
150</sup>. See Jen Schwartz, The Vulnerabilities of Our Voting Machines, SCI. AM. (Nov. 1, 2018), https://perma.cc/GP64-2MHX (“[W]ithout a paper trail of each vote, neither the voters nor a human auditor could check for discrepancies. In real elections, too, about 20 percent of voters nationally still cast electronic ballots only.”).
151. See id. (discussing how malicious code can be introduced to the election-management systems).
152. See Lily Hay Newman, Some Voting Machines Still Have Decade-Old Vulnerabilities, WIRED (Sept. 26, 2019, 2:41 PM), https://perma.cc/S6E7-L38X [hereinafter Newman II] (highlighting “detailed vulnerability findings related to six models of voting machines” including one model “used in 28 states in 2018” and another model “used in 26 states that same year”).
Within civil society and academia, numerous comprehensive reports on election security have been written exploring what to do about these problems.153 The most notable of these publications include the National Academies of Sciences’ Securing the Vote mentioned above; the Brennan Center for Justice at New York University School of Law’s Defending Elections; and the Center for American Progress’s Election Security in All 50 States. 154 However, once again, because of political stagnation, there has been very little implementation of their policy proposals.155 As for active participation in election security, some universities play a role in certifying and testing voting machines, but this role is limited.156
153. See, e.g., SECURING THE VOTE, supra note 22, at xii (outlining numerous recommendations “designed to harden our election infrastructure and safeguard its integrity and credibility”).
154. See generally id.; DELUZIO, supra note 112; Root, supra note 130.
155. See supra notes 115–143 and accompanying text.
156. See, e.g., CONN. GEN. STAT. ANN. § 9-241(b) (West 2020) (allowing Connecticut’s Secretary of State to enter into agreements with universities to assist with ensuring the integrity of voting equipment); see also IND. CODE. ANN. § 3-11-16-4 (West 2020) (allowing Indiana election officials to work with universities to perform audits and assist with certifications).
B. U.S. Attempts to Combat Digital Repression
Unlike the tentative steps that have been taken to protect U.S. election infrastructure, the U.S. government’s response to misinformation remains nascent, which is in part due to demanding requirements of the First Amendment and deep divisions about the proper role of the federal government in policing content.157 There are, however, a patchwork of state laws aimed at combatting the effects of misinformation.158One example is a California law that requires the state’s Department of Education to provide a list of education materials on its websites to teach students how to distinguish misinformation from real news and advertisements.159 The impetus behind the law was a Stanford University study,160 which found that 82 percent of middle school students could not distinguish between advertisements and news stories.161 Other states have followed suit, by including more programming related to misinformation and disinformation in their educational programming.162
Congress has unsuccessfully tried to pass the Honest Ads Act,163 a bill that requires platform political ads to follow the same rules as the Federal Election Campaign Act of 1971, such as identifying the organization or person sponsoring the ad.164 In addition, the Act would require platforms to engage in“reasonable efforts” to ensure that ads are not purchased“directly or indirectly” by foreign governments.165 Major tech companies have strongly opposed such a bill, arguing instead for self-regulation.166 Some, such as Twitter, have come out with new limits—and even bans—on political ads on their platforms due, in part, to concerns over enabling the spread of misinformation,167 but as of this writing Facebook has not followed suit.168
157. See Sara Prendergast,* It Must be True, I Read It on the Internet: Regulating Fake News in the Digital Age, MICH. TECH. L. REV. (Mar. 4, 2019), https://perma.cc/8UYS-ULF2 (discussing the hesitancy of the United States to combat misinformation); John Samples, *Why the Government Should Not Regulate Content Moderation of Social Media, CATO INST. (Apr. 9, 2019), https://perma.cc/E5DP-RK8T (noting that a California bill aimed at reducing the spread of misinformation on social media through the creation of an advisory board was vetoed by former Governor Jerry Brown, citing First Amendment concerns).
158. See Funke & Flamini, supra note 28 (listing state actions).
159. See CAL. EDUC. CODE § 51206.4 (West 2020) (ordering California’s Department of Education to provide a list of resources on media literacy); see also Funke & Flamini, supra note 28 (noting that California is one of a few states to enact legislation promoting media literacy); Susan Minichiello, California Now Has a Law to Bolster Media Literacy in Schools, PRESS DEMOCRAT (Sept. 18, 2018), https://perma.cc/7VBR-RSKW (reporting that Gov. Jerry Brown signed the bill to encourage media literacy).
160. See Minichiello, supra note 159 (discussing the bill’s origins).
161. See SAM WINEBURG ET AL., EVALUATING INFORMATION: THE CORNERSTONE OF CIVIC ONLINE REASONING 10 (2016), https://perma.cc/FC3T9VQ6 (PDF) (“More than 80% of students believed that the [fake] advertisement . . . was a real news story.”).
162. See Funke & Flamini, supra note 28 (stating that at least twenty-four states are attempting to improve media literacy).
163. S. 1989, 115th Cong. (2017).
164. See id. (requiring advertisement sponsors to provide their name, address, phone number, etc.); see also Tim Lau, The Honest Ads Act Explained, BRENNAN CTR. FOR JUST. (Jan. 17, 2020) https://perma.cc/G56T-HJH8 (noting that the Honest Ads Act is still a proposed law before the United States Senate).
165. Honest Ads Act, S. 1989, 115th Cong.; see Natasha Bertrand, Senators Have a New Plan to Fix a Major Loophole that Let Russia Take Advantage of Facebook and Tech Giants, BUS. INSIDER (Oct. 19, 2017), https://perma.cc/VF2B-7H3A (stating that the Act’s requirements are a departure from the Federal Election Campaign Act of 1971).
166. See Ben Brody & Bill Allison, Lobbying Group for Facebook and Google to Pitch Self-Regulation of Ads, BLOOMBERG (Oct. 23, 2017, 8:49 PM), https://perma.cc/3VRB-VCFR (“[G]oogle, Facebook, and Twitter . . . pitch self-regulation instead of a proposed federal law requiring more disclosure for political advertising on their online platforms . . . .”).
167. See Kate Conger,* Twitter Will Ban All Political Ads, C.E.O. Jack Dorsey Says,* N.Y. TIMES (Oct. 30, 2019), https://perma.cc/Q2L3-T6XG (“Twitter announce[d] that it would eliminate political ads, starting Nov. 22, [2019].”).
168. See Danielle Abril, Google and Twitter Changed Their Rules on Political Ads. Why Won’t Facebook?, FORTUNE (Nov. 22, 2019), (“Despite a recent political ad ban from Twitter and new limitations from Google, Facebook has yet to back down from its ‘anything goes’ policy.”).
C. Critiques of U.S. Response
While there are many efforts afoot within the public and private sectors to improve the security of U.S. election infrastructure and combat digital repression, as the foregoing analysis made clear there remains a great deal to be done. Consider the work done at Defcon since 2017 that was referenced above.169 Defcon is the world’s largest “white hat”hacker conference, and it reports out the numerous ways its participants have been able to hack into U.S. voting machines annually.170 In its 2018 report, conference participants found, among other vulnerabilities, that: (1) a tabulator used by twenty-three states could be hacked via a network attack; (2) a machine used in eighteen states was able to be hacked within two minutes, which is remarkable considering that it takes the average voter six minutes to vote; and (3) hackers had the ability to wirelessly reprogram an electronic card used by many Americans to activate the voting terminal.171 The latter issue would allow a single voter to cast multiple ballots in a given voting session.172 As Senator Ron Wyden said at Defcon in 2019, “Election officials across the country as we speak are buying election systems that will be out of date the moment they open the box.”173 He added: “[This is] the election security equivalent of putting our military out there to go up against superpowers with a peashooter.”174
169. *See supra *note 152 and accompanying text.
170. See Taylor Telford, Hackers Were Told to Break into U.S. Voting Machines. They Didn’t Have Much Trouble., WASH. POST (Aug. 12, 2019), https://perma.cc/T85A-YCKJ (reporting on a conference that involves skilled hackers attempting to break into U.S. voting machines); see generally MATT BLAZE ET AL., DEF CON 26 VOTING VILLAGE: REPORT ON CYBER VULNERABILITIES IN U.S. ELECTION EQUIPMENT, DATABASES, AND INFRASTRUCTURE (2018), https://perma.cc/H7F8-LCV4 (PDF) [hereinafter DEFCON 2018] (reporting the findings of the Voting Village in 2018); MATT BLAZE ET AL., DEF CON 25 VOTING MACHINE HACKING VILLAGE: REPORT ON CYBER VULNERABILITIES IN U.S. ELECTION EQUIPMENT, DATABASES, AND INFRASTRUCTURE (2017), https://perma.cc/5Y83-ZLWV (PDF) [hereinafter DEFCON 2017] (discussing the findings from the 2017 Voting Village).
171. See DEFCON 2018, supra note 170, at 5 (noting various vulnerabilities in the U.S. voting process); see also Lily Hay Newman, Voting Machines Are Still Absurdly Vulnerable to Attacks, WIRED (Sept. 28, 2018, 11:04 AM), https://perma.cc/K3HW-CA82 [hereinafter Newman III] (“Many of the weaknesses Voting Village participants found were frustratingly basic, underscoring the need for a reckoning with manufacturers.”).
172. See DEFCON 2018, supra note 170, at 21 (explaining the vulnerabilities).
173. Telford, supra note 170.
174. Id.
The vulnerabilities exposed at Defcon stem from the lack of comprehensive federal and state oversight discussed above. Leaving voting machine hardware and software to the private sector without adequate regulatory oversight is insufficient to protect election security.175 Moreover, the failure of effective federal oversight has meant a greater burden on state and local officials, who often do not have the expertise necessary to compare and assess the quality of voting systems when making purchasing decisions. 176 Some with the means and will, such as Los Angeles, with its $300 million Voting Solutions for All People program, have taken it upon themselves to make major investments in new technology and practices, but these are outliers.177 Furthermore, many state and local governments remain insufficiently trained to respond to cybersecurity threats178 and still more jurisdictions are using voter databases that are over a decade old—a lifetime in tech terms.179 The continued weakness of the U.S. response leaves election security a “significant counterintelligence threat,”180 which adversaries may continue to exploit, along with abusing social media firms with lax policies to combat digital repression.181
The United States is not alone in facing these vulnerabilities, though. Both advanced and emerging democracies around the world are similarly grappling with how best to enhance the security and integrity of their own elections and democratic societies. Part IV focuses on some of these efforts, notably from the European Union, Asia, Australia, and Oceania. Implications for policymakers stemming from this analysis are explored in Part V.
175. See Newman III, supra note 171 (detailing the “nation’s vulnerable election infrastructure”).
176. See Newman II, supra note 152 (“[W]e’re still using antiquated equipment that should be replaced, both for security and reliability reasons . . . [which] is one reason why Congress and the states need to step up on election security spending.” (quoting the deputy director of Brennan Center’s Democracy Program)).
177 See Matt Stiles, Sweeping Change Is Coming for L.A. County Voters. If Things Go Wrong, He’ll Get the Blame, L.A. TIMES (Aug. 19, 2019), https://perma.cc/27GC-NK42 (PDF) (stating that major investments into better election technology is rare).
178. See Elizabeth Warren, My Plan to Strengthen Our Democracy, MEDIUM (June 25, 2019), https://perma.cc/WK9T-PDQ7 (noting that a number of states do not train election officials to deal with cyber security threats).
179. See id. (“Forty-two states use voter registration databases that are more than a decade old.”).
180. Julian E. Barnes & Adam Goldman, F.B.I. Warns of Russian Interference in 2020 Race and Boosts Counterintelligence Operations, N.Y. TIMES (Apr. 26, 2019), https://perma.cc/AXD3-TRDN (quoting FBI Director Christopher Wray).
181. See id. (citing weak social media policies as a contributor to mass misinformation).
Table of Contents
- I. Introduction
- II. Unpacking the Cyber Threat to Democracies
- III. U.S. Efforts to Protect Democratic Institutions
- IV. Lessons from Other Democracies
- V. Implications for Policymakers
- VI. Conclusion