The U.S. midterm elections are less than 50 days away. There are many reasons to be concerned that some adversaries of the United States will attempt, again, to sow chaos in the upcoming U.S. election, and undermine the legitimacy of these contests.
Christine Santoro, Esq., (Chief Legal Officer, OSET Institute) in her Sep. 20th, 2018 article, Will Foreign Adversaries Attack U.S. Midterm Elections or Elsewhere?, analyzes the threat:
Most experts believe that Russia … will continue to interfere in U.S. elections on some level(s). Others are raising concerns about China and even Iran.
Three Types of Attacks
This interference will be in the form of three different types of attacks, first identified in OSET’s Critical Democracy Infrastructure Briefing. The three types of attacks are:
- Defamation: de-legitimizing elections by “using weaponized content or generating false content to undermine voters’ confidence in the election”
- Disruption: disrupting the election process, before or during voting, or afterwards to disrupt reporting of the election result. This type of attack is especially dangerous when accompanied by a defamation attack, as both combine to throw the legitimacy of the election into doubt even without altering the votes cast or tallied.
- Subversion (Type III) is the “direct manipulation of [election] devices, machinery or systems .. the most dangerous and insidious type of attack.” This direct digital attack of voting machinery “will unlikely occur effectively at the ballot casting device but rather target tabulation and tally equipment.”
Attacks are happening now, and will increase
Already, Dan Coats, the Director of National Intelligence, has sounded the alarm regarding imminent and ongoing defamation attacks from Russia against the U.S.:
Russia is trying to spread propaganda on hot-button issues using social media … Moscow’s strategy is to exacerbate sociopolitical divisions … We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States.
FBI Director Christopher Wray stated in August that Russian intelligence is focused on “malign influence operations,” which he called “information warfare.” Later that month, Facebook shut down over 30 pages and accounts with suspected ties to Russia.
The U.S. is not the only country whose elections are being targeted by Russian attacks:
- Anders Fogh Rasmussen, Co-chair of Transatlantic Commission on Election Integrity (TCEI), says, “I have no doubt Moscow will deploy the full playbook of measures to spread confusion and fear: cyber-attacks, assassinations, disinformation, conventional attacks in Eastern Ukraine. We cannot allow this to happen.”
- Victor Pinchuk, based on his work with the Ukraine Elections Task Force, warns: “if we do not prevent it, what might happen in Ukraine in 2019 may also be repeated across the West in 2020.”
What will happen in the 2018 U.S. midterms?
Counselor Santoro identifies the most likely attacks that will occur in the next two months:
- Defamation attacks are happening now: “Russia continues to taunt the U.S. with Type-I attacks using disinformation, fake news, and instigation of social warfare on Facebook and other media sites.”
- Disruption attacks are less likely: “the window for [voter registration attacks] may have passed … there [remains] possibility of attempts to hack election results sites.” Fortunately, “the official tabulation records and tabulators are not on-line,” so remain safe from Russian attacks, at least for now.
- Subversion attacks are very unlikely, in part because this year is not a Presidential election year: “the stakes are not as lofty in the midterm elections, so foreign adversaries can afford to save their dry powder for this one.”
Although this sounds like relatively good news, the danger is, if anything, increasing:
Our foreign adversaries (again, in particular the Kremlin), are in for the very long game … they’re monitoring and preparing in the misguided belief they can successfully subvert our election and manipulate our government when the stakes are high enough in 2020.
What can we do to protect our election systems?
We aren’t helpless in the face of this gathering storm. But we must take action to protect U.S. electoral systems. Ms. Santoro identifies the most important steps we must take. Our voting systems must be:
- “completely rid of remote access capability“
- “fortified with paper ballots of record” and
- “tabulation and tally devices must somehow become truly hardened“
Beyond simply securing voting machines,
- digital election infrastructure must be rebuilt “for higher integrity … driven by a new critical infrastructure mindset in terms of security-centric engineering.”
Although we know that Russia is currently pursuing defamation attacks against the U.S. election system, and will continue to do so until the 2018 midterms are concluded, we may be able to prevent the much more dangerous disruption and subversion attacks in 2020, but only if we start working now to secure the U.S. election infrastructure.
The OSET Institute‘s TrustTheVote Project addresses these issues with our modular ElectOS public software framework/platform, designed from the ground up to deliver verifiable, accurate, secure, and transparent (in process) elections.
More information and how you can help
- Read Christine Santoro‘s original article, Will Foreign Adversaries Attack U.S. Midterm Elections or Elsewhere?, on the OSET Institute website.
- Read Counselor Santoro‘s related and provocative article last year examining the question of whether foreign state hacking of an election is tantamount to an act of war.
- Read the Critical Democracy Infrastructure Briefing to learn more about the vulnerabilities of current digital election systems
- Learn more about the TrustTheVote Election Technology Framework and how the TrustTheVote Project counters the three types of attacks.
- If you are an election official, get involved with the TrustTheVote Project to help guide the development of public technology to increase integrity, lower costs, and improve future elections.
This Monday, state officials in Maryland acknowledged that problems with their “motor voter” systems are more significant than originally described:
[A]s many as 80,000 voters — nearly quadruple the original estimate — will have to file provisional ballots Tuesday because the state Motor Vehicle Administration failed to transmit updated voter information to the state Board of Elections.
— Up to 80,000 Maryland voters will have to file provisional ballots, state says (Washington Post. 6/25/18)
This announcement, made only hours before the polls opened for Maryland’s Tuesday primary, will mean more than just a minor inconvenience for the tens of thousands of voters affected. Sen. Joan Carter Conway (D-Baltimore City), chairwoman of the Senate Education, Health and Environment Committee, said that this situation will “confuse voters, suppress turnout, and disenfranchise thousands of Marylanders.”
Yet the significance of this programming error is broader still. Sen. Richard S. Madaleno Jr. (D-Montgomery), who is also running for governor of Maryland, called the incorrect registration of thousands of voters a “catastrophic failure.” In his statement, he continued, “The chaos being created by this failure subjects real harm to our most cherished democratic values,”
Is this election season hyperbole? Not at all, says John Sebes, Chief Technology Officer of the OSET Institute (the organization that runs the Trust The Vote project). In his recent article, Maryland Voter Registration Glitch: A Teachable Snafu, Mr. Sebes identifies the wide-ranging problems that will follow from these kind of disruptions at a larger scale:
If a foreign adversary can use cyber-operations to maliciously create a similar situation at large scale, then they can be sure of preventing many voters from casting a ballot. With that disruption, the adversary can fuel information operations to discredit the election because of the large number of voters obstructed.
— John Sebes, OSET Institute
It is, in fact, the credibility of the entire election itself that is at stake. These kinds of technical problems don’t need to be the result of nefarious interference in the election process. Mr. Sebes continues,
The alleged system failure (hack, glitch, or whatever) doesn’t even need to be true! If this accidental glitch had occurred a couple of days before the November election, and came on the heels of considerable conversation and media coverage about election hacking, rigging, or tampering then it would be an ideal opportunity for a claimed cyber-attack as the cause, with adversaries owning the disruptive effects and using information operations to the same effect as if it were an actual attack.
— Maryland Voter Registration Glitch: A Teachable Snafu by John Sebes
Maryland is clearly vulnerable to this kind of attack on the credibility of their electoral process. Already, some are sounding the alarm that these voter registration problems weren’t identified quickly — plus, there’s no way to verify the process itself:
Damon Effingham, acting director of the Maryland chapter of Common Cause, said it was “preposterous” that it took MVA officials four days to figure out the extent of the problem and that there is no system to ensure that its system is working properly.
— Up to 80,000 Maryland voters will have to file provisional ballots, state says (Washington Post. 6/25/18)
What’s the solution?
John Sebes and the Trust The Vote project have spent years developing open source election software and systems to address these issues. But that alone isn’t sufficient. Mr. Sebes identifies the steps that election officials can take now to prevent the kind of problems that Maryland is experiencing this week:
- “It’s partly a technology effort to re-engineer election systems to be less fragile from errors and less vulnerable to attack.”
- “How to ensure the correctness and integrity of poll books[?] … that depends on emerging open data standards and the question of certification of poll books.”
- “Given the great importance of public credibility … election officials must also plan for proactive public communication.”
Mr. Sebes concludes:
The Maryland glitch is not so much about failed integration of disparate data systems, but much more about unintentional catalyzing of opportunities to mount “credibility attacks” on elections and the need for a different kind of preparation.
Read the full article, Maryland Voter Registration Glitch: A Teachable Snafu by John Sebes, on the OSET Institute website.
The OSET Institute runs the TrustTheVote Project, a real alternative to nearly obsolete, proprietary voting technology. TrustTheVote is building an open, adaptable, flexible, full-featured and innovative elections operating system called ElectOS. It supports all aspects of elections administration and voting including creating, marking, casting, and counting ballots, as well as managing all back-office functions. Check out this overview of the TrustTheVote Project to learn more. If you’re involved in the election process, as an election official, or an academic or researcher, join the TrustTheVote Project as a stakeholder to help develop and deploy open, secure, reliable, and credible election technologies. If you’re concerned about the health of our election systems, you can donate or volunteer. If you have any questions about the TrustTheVote Project, contact us today.
To prepare for the new General Data Protection Regulations (GDPR) for EU countries, the TrustTheVote Project web support team and OSET Institute Legal reviewed all of our data privacy and security policies to ensure that we meet (or exceed) the standards set by the GDPR. Data privacy and security is one of the foundational values of the TrustTheVote Project, and we want to be sure that we’re consistently applying best practices and principles.
We also believe it’s important to support and promote international norms for digital privacy. Although the OSET Institute is headquartered in California, our mission is global in nature, because verifiable, accurate, secure and transparent election technology is a mandate for all democracies, worldwide. Trust in elections depends on digital privacy and security. That’s why we support the principles of the GDPR, both all of our web properties, and in the software we build for safe and secure elections, ElectOS.