This is the 6th of a 7-part series of election security vignettes intentionally kept as brief as possible to stick to the main point of the title above. Its intended to acquaint relatively new-comers to election integrity and security, and that includes anyone and everyone from concerned citizens, to journalists, to policy makers.
With all the talk of securing our democracy from threats, you’re probably aware of three different kinds of attacks, but maybe not so much what “election security” means in each context. Let’s consider that now:
- Propaganda attacks on the broad democratic process: the proverbial bots, trolls, fake people on social media, including those masterminded by foreign adversaries, as well as the transitive effect of well-meaning people having been fooled by disinformation, repeating it via social media to spread misinformation widely.
- Cyber-attacks on the broad democratic process: hacking targets like campaigns, candidates, parties, PACs, etc., to obtain embarrassing private information to drive propaganda attacks, and in general to weaken public confidence in the ability to believe many of these actors.
- Attacks on election infrastructure: specifically, with targets that are operated by election officials for voter registration, election administration, conducting ballot casting and counting, and election results reporting.
Discussions using the term “election security” sometimes touch on all three, but it’s most important for the last one. Security is about (among other things) availability, prevention of harm, detection and recovery from harm.
That kind of security doesn’t really apply in the first case. Given modern communication technology and the nature of social media, we will never have security from propaganda. The Facebooks and Twitters of the world will continually fight a Red Queen’s Race to maintain some level of detecting and ejecting bad actors, but propaganda will always be with us, and the only real increase in defense might be increased public awareness and some larger portion of media consumers armed with sufficient good sense and media savvy to not be part of the problem.
That kind of security could apply in the second case, in the sense that all these many many non-government actors in our democratic process are also organizations subject to cyber-attacks. But there are so many of these organizations, and so many with little cyber-defense abilities. Some individual well-funded actors may be able to maintain some cyber defenses and detection/recovery, but our adversaries will always find weak and attractive targets. Collectively, we will all remain vulnerable.
The third area is the critical infrastructure of elections, including technology operated by election officials. The term “election security” certainly applies there, and much of the election security discussion is about election infrastructure. But here the term “election security” comes in at least three completely different flavors, often poorly understood or jumbled together.
Which is terrible, because I believe we all really, really need to understand the differences, in order to understand what our governments are doing for election security, and whether it is making a significant difference.
So, in addition to the three kinds of threats to democracy that you may know, inside one of them – threats to election infrastructure – there are three more kinds of election security that you really need know about… next time.