Building the People’s Voting System

Murphy’s Guide to the 2020 Election

The Things That Will Go Wrong Are Already Poised To Do So

This is a guide to the items the OSET Institute has identified as potential issues for the upcoming 2020 Presidential Election. (Downloadable copy available here.)  While we are acutely focused on the potential problems of by-mail ballot processing and adjudication, this is an overview of a range of possible issues, which go beyond the recent (and appropriate) focus on by-mail voting. The November 2020 election will present a combination of familiar process and technology issues that have been happening for years (and which are disruptive in their own right), plus a host of new challenges associated with recent changes due to the COVID-19 crisis.

We begin with a survey of what could go wrong, both new and familiar. From there, we examine the potential attacks we are on guard for at this time; and we conclude with our summary forecast of the five things most likely to go wrong, ordered by likelihood and impact. Given that the only constant is change, this assessment will be frequently updated.

Section I: New Murphy’s Law
What Is Likely to Go Wrong Due to COVID-19

Many election administration processes have changed across the country in response to COVID-19 risks. Furthermore, due to many senior citizen poll workers declining to work the polls for health reasons, there is also widespread difficulty in finding adequate numbers of new poll workers, or even temporary workers to support in-person polling places or election headquarters (to assist in processing by-mail ballots, for example). When lack of human resources is combined with altered processes, this creates a compressed time frame for training, combined with a dramatic increase in confusion, mistakes and process errors. Both process errors and technology errors can combine to leave some jurisdictions with chaos on Election Day (as was vividly on display in Georgia’s June 9 primary election, for example [1]).

1. A surge in absentee/by-mail voting presents implementation challenges

What it might look like:

2. A surge in absentee/by-mail voting could reduce transparency, with attendant risks to public faith in legitimacy of results

The surge in ballots cast through the mail means that a significant portion of election administration operations in 2020 could move beyond easy public viewing, unless election officials take methodical and proactive measures to increase transparency and public confidence in election operations.

Unlike in-person voting, which is a public event that easily lends itself to visual monitoring at multiple polling places, processing and scanning of by-mail ballots typically takes place in a centralized location, within the walls of the central elections office. “All-mail” states with experience in these types of elections are accustomed to designing transparency into their implemented operations, for example with windows where the public may observe secure rooms where ballots are opened and processed, or through closed-circuit cameras that allow the public to view operations on a public webpage. However, many jurisdictions that are less accustomed to extensive by-mail voting operations may not take such steps to ensure transparency on processing and counting ballots – and that could increase opportunities for speculation, partisan disinformation, and reduced faith in the legitimacy of outcomes.

What it might look like:

Section II: Typical Murphy’s Law—
What Usually Goes Wrong, and Probably Will Again

In addition to the new challenges that come with changes due to COVID-19, prudence dictates that the nation should expect the same kinds of lamentable issues that have plagued election administration in the U.S. for years: sub-optimal voting experiences due to human error, technology malfunctions, or both.

1. Poll Workers or election officials are likely to make mistakes

Poll workers or election officials do not always do the right thing, due to insufficient training, human error, and/or lack of resources. This section is limited to problems associated with human errors, and does not include technology malfunctions.

What it might look like:

2. Technology malfunctions should be expected

It has become a truism that technology used to support elections in the U.S. typically causes disruptions during every election cycle. The technology-related issues below have already occurred during past elections, and are likely to appear again.

What it might look like:

Section III: Beyond Murphy—
Potential Attacks the OSET Institute Will Be Watching For

1. Disinformation In General: Lies, Lies, Damn Lies

2020 will be a ripe situation for disinformation, because the President of the United States is himself providing air cover to disinformation actors, with claims of “rigging” and “fraud.” Other political operators are pouring considerable money into so-called “integrity watch” operations that will be motivated to find problems to justify the expenditures. Disinformation actors will have ample content, due to spurious “suspected fraud” findings, along with the “more of the same” larger numbers of typical dysfunction. [7]

Examples of what it might look like:

2. Disinformation Aggregation: A Mixture of True and False

A particularly worrisome phenomenon is the likelihood that disinformation actors could have “a field day” by aggregating true reports of typical dysfunction, spurious similar reports, speculative “suspected fraud” reports by real people, and intentionally fabricated similar reports. The artful combination of just-enough factual information to make something seem plausible, in conjunction with false or misleading information, is a toxic mix – with the capacity to go viral through social media.

In addition to that, as noted above, the potential opacity of by-mail ballot processing and counting opens up a field ripe for exaggeration and fabrication— especially when counting will require multiple days and the public visibility will not be 100% consistent.

Examples of what it might look like:

3. Actual Cyber-Attacks: Penetrating Election IT Infrastructure

We know from 2016 that state voter registration databases were uniformly targeted with some penetration, and we “suspect” (but cannot comment officially) that some local election officials were successfully attacked at least by phishing, and possibly also by way of “VPNfilter” and other pervasive persistent cyber-attacks. There is no reason to expect the 2016 adversaries (and new ones) to stand down in 2020.

However, it takes time and effort to detect and investigate real reports of possible attacks, and professional and/or government assistance is required, including threat intelligence from the intelligence community; so any intelligence community involvement with the Department of Homeland Security (DHS) is likely to result in classification of the findings. As a result, credible reports of cyber operation may come too late to be part of the election news cycle. On the other hand, because the election news cycle is likely to last well beyond November 3, there is more calendar time for leaks to occur that could compromise confidence in election results, before the results are final.

A particular factor for 2020 may be an increased number of jurisdictions (and possibly an increased number of voters) using Internet voting methods from Voatz or Democracy Live, which can return voter-marked ballots electronically, without a paper record. DHS warnings about such systems may decrease usage, but have already increased public awareness of such systems, making them even more valuable targets for disruptive cyber-attacks that are publicly visible and that can decrease voter confidence.

Examples of what it might look like:

4. Pseudo-Attacks: Impersonation That Leads to Disruption (Even if Detected)

There are many parts of the election process vulnerable to pseudo-attacks, which involve impersonation activities that are based on actual voter information that is at least partly publicly visible, and which can be used to disrupt the activities of actual voters. Such attacks undermine voter confidence and election legitimacy.

Examples of what it might look like:

5. Capacity Attacks: Overwhelming Systems to Cause Disruption

In addition to process-based capacity attacks (e.g., so many absentee ballot requests or absentee ballots that local election officials cannot handle them in a timely manner), technology can also be employed to undermine capacity. The classic case is termed a “distributed denial of service” (DDOS), which is an attack on network-connected systems such as state election services web sites; related county web sites; election night reporting systems; and the Internet-connected back end systems that coordinate a county-wide real-time connected electronic poll book system. While DDOS attacks can be mitigated, the initial impact can be substantial, with real impact if such is timed properly.

Examples of what it might look like:

6. Pseudo-Suppression Attacks: Dirty Tricks to Stop Voters from Voting

Prior elections have seen a number of “dirty tricks” tactics to impede voters from casting a legitimate ballot, or to make them think they have voted when in fact they have not.

In 2020, tactics like this are even more of interest when conducted not by domestic political actors working for perceived political gain, but rather by foreign adversaries with much greater capability and capacity, and who conduct the attacks to implicate domestic political actors.

Such attacks on in-person voting operations would be especially effective in 2020, since, due to COVID-19, many jurisdictions have a much smaller number of voting places. In such an environment, any method of hampering voting place operations could have a disproportionately large effect, and a substantial negative impact on public confidence in the election process. Finally, we have seen in recent primaries that likely non-malicious capacity problems have led to suspicions of suppression; they provide a model for malicious threat actors to similarly suppress the vote in November.

Examples of what it might look like:

Conclusion and Short List

The 2020 Presidential Election has rightly been anticipated to be one of the most divisive and consequential elections in recent U.S. history. Turnout is expected to be record-setting, partisans on both sides are displaying extremely high levels of motivation and commitment, and the election is taking place in the midst of unprecedented challenges: a global pandemic; widespread social unrest; and conditions that have radically upended election administration across America.

The nation’s typical challenges in recent years, which have led to long lines for voters, concerns about the integrity of results and ragged election administration in general, still persist – but they have been greatly compounded by public health concerns, disruptions to in-person voting, a dramatic increase in by-mail voting, and baseless claims from the President about so-called “fraud” and “rigged elections.” The President has not committed to accepting the legitimacy of the election results. These conditions are startling and dangerous for our democracy. For the same reason, we hope that this Executive Briefing is valuable and helpful to election officials, policy makers, the media and other stakeholders in making preparations to protect our democracy and public faith in the legitimacy of November’s election results.

In this Briefing, we have illustrated a combination of threats, ranging from implementation challenges, lack of resources, process changes, and human error; to technological vulnerabilities, whether inherent to deployed voting systems, or exploitable by motivated malicious actors who might make cyber-attacks; as well as historically low levels of voter trust that have created multiple opportunities for disinformation campaigns, especially through social media.

While the Briefing is comprehensive and includes dysfunctions that range widely in terms of likelihood and severity of impact, we conclude with this short list of what we believe are most likely and most impactful. We will revisit this list with issues to watch in specific battleground states, as we get closer to September. Finally, we also caution that the possibility of more dramatic and worrisome — though perhaps less likely — attacks should not be ignored.

Most Likely Dysfunctions to Anticipate in the 2020 Presidential Election

  1. High volume of absentee by-mail ballot requests, which leads to delayed mail deliveries and voters without ballots.
  2. In-person polling place dysfunction (including long lines for voters and inoperable election equipment), due to poor poll worker training on operational procedures and consolidation of in-person polling places due to the pandemic; and difficulty in recruiting adequate skilled poll worker staff.
  3. Long lines for voters, due to delays with electronic pollbook check-in, including some that might be credibly claimed to be DDOS attacks.
  4. Errors in voter record lists which may be imputed not only to prejudicial intent, but also to a repeat of 2016-like cyber-attacks on voter registration systems.
  5. Disinformation actors leveraging real incidents for disinformation campaigns, including spurious additional incidents.

End Notes

Here is a downloadable PDF of this Briefing for offline use.

  1. NPR, “Chaos in Primary Elections Raises Fears For November,” June 15, 2020. https://www.npr.org/2020/06/15/876474124/chaos-in-primary-elections-raises-fears-for-november
  2. OSET Institute, “The Bipartisan Truth About By-Mail Voting.” https://trustthevote.org/wp-content/uploads/2020/05/27May20_BipartisanTruthAboutByMailVoting_v3.pdf
  3. WAMU/DCist, “D.C. Plans To Open 80 In-Person Polling Sites For November’s General Election,” July 28, 2020. https://wamu.org/story/20/07/28/d-c-plans-to-open-80-in-person-polling-sites-for-novembers-general-election/
  4. The Washington Post, “Postal Service memos details ‘difficult’ changes, including slower mail delivery,” July 14, 2020.
    https://www.washingtonpost.com/business/2020/07/14/postal-service-trump-dejoy-delay-mail/
  5. Eddie Perez, Twitter, July 16, 2020. https://twitter.com/eddieperezTX/status/1283780212828901387
  6. AP, “Activists cite tabulation flaw in mail-in ballots in Georgia,” June 13, 2020. https://apnews.com/66c2b4b36609d83aa5c08235f947ea59
  7. Many of the specific examples of potential dysfunction in this section are inspired by the Cybersecurity Infrastructure Security Agency (CISA), “Elections Cyber Tabletop Exercise Package/Situation Manual,” January 2020
    https://www.cisa.gov/sites/default/files/publications/Elections-Cyber-Tabletop-Exercise-Package-20200128-508.pdf
  8. For a dramatic example of how Election Day chaos could be generated without needing to actually attack any election-specific assets, see NBC News, “How a fake town and real hackers battle test officials for Election Day 2020,” November 6, 2019. https://www.nbcnews.com/tech/security/how-fake-town-real-hackers-battle-test-officials-election-day-n1077836
  9. OSET Institute, “Stop the Nonsense About ‘Counterfeit’ By-Mail Ballots – Here are the Facts,” https://www.osetfoundation.org/blog/2020/6/30/ballotnonsense
  10. Another similar example of a possible pseudo-attack that could be performed in bulk (and also easily trapped and stopped in bulk) involves the “Federal Write-In Absentee Ballot” (FWAB) that any overseas or military voter is entitled to use. The FWAB which is essentially a “made-at-home” ballot where the voter can simply list the name of a contest for office, and the name of the candidate of their choice, for as many or few of the contests that they are eligible to vote for. It is not hard to create a false FWAB and combine it with the required signed affidavit for a real voter (voter lists are readily available to adversaries), or for large numbers of spurious voters. It is also not hard to create signatures that will not match – even if election officials will detect these on signature verification. Even though it is likely that these fraudulent ballots would be caught, the attack can swamp the capacity of an elections office to process real ballots.

SITEWIDE SEARCH