Building Cyber Defenses For U.S. Elections

Outdated technology. A patchwork of different systems. Front-line staff without formal training. From the standpoint of malicious hackers, U.S. political campaigns and election systems present a rich array of vulnerable targets without critical information or training. 

“Frankly, the United States is under attack,” Director of National Intelligence Dan Coats told the Senate Intelligence Committee in February, adding that Russia is attempting to “degrade our democratic values and weaken our alliances.”

“This is not going to change or stop,” said National Security Agency Director Admiral Mike Rogers.

Despite the ongoing threat, Washington—hamstrung by internal divisions—has yet to develop a comprehensive plan to bolster our democratic defenses.

Undaunted, a group of young civil servants is working directly with political operatives and state and local officials to fortify campaigns and elections against cyberattacks and information operations: Harvard Kennedy School students affiliated with the Belfer Center’s Defending Digital Democracy Project (D3P).

Founded and led by Belfer Center Co-Director Eric Rosenbach, the Pentagon’s former “cyber czar,” D3P has become a kind of digital avengers squad, featuring cyber security professionals, communications specialists, lawyers, political consultants, and national security experts. At a time when even IT operations have taken on partisan overtones, D3P is emphatically bipartisan: it is co-directed by Robby Mook, Hillary Clinton’s 2016 campaign manager, and Matt Rhoades, Mitt Romney’s 2012 campaign manager.

D3P’s engine room is run by students. Nearly two dozen HKS and MIT students have enlisted with the project to align research outputs with stakeholder needs. To that end, 17 of the students last fall began fanning out to states including California, Oregon, Nevada, Virginia, Colorado, New Jersey, Wisconsin, Minnesota, and Florida to conduct field research with officials, hear their concerns, observe their systems and processes, learn how they are protecting the security and integrity of their elections, and help identify areas of vulnerability. Students will visit additional states this semester.

The result of their work? Four distinct “playbooks”—practical guides to help campaign staff and state and local election officials better safeguard critical systems and deter and respond to misinformation.

“Our team visited with over 34 different election offices, surveyed 37 states and territories, and directly observed three elections across three states, so the guidelines we provide are based on the insights and concerns we heard from election officials across the country,” said Caitlin Conley, a U.S. Army Major attending Harvard Kennedy School who led D3P’s efforts on the playbooks. “Our recommendations are practical, and they can make a real difference in the 2018 elections and beyond.”

“State and local election officials are now on the front lines of a battle to maintain trust and confidence in America’s digital democracy.  We developed these playbooks to serve as a resource for state and local election officials, their teams, and their institutions to help build stronger cyber defenses for election systems,” said Eric Rosenbach. “The playbooks are the result of many months of hard work and cooperation between the D3P team and our national, state, and local partners.”

The playbook recommendations are based on D3P’s extensive field research, observation of three recent elections, an in-depth survey, and multiple tabletop exercises conducted with bipartisan groups of election officials. They also reflect best practices and insights from the nation’s top software and network engineers, including from D3P’s private sector partners Google and CrowdStrike. Rather than simply highlight the weaknesses and vulnerabilities of the nation’s election systems, the D3P team strove to work directly with election officials to develop measures to strengthen their cyber defenses and incident response capabilities.

States are taking notice. Already, West Virginia and Kentucky have shared copies of D3P’s campaign playbook with all candidates seeking office. Other states have opted to go further in increasing the awareness and preparedness of their officials by planning to conduct their own “tabletop exercises” based upon the training and experiences provided by the D3P team. These simulations portray outside actors deliberately attacking election systems to test existing protections.

Although the factors that affect voting security vary from state to state—different election methodologies and schedules, demographic variations, voting cultures, and constitutional requirements, among others—the D3P team has distilled 10 recommendations that apply universally across all jurisdictions.

“I don’t think there’s just one thing that makes a state successful. I think it’s almost like a recipe where there’s a bunch of things that have to come together in order for it to work,” said Jennifer Nam, M.P.A. ’18, a project team leader who before coming to Harvard spent a decade in the U.S. Army doing intelligence work.

See the playbooks and learn more about the Defending Digital Democracy Project at belfercenter.org/D3P »

For this cover story, portions of Christina Pazzanese’s Harvard Gazette article, “Wanted: A firewall to protect U.S. elections,” were used, with permission.