Paper - Cyber Security Project, Belfer Center

Hacking Chads: The Motivations, Threats, and Effects of Electoral Insecurity

Summary

This paper addresses a growing concern to one of the most fundamental components of our democracy: how cybersecurity risks can influence the integrity of our elections. This past summer's hacks and attempted network intrusions into a variety of Democratic Party networks and into election infrastructure highlight the urgency of the issue. The mounting evidence of Russian involvement, confirmed in an unprecedented statement by the Obama Administration in October, underscores the stakes. While there previously have been occasional — and mostly unfounded — concerns about localized voter fraud in U.S. elections, this is the first time a foreign nation attempt to influence a U.S. election by taking advantage of weaknesses in our cybersecurity.

Two vital questions emerge. First, how concerned should we be about election cybersecurity? Second, how vulnerable is the United States to a foreign power or other actor trying to undermine the public's confidence in our elections? In examining these issues, we consider the motivations of hackers for targeting elections, the plausible threats to election security, and the effects of real and perceived manipulation.

We argue that foreign intelligence agencies, most prominently Russia's, have plausible motivations and capabilities for some kinds of electoral interference. In addition, there are other actors, such as terrorist groups, partisan activists, and groups with narrow parochial interests, which might seek to manipulate an election. There is a range of possible mechanisms for carrying out these threats, including targeting voters, voting rolls, voting machines, tabulation, and the dissemination of results. We draw on security audits and demonstrated cases of previous Russian operations in analyzing these risks. We argue that it is not just the reality of fraud that is concerning, but the perception of it. The effects of perceived illegitimacy can be deeply damaging and perhaps harder to counteract. In particular, persistent questions about electoral integrity may by itself advance foreign interests.

We put forth five recommendations for improving the cybersecurity of elections, showing their integrity, and guarding against threats. First, the federal government should designate election systems as critical infrastructure, catalyzing additional federal and state attention to improving cybersecurity. Second, backed by federal funding, states should purchase and deploy voting machines that generate a voter-verifiable paper audit trail. Third, states should expand their use of pre-election security audits to identify and remediate vulnerabilities. Fourth, states should establish or improve their post-election audit procedures, applying statistically rigorous methods to increase confidence in the reported results. Lastly, the United States should outline a clear policy on the seriousness of electoral interference as a means of deterring foreign adversaries.