America makes some strides in securing elections from Russia

The 2016 election made clear that our digitized election systems are vulnerable. Many ballot machines, voter registration systems, and election management systems were antiquated. Political campaigns had feeble cybersecurity practices and were not ready for damaging online attacks. Social media platforms ignored the risks of data mining and propaganda operations. We were unprepared for Russian tactics two years ago.

But it will be different this time. Election officials at all levels of government have made substantial efforts to secure our election infrastructure. Basic cybersecurity practices have been applied across most of the 50 states, and more than $800 million of federal and state funding has been allocated to secure election systems against online threats, including $380 million appropriated by Congress. More than 30 states are spending on new defenses to prepare for the 2018 election, conducting cybersecurity assessments and training, implementing stronger authentication and access controls for election systems, and replacing vulnerable ballot machines and voter registration systems.


Federal agencies have programs to protect campaigns and election systems and to practice incident response plans for cyberattacks on election systems. The Department of Homeland Security named election systems as critical infrastructure last year and created two information sharing and analysis centers to share cybersecurity information among election officials. It has also held a three-day exercise with 44 states to practice coordinated responses to cyberattacks. Both it and the Federal Bureau of Investigation have cybersecurity training and support programs for campaign and election officials across the country.

Delaware and Pennsylvania will have voter verifiable paper audit trails for all votes by the 2020 election. Florida and Missouri already use paper ballots for all but their accessible systems for voters with disabilities, and five more states have committed to implementing voter verifiable paper audit trails, although they may not be ready by the 2020 election. Some states have gone even further. California has allocated $134 million to upgrade and secure its election systems and has established an office of elections cybersecurity within the office of the secretary of state.

There is more to do. All 50 states need voter verifiable paper audit trails and manual audits of those paper records to identify any manipulation of electronic voting records. Public officials must allocate funding to robust cybersecurity practices for election systems, including voter registration, election management, and election night reporting, and to maintain and upgrade these systems. Campaign and election officials must do more with the Department of Homeland Security and the Federal Bureau of Investigation to secure their systems, and take advantage of initiatives by private companies. But it is wrong to say we are unprepared this time.

Russia did not manipulate or disrupt voting in 2016. Hardening voting machinery would not have protected us in that election. Russia used stolen documents, social media manipulation, conspiracy theories, and false narratives promoted in the news. Russian trolls continue to promote conspiracy theories and divisive rhetoric, groups linked to Iran are using crude campaigns to imitate Russian tactics, and scammers in Bangladesh have even exploited political causes on social media to sell shirts.

The dilemma for Russia is that the scare tactics of 2016 will be less effective in 2018. Information operations will not be as disruptive. Social media companies are increasing transparency and countering malicious content on their platforms, and the public has become rightly skeptical of sensational stories on social media. Campaigns and party organizations have strengthened cybersecurity to keep documents and email more secure. The real question is what Russia will decide to do next. Will it replay the 2016 formula, try something new, or just sit back and enjoy the spectacle? We have made it harder to use the cheap attacks launched before. This means interfering with electoral machinery, while more difficult and riskier, might be more attractive than it was before.

This points to the greatest weakness in our election defenses. We were too slow to impose consequences on Russia for election interference. The Obama administration took no action when it found out what was going on months before the 2016 election. The Trump administration did not impose sanctions on Russia for election interference until earlier this year. All this emboldens the bad actors because Russia and others still think there are no serious penalties for interference and manipulation.

If Russia yields to temptation in the midterms, it will find this country is better prepared, even if not fully secure. Election officials will need to continue to work to strengthen defense of their systems. Social media companies must step up efforts to combat manipulative behavior on their platforms. Most of all, the United States must send a credible message that election interference will be swiftly punished. This means a public statement by the government to make a clear and direct threat of retaliation. Without that, all our hard work may be for nothing.

James Lewis is a senior vice president and director of the technology policy program at the Center for Strategic and International Studies. William Carter is a resident fellow and deputy director of the technology policy program at the Center for Strategic and International Studies.