How to Think About Election Cybersecurity: A Guide for Policymakers

The drama of modern American elections boasts a full cast of characters. There are voters, who make up their minds about whom to support in a turbulent information environment; there are political campaigns, which increasingly rely on digital tools alongside traditional methods to operate and persuade voters; and on the frontlines, there are state and local election officials, who have primary responsibility for administering elections in the country’s 8,000 voting jurisdictions. Running secure and trusted elections has never been a simple production. After the 2016 election, during which the Russian government launched an unprecedented attack on the United States’ democratic institutions, it is even more complicated. 

In responding to the weakness exposed in the 2016 election, the United States finds itself having an enormously complex election security discussion. For some, election cybersecurity is a story about Russian influence operations. For others, it tells of the dangers of Big Tech. For others still, it is about the persistent challenges of election administration. In truth, it is all these stories, and more. It is difficult to think of another issue that straddles so many different communities of practice and expertise, that is as likely to shift so rapidly as technological capabilities evolve, and that is so central to our democratic process. These realities present at least two challenges to productive conversations. 

First, because election cybersecurity means radically different things to different communities even as they engage overlapping material, what is often missing is a clear understanding of which piece of the debate is being considered, as well as an articulation of where that piece fits in the larger story of election cybersecurity. 

Second, in addition to the urgent, short-term steps that need to be taken to improve our election cybersecurity before the 2018 midterm and 2020 presidential elections, more questions loom on the horizon. While it is difficult to create space to consider the medium-term while the short-term is so urgent, the seriousness of the questions on the horizon demands that we do so.

This report is a response to those two challenges. Rather than repeat analysis that the election security emergency has already inspired, we aim to provide a guide to understanding that body of work and the implications for the future. The report offers a brief history of voting reforms to place this conversation in a broader context. Then, it breaks down the threat of election hacking into three separate threats: manipulating voters, manipulating votes, and causing disruption. These distinctions offer a conceptual framework through which to understand the current state of response to the 2016 election. Finally, the report looks forward to consider key questions looming just beyond the current debate, and the factors to consider in responding to them.