The Washington PostDemocracy Dies in Darkness

How the U.S. can prepare for a major election hack

A New York Board of Elections employee demonstrates the use of a ballot scanner in 2016. (Drew Angerer/Getty Images)
Placeholder while article actions load

Before the 2016 election, at least 21 U.S. states’ registration databases or websites were targeted by hackers and seven states were successfully “compromised,” although there’s no evidence that votes were altered. As U.S. intelligence agencies recently made clear, the risk to voting systems continues in 2018. Foreign actors could target registration records, electronic voting machines or vote tabulations. Because American elections are controlled by individual states that employ a wide array of voting systems, a localized breach is especially feasible.

Amplifying the danger is that many Americans will react to vote manipulation somewhere in the United States with doubts about election results everywhere. Even if this interference does not actually change an election outcome, people may use any breach to cast doubt on outcomes they don’t want to believe. This havoc is precisely what Russia wants.

Even without a major breach of voting systems, U.S. politicians, including Roy Moore and Jill Stein, have proclaimed electoral fraud. President Trump still asserts there was massive fraud in 2016, and many believe him. In an August poll, 68 percent of Republicans agreed that “millions of illegal immigrants voted” in 2016 and 47 percent believed Trump won the popular vote.

Is democracy in a worldwide decline? Nope. Here’s our data.

One response to this foreign threat is to bolster election security, which has been lagging ahead of the 2018 election. But U.S. authorities also need to think about what would happen after the election if there’s a breach to voting systems. The experiences of Kenya in 2007 or Honduras in 2017 show how disputed elections can spiral into violence.

How can Americans respond to this possibility? Here are two key lessons from other countries, including U.S. allies in Europe that have years of experience countering Russian misinformation and attacks.

Here's what we know about the Kremlin's playbook for creating division in the U.S. (Video: Jenny Starrs/The Washington Post)

Lesson No. 1: State election authorities need a plan

After a breach, the first line of defense will be state election officials. These officials can learn from international experts and countries such as Estonia, Norway and Sweden that have repeatedly faced Russian hacking attempts. As a recent Senate report explains, Nordic countries have pursued a proactive “whole of society” approach, including teaching media literacy in schools, training political parties and empowering state agencies to identify and counter disinformation around elections. Sweden even used a popular cartoon character, Bamse the Bear, to teach kids about fake Internet rumors.

At a minimum, state election officials need a plan to audit their elections and communicate with journalists and citizens. Informing citizens about recount procedures and election security “can help make them less susceptible to rumors, disinformation, and sensationalist fears,” a Council on Foreign Relations report says. For instance, after Ghana’s disputed 2012 election, the Supreme Court broadcast the resulting 50-day trial live on television to maximize transparency. Widely watched by Ghanaians, the trial affirmed the results and helped to ensure the decision was met without violence.

Belated efforts to improve cybersecurity information-sharing between the federal government and states can also extend to coordinating information among states, which could prove critical in reacting quickly to election manipulation. This could be modeled after the extensive intelligence-sharing among European allies, who recently founded an ambitious E.U./NATO operation headquartered in Finland to counter Russian threats.

Although not foolproof, a key security principle is maintaining paper ballot records, either as the primary form of voting or as a backup record. Fifteen U.S. states have some precincts with no paper vote record. As old-fashioned as it sounds, there has been a turn away from electronic voting in Ireland, the Netherlands and Pennsylvania. Dutch authorities switched entirely to hand-counted paper ballots in a 2017 election after a wave of cyberattacks.

Ukraine’s 2014 election illustrates how paper ballots can be critical to election legitimacy. Four days before the election, pro-Russian hackers shut down the national vote tabulation system, forcing an emergency reboot. In a separate infiltration, a virus was caught minutes before it released false election results to the media. (Somehow, Russian state television still reported those false results.) Luckily, because Ukraine used paper ballots, the votes themselves were un-hackable and the results easily audited.

Lesson No. 2: Nonpartisan actors are critical

The ability of state officials to reassure voters after a breach may be limited if they’re perceived as partisans. In the U.S. states, all but two secretaries of state are affiliated with a party. When election disputes arise, figures such as Katherine Harris and Kris Kobach have typically been viewed through a partisan lens.

There is potential value in establishing a nonpartisan body that can identify potential problems and evaluate election results after the fact. In several countries, including the United States, independent teams have helped to expose election vulnerabilities before elections, from security problems with Estonia’s Internet voting to a flaw in Indian voting machines that allowed a hidden Bluetooth radio to change votes.

Nonpartisan experts also have played an important role in disputed elections. In Mexico’s 2006 presidential election, Manuel López Obrador alleged fraud after his razor-thin loss. The resulting protests threatened to push Mexico into chaos. A targeted recount by a federal election tribunal run by the judiciary and a clean report by a European Union observation team helped to signal the election’s accuracy and partially tamp down the opposition.

The United States also could benefit from an independent group tasked with reacting to a foreign election breach. A nonpartisan team of experts on cybersecurity, election technology and forensic analysis could rapidly evaluate the extent of manipulation, ideally assuring citizens the breach is limited. The team could be a key source for journalists and a means to coordinate information among state officials.

Some politicians and Americans will undoubtedly ignore the team’s conclusions. But if team members have established bona fides and security clearances (to access sensitive information), they may help to minimize disorder and distrust.

Getting rid of gerrymandering is harder than you think.

With the November 2018 election fast approaching, foreign election interference remains a real threat. A foreign breach — even if limited and quickly identified — could lead many Americans to wonder if there were other, unnoticed breaches.

Heading off the impact of a breach requires serious planning now, not on Nov. 7. The United States needs credible, coordinated information that can reassure skeptical voters — especially election losers who tend to see the electoral process as more flawed and democracy as less desirable. The stakes are high, as democracy withers without broad confidence in elections.

Michael K. Miller is associate professor of political science and international affairs at George Washington University and a founder of Authoritarian Warning Survey (@authwarning).