The Email Election

A campaign that has been defined by email hacks, email leaks, and email investigations has left the public bruised

October 28, 2016

This campaign has at times appeared to turn on emails.

There have been email hacks; email leaks; and (once again) email investigations.

Unusually, a campaign that has defied precedents at every turn has also given rise to a new level of speculation not previously witnessed about whether actors outside of the electoral system will breach American cybersecurity defences to interfere with the results of the vote for a new president. 

On the one side, Republican candidate Donald Trump has been openly postulating that the election will be “rigged” against him – more so in the final weeks of the campaign as polls show his chances of winning fading away.

On the other side, Democrat Hillary Clinton’s campaign has been dogged by leaks of hacked emails, including from the Democratic National Committee and campaign chairman John Podesta. Hackers have also made serious attempts at breaching voter registration systems in at least 20 states, succeeding in at least two of them.

The Obama administration has blamed Russia for hacking and releasing the Democrat emails in an attempt “to interfere with the U.S. election process.” Officials say most of the hacking attempts against states likely originated in Russia as well.

This campaign has illustrated the two main ways elections are vulnerable to cyber interference: attacks that target how votes are counted and cast, and attacks that target electoral processes and institutions more broadly. Each presents its own challenges and potential solutions. But when the integrity of election results is called into question, the answer may have less to do with technology and more to do with building public trust in the system.

Hacking voting machines

In a sense, the U.S. national election can be seen as about 10,000 smaller elections happening simultaneously. That’s because there is no single, central national election system. Instead, states and counties are responsible for running their own elections, including choosing and operating voting machines and tabulating votes.

Their vulnerability to attack varies widely. Voting machines are not directly connected to the Internet, but in some cases they might be linked to election-administration computers that are. Malicious programs can also be installed in voting machines physically or through infected ballot cartridges, Princeton computer science researcher Andrew Appel told a U.S. Senate committee hearing last month.

Further complicating the situation, about 10 states primarily use Direct Recording Electronic (DRE) machines, which use touch-screen computers or similar technology to record votes without tracking them on paper, Appel said. If hackers broke into these machines to change or delete votes, there would be no way to verify it against a physical voting record.

It’s not unheard of for hackers to meddle in another country’s elections. In 2014, a pro-Russian group hacked into Ukraine’s central election computers, deleting files and altering vote counts. But the highly fragmented nature of the U.S. election system makes it less likely to fall victim to the kind of co-ordinated attack that would sway the results of a national election. The chairman of the U.S. Electoral Assistance Commission, Thomas Hicks, told a Washington Post panel it would take “an army” of people to pull off that kind of operation. However, in a tight race, the outcome in one state – or even one district – could tip the balance of a presidential election.

Other election hacks

But there is more than one way to “hack” an election. Other means can instead aim to disrupt different parts of the electoral process – and that’s why countries like Canada, where electronic voting is not widespread, should still pay attention.

For example, in Arizona and Illinois this summer, hackers compromised voter registration databases. In Illinois, they stole the personal data of 200,000 voters. This information is valuable because it can be used to misdirect voters on election day – for instance, by sending them to vote at the wrong place or time – or to delete registered users from the system, making it more difficult for them to vote and possibly causing delays that can deter people from voting.

Similarly, hackers could also meddle with local campaign office data, such as schedules for driving voters to the polls as part of get-out-the-vote efforts. Or they could steal and publish campaign donors’ personal information, which could deter supporters from donating for fear of having their data exposed. Or, as seen in the DNC and Podesta hacks, hackers could attempt to influence an election by releasing or manipulating potentially-damaging information about a candidate to sway public opinion.

Security and transparency

The challenges facing the international community when it comes to election cybersecurity are in some ways similar to other global cyber threats, such as corporate espionage or attacks on electronic infrastructure. There has been a growing movement to establish international norms against cyberattacks on other states, as recommended by the Global Commission on Internet Governance. For example, the UN Group of Governmental Experts that was convened to examine global cyber threats recommended in 2015 that member states should respect international law in their use of cyber technologies and refrain from cyberattacks on other states’ critical infrastructure. According to Scott Shackelford of the Center for Applied Cybersecurity Research, “This critical infrastructure norm — to which many of the cyberpowers, including Russia, have already agreed — could be leveraged to explicitly include elections.”

There are a number of steps election organizers and national security officials can take to protect the integrity of their systems from cyber intrusions. The Department of Homeland Security already works with local election bodies, at their request, to scan for cybersecurity vulnerabilities and help fix them. It also trains local election workers to detect and respond to security threats.

But as with other cyber threats, the threats to elections – whether they come from foreign or domestic sources – can never be completely eliminated. That is why it is important to ensure public trust in elections as a democratic institution, so that when there is a breach, the public will believe it has been appropriately corrected.

And that is why there is so much concern about Trump convincing his supporters that the election is rigged against them. “The biggest threats to the integrity of this November’s election and our democratic system are attempts to undermine public confidence in the reliability of that system,” Lawrence Norden of the Brennan Center for Justice wrote in his testimony to a U.S. Senate committee. “Any attempt to attack our voting systems is far more likely to sow doubt about results than it is to change a large numbers of votes.”

There are steps election officials can take to build trust in the system quite apart from technical measures. For example, planned and rigorous audits should be conducted after elections to detect anomalies and verify the system’s integrity. Experts agree that some form of paper balloting is essential for this.

Election officials should also be as transparent as possible with the public. Detailed voting results should be easily accessible and audit findings should be widely shared. The more information is open and available, the harder it is for allegations of secrecy or collusion levelled against election bodies to gain traction.

When bad actors use Internet technology to meddle in voting or campaigning, the results can be disruptive but often temporary. Far more damaging would be if the public lost faith in elections as a fundamental institution of democracy. Building the accountability and transparency of electoral systems is the best possible defence against it.

Openness is the antidote to the corrosive effects of these hacks, leaks, and probes. 

This article first appeared on October 17 under the headline 'How To Restore Public Trust After Campaign Hacks'

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Stephanie MacLellan is a digital democracy fellow with the Public Policy Forum.