Mon, Nov 7, 2022

Real Risks To the Integrity of the 2022 U.S. Elections Go Beyond Cyber Attacks

As the 2022 U.S. midterm elections approach, a key source of political risk is the integrity of the electoral process. The successful functioning of elections as a means of selecting political leadership in the U.S. is a bedrock principle of American democracy, but also key to maintaining political stability. As we have learned in recent years, when the integrity of the electoral process is in question, it can impair the functioning of the government, threaten political stability and even lead to political violence.

It is crucial to understand that there are two sources of distinct threats to the integrity of the elections. What usually first comes to mind are actual technical threats to the process. Registering to vote, casting votes and counting those votes; these threats can occur in the physical world, but the larger risks today come in the form of potential cyberattacks. However, as the past two years have taught us, non-technical threats, deemed social threats, to the integrity of elections can pose just as significant risk as well.

Technical Threats

In the United States, the fact that election administration is decentralized makes securing elections from cyberattacks that much more challenging. There are opportunities abound for determined adversaries to attempt to undermine the integrity of the voting process using technical means. These are four such potential sources of vulnerabilities:

  • Voter registration: Voters may need to change their voter registration information many times over the course of their lifetime. Voter registration is generally voluntary, not mandatory, which makes the registration process–which has increasingly moved online–as one potential source of attack for adversaries.
  • Voter lists on day of the election: What would the outcome of an election mean if duly registered voters were unable to cast ballots on election day due to poll workers’ inability to access voter registration information because of cyberattacks?
  • Functioning of electronic voting machines: All election districts that rely on electronic voting are ultimately relying on the software that runs those machines to function on election day.
  • Recording and aggregating of vote totals: Finally, perhaps the most serious overarching technical threat to the integrity on any election is if disruptions can be made to the vote counting process.

Reassuringly, successful cyberattacks in past U.S. elections in any of these four areas are practically non-existent. This does not, however, mean that we should be letting our guard down, and the day may come when a determined adversary finds a way to successfully disrupt the registration, voting, or counting process.

Social Threats

There are three distinct types of non-technical threats to the integrity of elections: the promulgation of election specific disinformation about the actual voting process; the general spread of disinformation about candidates; and allegations of non-existent cases of electoral fraud.

While the integrity of any election is dependent on ensuring that all eligible citizens have the opportunity to cast a ballot and registering to vote has arguably become easier via the Internet,  it has also become easier to spread misinformation about the voting process via social media channels.

If the rationale for choosing a government via democratic elections is that it allows voters to gather information about the candidates and then make an informed choice among those candidates as to whom they prefer, then misinformation about candidates, the positions they’ve taken on issues and even features of their personal lives can all serve to “pollute the well” of democratic politics.

In the United States, there are few instances of documented cases of electoral fraud in recent decades. Almost every lawsuit filed alleging fraud in the 2020 presidential election was found to be lacking merit by judges appointed by presidents from both sides of the political aisle. Therefore, today the greater risk to electoral integrity comes not from the actual occurrence of electoral fraud, but rather from political candidates who echo unsubstantiated claims of electoral fraud in an attempt to reject the results of elections. In the aftermath of the 2020 U.S. elections, such claims paralyzed the presidential transition process and eventually led to political violence.

What can we do?

It is crucial that we all function as careful consumers–and sharers–of information both in the lead up to and aftermath of the election. If you come across suspicious information, check its source: is it from a reputable news organization or a meme from a friend? Think twice before sharing information that seems salacious or suspicious. Try to understand the way in which election results are reported–and how the way mail-in-ballots or early votes are counted in your state–and whether that means that the results reported on election night may change in the days to come simply because of the order in which votes are counted.

For firms, it is important to realize that the days following elections in the United States in the 2020s may not be as calm or as clarifying in terms of the results, as they were previously. Be prepared to take the necessary steps to defend democratic institutions before elections take place, so it is clear that your response is not about defending a particular set of results but about supporting the process. Despite what the loudest voices may say on social media, polls show vast majorities of Americans support democratic institutions.

With a clear, collective voice, we should continue to demand that election administration efforts invest in the necessary cyber defenses to protect our elections from anti-democratic adversaries. While such efforts are likely to go unnoticed if they are successful, the costs of potential failures could be astronomical.

Joshua A. Tucker is a Senior Advisor at Kroll. He is also a Professor of Politics and Co-Director of the Center for Social Media and Politics at New York University.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.