US Elections 2020 and the Cybersecurity Challenges

A few hours after the calling of the 2020 US election results from the various states in favour of the challenger, former Vice-president Joseph R. Biden, the incumbent President Donald J. Trump charged that the election was ‘rigged’.1 The US elections were held under tremendous scrutiny, given the widespread apprehension that foreign agencies might try to interfere again through the cyberspace domain, as was alleged to have happened in the 2016 elections.

The US electoral process begins with the primary elections and caucuses to select a potential presidential nominee. The primaries use secret ballots for voting. The voting procedure varies from state to state and some autonomy is granted to the states with respect to the voting rules.2 Each political party selects a presidential nominee and a vice-presidential mate. To win the election, a candidate must receive a majority of electoral votes from an ‘Electoral College’.3 This exclusive and exhaustive US system of election, however, is also not immune from security threats.

Potential security threats include disinformation campaigns, fake news, software hurdles, data breaches, ransomware attacks, ballot tampering, and even attacks on physical infrastructure. These threats can have serious repercussions on the democratic process and have national security implications, especially so if the involvement of a foreign government is established in executing these threats. Due to the ongoing pandemic, the 2020 US elections saw an increased use of online ballot delivery and returns. Cyber-enabled elections are inherently prone to hacks and data manipulation, which can potentially alter the electoral results.

Cyber vulnerabilities during elections

One month prior to the US elections, reports noted that registered Democratic voters had received threatening emails from the White nationalist group, Proud Boys, demanding that the recipients vote for Trump in the upcoming presidential election.4 These emails, according to the Director of National Intelligence, John Ratcliffe and FBI Director, Christopher A. Wray, were actually spoofed emails from Iran. Also, some publicly available voter registration information was obtained by Iran and Russia with the intention to harm Trump’s re-election efforts.5 The 2016 US Presidential elections had similar allegations about Russian hackers spreading misinformation via fake profiles on social media.  Such campaigns are designed to intimidate voters and sway their preferences.

Disinformation is defined as the purposeful dissemination of false information intended to mislead or cause harm.6 Digital platforms have increased the vulnerability of the general public to manipulation by such false information. Targeted digital advertising on social media platforms prior to elections is a common form of spreading propaganda and influencing public opinion. According to a Facebook review of ad buys, around 3000 ads, focussed on divisive social and political messages by a number of non-authentic accounts and pages, likely operated out of Russia, were bought from June 2015 to September 2017.7

Fake news is a term related to disinformation but distinct from it. It refers to misleading content on social media that can range from false information about the chosen candidates of political parties to feeding marginalised populations with false or partially true information.8 It can also be intended to create confusion. For instance, it could include spreading false registration deadlines or election messages in order to disrupt the smooth functioning of the electoral process.9 In order to curb the menace of fake news, there needs to be a certain level of awareness among people to get voting information only from verified election offices.

Software like Democracy Live’s OmniBallot, online voting app Voatz, etc. provide electronic ballot solutions. These software have been used in a number of elections, especially by the US military, differently-abled citizens and overseas citizens.10 OmniBallot is used for online voting by at least three states in the US — West Virginia, Delaware and New Jersey. Other states like Utah and Colorado have conducted pilots of the online voting app, Voatz.

Researchers from MIT and University of Michigan have flagged the possible cyber threats and flaws in the OmniBallot system. OmniBallot’s electronic ballot return (online voting) function, for instance, cannot achieve software independence or end-to-end verifiability, the two key goals for secure Internet voting.11 End-to-end verifiability (E2E) is a technique that scientists have been working on for several years to ensure secure remote voting. Researchers had reverse-engineered the OmniBallot app and stated that OmniBallot makes use of third party software and services like AngularJS, FingerprintJS, Google Analytics, reCAPTCHA and Democracy Live and is vulnerable to vote manipulation.

Apart from software hurdles, the online voter registration systems are vulnerable to cyberattacks from hackers, including nation-state actors, to gain access to voter registration database. The US Cybersecurity and Infrastructure Security Agency (CISA) election infrastructure cyber risk assessment report therefore had recommended measures like same-day registration and provisional ballots to reduce the impact of integrity attacks to voter registration databases. Same-day registration, however, also utilizes network connected technology such as electronic poll books, which again are vulnerable to cyber risks.12

Trump’s allegations on election irregularities

Trump has repeatedly claimed that cyber frauds have occurred in the 2020 US elections, although there is no evidence for the same. He has alleged that the Democrats have ‘stolen’ the elections from him, which he was ‘easily winning’. 13 The Trump campaign has filed lawsuits in Georgia, Nevada and Pennsylvania, alleging that the ‘mail-in ballots’ were ‘improper’. Trump even fired the Director of CISA, Christopher Krebs, accusing him of issuing a “highly inaccurate” statement when Krebs refuted claims about election fraud. Most recently, the lawsuit in Nevada was denied while that in Georgia was dismissed by the court due to lack of substantial evidence. 14

According to CISA, 2020 US elections had security measures like pre-election testing, state certification of voting equipment, software checks, logic and accuracy tests, multiple audits of the voting software, including a post-election logic and accuracy test of the voting system, to ensure accuracy and reliability.15  The CISA also offered a suite of free, voluntary services to election officials to minimize cyber risks. These included a Phishing Campaign Assessment, Vulnerability Scanning and Remote Penetration Testing to identify and mitigate vulnerabilities in election systems.16 In a joint statement, the Election Infrastructure Government Coordinating Council and the Election Infrastructure Coordinating Executive Committees, have certified the November 3, 2020 US elections as the most secure in American history.17 

Conclusion

Cyber-enabled elections are definitely prudent and efficient as they reduce manual efforts by speeding up the counting of ballots, reduce the cost of elections, and can provide increased voter participation. But there are risks associated with such processes. The onus lies on the election officials to put in place safe, secure, transparent and efficient systems. Use of high-end technologies, ensuring end-to-end verifiability, protection of voter database, managing risks to the election infrastructure and curbing the menace of disinformation are important goals in building confidence and trust in the e-electoral system.

Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.

Keywords: Cyber Security, Elections