The Brennan Center for Justice recently released a fairly thorough, well done report on the security needs and vulnerabilities of the U.S. election system—a topic of considerable attention here at the Institute.  It’s a vital element of the current debate and discussion of democracy administration and national security.  This is the first of a three-part series examining the Brennan Report on election security.

This new policy work is a good illustration of the quality work people at the Brennan Center produce, and it offers a good outline and discussion about our election system. However, we have some disagreements with the content and its portrayal of certain aspects of our election system. For sake of avoiding redundancy, we need not review or comment on the areas of agreement with our colleagues and friends at Brennan—we encourage you read their work. Rather, our 3-part series here focuses on our where we differ.

The Brennan Report is one of the first works to recognize that there are multiple differentiated paths with which a malicious actor could compromise an American election, which we will refer to as:

  1. Subversion (direct-result-manipulation);
  2. Defamation (de-legitimizing elections); and
  3. Disruption (diminishing turnout—technically a form of suppression).

1. Subversion (Direct Result Manipulation)

This is exactly what it sounds like: the alteration of election results to favor one candidate over others. The most straightforward way to alter election results in such a direct fashion is to access and alter (“hack”) voter tallies, either by adding additional votes or by deleting or changing existing votes. (A common misconception born out of it making good theater for news reporting is the notion of a criminal hacker attacking a ballot-casting device in a polling place.  Actually that is not a likely scenario, although it is certainly a potential avenue.  The more likely point of attack is the machinery that tally the ballots from the precincts—either at a precinct-level or back in the central election office for the entire jurisdiction). When most people consider election tampering they tend to think of this direct-result-manipulation, but in fact, these attacks are relatively uncommon, at least in the U.S.  As the Brennan Center points out in their report while discussing Russian interference in the 2016 election: “while it is important to emphasize that there is no evidence these actions changed the vote count, the attack makes clear that our country is not immune from foreign interference in our elections.” Put another way, protection from direct-result-manipulation is hardly the bar we should be aiming for; there are other threats to consider.

2. Defamation (De-Legitimizing Elections)

This is one of those "other threats."  It involves undermining voter’s confidence in elections and the end result.  De-legitimization attacks can involve disinformation campaigns, the mere discovery of a direct-result-manipulation attempt, and other forms of tampering. The ultimate goal of de-legitimization strategies is not necessarily to change the election result, although this is possible by affecting how voters view the election, but rather to throw doubt on the entire process.  The Brennan Security Report explains, “Russia’s primary goal is to sow chaos, not necessarily to support a particular candidate.” It turns out that the perception that an election has been compromised can be more dangerous that an election actually being compromised.

3. Disruption (Diminishing Turnout)

The third and final vector of election assault is technically a form of suppression—in this case, that means efforts to discourage or disable participation.  For this type of an assault, a malicious actor can attack an election by diminishing its accessibility, or at least creating such a perception. This ties into the voter registration vulnerabilities discussed in the Brennan Security Report.  By manipulating voter registration systems assailants can prevent legitimate voters from exercising their right to cast a ballot. Altering party affiliations or addresses for registered voters can result in voters not being sent their absentee ballots or being turned away at the poll booth, at least temporarily, which if nothing else, will cause a disruption and result in longer poll lines. If these assaults were targeted to certain regions they could easily alter the result of the election or appear to do so which would then de-legitimize the election.

Assessing the Threats

The Brennan Report describes the existence of these three avenues of attack on elections and we commend them. However, the remainder of their report does not take into account all of these threats in terms of addressing prevention (and any one of these three methods can compromise an election.)  To increase the security of elections we must be able to prevent all of them.  Each security method or protection should be discussed in terms of which form of attack it prevents and which vulnerabilities it opens up.

For example, the report points to the built-in protection of a distributed system, calling it: “perhaps the most important measure of protection.” Essentially, because the US election system is dispersed over thousands of counties it becomes more difficult to attack all of them in some systematic or coordinated matter.  There are two problems with this theory.

  1. First, there is no need for a coordinated or systematic broad attack to disrupt or throw an election.  A highly targeted attack in a very contentious swing state jurisdiction where an electoral vote lies in the balance may be all that is required. 
  2. Second, while a distributed system makes attacking a large number of jurisdictions more difficult, this only deals with one threat avenue—direct-result-manipulation. It does nothing to prevent the de-legitimization of an election, or diminishing turnout (the suppression of votes). Voter registration files can still be compromised and disinformation campaigns can still run unimpeded by this so-called built-in protection. Even the threat that highly distributed disjoint systems supposedly addresses is done so, inadequately. There are a variety of election systems used throughout America’s 3,300 counties and some 7,000 jurisdictions, but these systems are remarkably similar making the number of techniques required to compromise the various machinery far lower than we would expect. There are only about five or six fundamentally different types of voting systems. Add to this our first observation of requiring only a targeted attack, and the notion of a highly diffused, distributed hodge-podge of voting machinery is not adequate protection against a determined adversary.  

We cannot rely on a distributed system to protect our election; it’s a false sense of security, and hardly a protection at all, but rather a feature of our election infrastructure that happens to make compromising our voting systems somewhat less convenient—but only slightly when one considers that a widespread attack is simply unnecessary.

In fact, measures that protect from one of these threats may even catalyze vulnerabilities to another method.  Case in point: The Brennan Report astutely recommends post-election audits as a way to detect for election tampering. We wholeheartedly agree, but this only protects direct-result-manipulation. It ironically, can actually make de-legitimization easier.  If counties performed risk limiting audits and a few detected a high degree of variance or even revealed an apparent attempt to tamper with an election, combining that revelation with a disinformation campaign could throw the entire election into doubt and descend the process into chaos. This is absolutely not to say that risk limiting audits are ill-advised (hardly the case), only that we should be cognizant of how each security measure interacts with the various vulnerabilities of election systems. In this example, they do not protect against disinformation attacks.

The Brennan Report correctly identified the multifaceted threat environment of elections. While we agree with this view, the OSET Institute's position is that any security assessment of election systems and any policy prescription or recommendations that follow, should be predicated on how they interact with all of these threats.

Next time, we examine some of the Brennan recommendations.  Your comments are encouraged as always!

Sergio
Election Infrastructure Analyst
Office of the CTO

Comment