Next month, America will elect a new president. Most likely there will be no cyber hanging-chad moment, no massive breach that calls into question election results or faith in the democratic process.
But it would be a mistake to breathe a collective sigh of relief on November 9th and conclude the danger is past. The danger is just beginning. The 2016 election is a warning of darker hacks to come.
Director of National Intelligence James Clapper recently announced what many cyber experts had long suspected: High-level Russian officials authorized hacks of the Democratic National Committee and other campaign-related sites.
This is the first time a foreign power has inserted itself directly into an American presidential election. Russian President Vladimir Putin wasn’t just probing our digital systems. He was probing our political response to see how far he could go to sow distrust in the most important cornerstone of any democracy: free and fair elections. Our response has not helped.
FBI Director James Comey has sought to reassure Americans that our decentralized voting system is just too “clunky” for one massive breach to affect the outcome. But sometimes small changes can have big effects. Lyndon Johnson’s 1948 Senate victory hinged on a single sketchy precinct where he was popular with dead voters. The 2000 presidential election was decided by just 537 votes in Florida.
In a tight race, cyber bad actors don’t need to disrupt everything. They just need to hit a few counties in Pennsylvania or Florida, two big battleground states that use electronic voting but in some precincts do not use verifiable paper audit trails to confirm results.
Pennsylvania and Florida are not alone. Thirteen other states lack paper audit trails in either all or some voting locations. Even when a race isn’t tight, nefarious actors do not actually have to throw an election to succeed: Simply casting doubt on the legitimacy of the process in these states could be enough.
Others advocate calling election hacking “acts of war” to deter the Russians. This feels good and sounds tough. But deterrence 101 teaches that if you call something an act of war, you’d better be willing to go to war if it happens.
Declaring an action unacceptable and then accepting it only weakens US credibility everywhere, on every issue. There’s a reason the Pentagon has been careful to avoid this language: It’s unclear how cyber escalation might work or where it could lead. Many cyber weapons have a “use it and lose it” quality. Once they are in the wild, they can be reverse engineered and possibly used against us.
Crossing from the cyber to physical worlds is even more uncertain. What happens if we respond to election “hacks of war” with military strikes? What will the adversary do next? Going up the escalation ladder is a murky and dangerous business with sobering possibilities: Would we really launch nuclear strikes over vote counts in Beaver County, Pennsylvania?
Instead of deterrence by punishment, the US should implement a policy of deterrence by denial. The goal is to deny adversaries the outcomes they seek — in this case, by rendering cyber election hacks insignificant to our democratic process.
The strategy starts by building better defenses, including legislating minimum cyber security standards for party, PAC, and campaign-related websites for presidential elections. That would include paper audit trails in every state, starting with large battlegrounds, so that our election process can be resilient even if attacked.
Building resilience also requires changing minds, not just systems. Public education is essential. Future cyber attacks could alter the integrity of data so the truth will be hard to know.
Today, when a breach occurs, we assume the information released must be true. In the future, we need to assume that anything leaked could be false, designed to deceive and manipulate. Because increasingly, it will.
Finally, the US government needs to start attributing election-related breaches as quickly as possible unless there is a compelling intelligence reason not to. For months, the Russian government’s election hacking was the worst-kept secret in Washington; everyone knew it, but the White House refused to acknowledge it. This sends all the wrong signals, emboldening bad actors to do more tomorrow than they did today.
Fast attribution would help establish international norms that election hacks are outside the bounds of civilized society; move election intrusions from the realm of secret intelligence operations that are rarely discussed to diplomatic agenda items that can be publicly and regularly discussed; and decrease public anxiety by making a vague threat more concrete.
It is one thing to say, “Someone is burglarizing your neighborhood but we’re not sure who,” and quite another to say, “The bad guy stealing in your neighborhood is Vladimir Putin. Here’s his picture. Here’s what you can do to protect yourself.”
The ultimate aim of election hacking is to change how we think about ourselves and our government. If we do not take concerted action now, the 2016 election will be remembered as the warning nobody heeded.