Protecting U.S. Elections in the Time of CoronavirusSeptember 2020
Topics: Policy, Information Security
The U.S. intelligence community concluded that adversaries like Russia attempted to interfere with the 2016 presidential election. Those adversaries are at it again. In a roundtable discussion, three of MITRE’s top experts in election integrity gave their thoughts on the threats we face, how they’ve evolved, and what might be done about them. We've also summarized our guidance in a new report, Six Steps to a Safe, Trusted Election in November.
Why is election integrity so difficult? What are the biggest threats to election integrity in 2020?
Samuel Visner, director, National Cybersecurity FFRDC (NCF): Administering a free and fair election in a large and diverse democracy is particularly challenging for a country like ours that's governed in a decentralized manner. We rely upon the integrity and competence of state and local officials. Equipping local officials in all 3,069 U.S. counties with the tools they need to administer elections properly isn't easy.
The discussion on this topic has focused on national races. But any question regarding the integrity of even the most local of races can cast doubt on the integrity of the entire elections process, potentially leading to voter apathy and low voter turnout. The election ecosystem consists of voting machines, vote tally systems, election-night reporting systems, voter registration systems, and electronic poll books. We also have news media and social media carrying messages attempting to sway voter sentiment.
Safeguarding the integrity of all these systems, at local, state, and national levels is complex and requires constant vigilance.
What’s different about election integrity in 2020 compared to 2016?
Emily Frye, co-lead for election integrity: Four years ago, we were less aware as a nation that cyber threats were going to hit our election systems. In 2020, the nation has much greater awareness and coordination, and a body of tools in place—both through state initiative and the Election Integrity Information Sharing and Analysis Center (EI ISAC). The threat is greater, but our preparedness is greater too.
The complications created by the pandemic are another difference. We don’t have a playbook based on the lessons from the 1918 flu, and as a society, so much has changed that we need to create new options anyway. Our communications mechanisms are faster and more ubiquitous. And international influence efforts have the potential to divide Americans.
We need to provide the nation with tools and capabilities to pull together, not split apart. To stay safe, rather than to expose the vulnerable. To maximize voter clarity and turnout, rather than confuse people so they make mistakes or forego voting because they're uncertain how to proceed.
Where has there been progress since 2016? What needs the most work?
Frye: The problems with misinformation (information that is inaccurate) and disinformation (false information that is intended to deceive) in the digital ecosystem have become more pronounced. As the intelligence community recently made public, Russia, China, and Iran all have specific agendas and are actively seeking to influence our citizens. Today, we have SQUINT [an app that helps election officials communicate proactively with voters and local media] and individual efforts by social media platforms—but to me, this is the place where we need to dive deep and work hardest this fall.
How might adversaries influence and change the vote tally?
Visner: We haven’t seen evidence that large-scale changes in the vote tally have resulted from efforts to alter recorded results. Yes, adversaries are targeting our voting infrastructure, and we need to protect it. These attacks on our voting infrastructure can raise questions that may undermine confidence in those systems, even if they’re not successful.
But it’s even easier for adversaries to undermine Americans’ confidence in our election results and to sway voter sentiment through influence operations. The director of the National Counterintelligence and Security Center issued a statement in July that called out Russia, China, and Iran for pursuing a range of influence operations that seek to sway races or simply undermine confidence in our democratic system.
Is voting by mail a safe option during the COVID-19 pandemic?
Marc Schneider, co-lead, election integrity: It’s worth noting up front that voter fraud has been extremely rare. Over the last 20 years, the highest rate of voter fraud has been 0.0046 percent. The highest vote-by-mail voter fraud has been 0.0001 percent. You can compare that against the likelihood of an asteroid hitting the Earth on the day before the election, which is 0.41 percent.
There’s been talk about rejected mail-in ballots in this year’s California primary—1.06 percent, which is much higher than the national average. Of those rejected ballots, 69 percent were because the ballots missed the deadline, and 27 percent were rejected because of signature related issues, such as the signatures not matching or no signature at all.
There are 19 states that offer “ballot curing,” where the state can send letters and emails that give the voter a chance to address a rejected ballot. We could further reduce the number of rejected ballots if more states adopted this practice.
Compare that to the total number of ballots cast nationwide – 0.73 percent of ballots missed the deadline, and 0.28 percent of ballots had signature issues. California has put in place new policies to mitigate these issues.
Election fraud is very rare, but when it has occurred it primarily affected local races, where a relatively small number of votes can sway the outcome. It would likely require the resources of a nation-state adversary to harvest enough ballots to tip the balance in a presidential or congressional race.
Much has been done to help make sure that voting by mail is done securely. You typically mark your ballot and put it into an envelope, seal it, and then put that into a second envelope, which you sign, along with a witness in some states. Once election officials receive the envelope, they check the signatures on the outer envelope against a signature database, open it, and then put the blank envelope with the ballot into a different stream for processing. Systems like the U.S. Postal Service’s Intelligent Mail barcodes can track ballots from when they leave the election office, arrive at your home, and return to the election office, giving visibility into the process.
Even with the resources of a nation-state, an adversary would still need to manipulate the ballots in such a way as to avoid detection by the security measures in place. This is virtually impossible to do at scale.
The National Institute of Standards and Technology has issued guidelines to help state and local government officials better protect IT systems used to support elections. Where else can those officials turn for useful information?
Schneider: MITRE has published guidance that goes into specific technical details that state and local government officials may find helpful for protecting the integrity of voter registration databases. They can also leverage the Center for Internet Security’s election security best practices, and the Global Cyber Alliance’s Elections Toolkit.
—interviews conducted by Jeremy Singer
Explore More at MITRE Focal Point: Critical Infrastructure