Editor’s Note: CNN political commentator Robby Mook ran the 2015-16 presidential campaign for Hillary Clinton and is now a senior fellow at Harvard University. The opinions expressed in this commentary are his.
Election security has come under scrutiny over the last year – and deservedly so. The 2016 election opened our eyes to how new technologies we rushed to purchase after the butterfly ballots and hanging chads of the 2000 election created new vulnerabilities hard to imagine at the time.
We have known how bad this problem is for over a year, so the logical question is: What have we done about it?
Sadly, not as much as we could have. But the reasons are more complicated than you might think.
Secretaries of state and state and local election administrators have been scrutinized for hardware, software, and vendor choices. This scrutiny is healthy, but often fails to address the big picture: Yes, our election equipment and procedures are in need of an upgrade, but so are the policies that shape those choices in the first place.
The reality is that, even when officials want to do the right thing, red tape, contorted lines of authority and a lack of resources and inaction from Congress and state legislatures often hold them back. Our laws, procedures and financial commitment to elections need fixing – and that won’t happen unless we pressure our lawmakers to do it.
Many people don’t realize that election system is not monolithic. It is not run like the Transportation Security Administration, a national bureaucracy with a unified leadership structure, budget and security protocols. Quite the opposite – there are around 7,000 election jurisdictions nationwide. Some states run their elections centrally, some delegate authority to counties or localities.
Everything from budgets, equipment, human resources and policy are set differently and at different levels of government. Even the titular heads of elections vary by state, ranging from an elected “secretary of state” to administrators or commissions selected by governors or legislators. The system’s diversity can make it more resistant to attack, but it also means one-size-fits-all solutions aren’t workable.
Moreover, election officials at every level are confined within the restraints of law, budget and bureaucratic architecture as much as any other part of government. Even if an election official decides her state needs new machines with a paper audit trail, she can’t necessarily go out and buy them – she may need the legislature to appropriate millions of dollars and go through a procurement process.
Similarly, if she feels that her state needs new software, she may be locked into a contract her predecessor put in place years ago. The same applies to vendor security. Many contracts were put in place without strict provisions about reporting security incidents, or allowing third party audits. Cybersecurity simply wasn’t top of mind even a few years ago.
Then there’s the question of who controls cybersecurity in the first place. Some election officials are able to hire their own cybersecurity staff, others have to work through a central cybersecurity office run by the governor. You get the idea; there are many hurdles that prevent quick fixes.
There are other complications. The integrity of our election system is ultimately a question of perception, not reality. The Russians don’t actually need to manipulate vote tallies to achieve their desired outcome of distrust and chaos. They need only create the perception of interference. Even if we could completely guard against cyberintrusions – which is impossible – nation states could use social media to spread falsified documents and propaganda, or steal emails of election officials, to make people believe that an election was rigged.
Given this reality, we can’t just secure databases and machines, we have to secure our civic ecosystem against the kind of foreign-born lies and distractions that we saw documented in Friday’s indictment of Russians by special counsel Robert Mueller. This requires collaboration between our national security and intelligence services, law enforcement, social media platforms and our election officials.
Congress must act to align our intelligence services so they will be best equipped to detect and prevent information operations. Social media platforms should not wait for rules or regulations to fully disclose the content that is spread on their platforms and force users to declare who they are. It would also be beneficial if they’d mandate that only humans can traffic information, not botnets.
Our election system is deeply vulnerable and in dire need of an upgrade. We don’t need more evidence of that.
We need to start posing the right questions to policymakers. Do election administrators have the funding they need to make necessary improvements to our election systems and the tools to hold vendors accountable for security? Do they have access to the intelligence they need to anticipate incoming threats? And are the state’s IT and procurement systems sufficiently modern to account for a dynamic threat like cybersecurity?
None of these challenges should be excuses for negligence, but they explain why change has been painfully slow. We must focus our attention and advocacy on the people who can really change all of this: our legislators, especially our state legislators and governors, who have the power to remove financial, bureaucratic, and policy hurdles that slow reform. Congress has a unique ability to bring financial and intelligence resources to bear.
There is good legislation ready for a vote. At the federal level, a bipartisan group of senators have introduced a very sound bill that would provide states with an infusion of money, badly needed intelligence on cyberthreats, and federal support to get election technology up to date and keep it current. Yet another bipartisan bill has been introduced to better utilize national security tools to reduce foreign manipulation of elections.
We should all support these bills. They’re not just common sense, they’re solutions that have been staring us in the face for years. Members of the House and Senate should be pressured to bring them to a vote before the election recess.
Although congressional action is critical, state legislatures are even more important. After all, they fundamentally write our election rules. They could appropriate funds and untangle bureaucracy, so election administrators could get to work immediately making needed changes. We must hold their feet to the fire, too.
We will never know exactly what effect foreign propaganda had on the 2016 election. As for hacking, it seems nation states were never able to manipulate vote totals or quite literally hack the election. But unless we act now, we may not be so sure next time.