On Election Security

The ideas and thoughts presented in this piece are my own.

Election security has been a hot topic of late.

US adversaries have perceived an opening in our volatile domestic politics since the 2000s, and have increased information and influence operations designed to attack our collective trust in every aspect of our elections — from voting; to tabulating votes; to disseminating the results;?to polling places, voting processes, laws, and infrastructure; to the legitimacy of the voters, the candidates themselves, and ultimately the winners of elections.

Our elections are a core aspect of our representative democracy. They are based on the concept of "one person, one vote", that the vote cast be understandable and verifiable at the time by the voter, and auditable by spot checks of the process, and able to be accurately counted, and re-counted when necessary. Every voter deserves to know that their lawful vote will count, and that their vote will not be altered, nor offset by an unlawful vote.

But because a person's vote is private and cannot be independently verified by the voter after the fact, it is a process that is fundamentally based on trust: trust in the process, trust in those conducting the process, and trust in the systems we have built. Whether elected, appointed, or hired, we trust that election officials at all levels of government will execute the duties of their office in a way that implements the decisions of voters.

Recently, a colleague asked me to speak at a forum sponsored by the Carter Center, President Jimmy Carter's service organization, and the Tommy G. Thompson Center on Public Leadership. The idea was to get together election officials, researchers, and experts to talk about the process of conducting elections, and why the process, while complex and imperfect like all processes, can be trusted to reflect the will of the people.

My message is simple: from a technical cybersecurity standpoint, nothing is completely secure. Any system that uses hardware or software, and has humans involved, can be "hacked". This is a fact of life. But there is a counterbalance to that, which is that elections are distributed, and countless checks, balances, and dedicated people are involved in the process. It is our job to keep elections secure, auditable, and trustworthy.

The general and midterm elections since 2016 have been objectively the most secure and reliable elections, from a technical and cybersecurity perspective, that we have ever conducted in this country. Our elections are designated as national critical infrastructure, which affords them additional resources and protections, to include assistance to the local, county, and state governments that do the work of implementing our elections.

But while maintaining robust technical defense of our elections is of critical importance, it's not the technical cybersecurity of elections that concerns me. We are being attacked in the cognitive domain: information and influence operations across social media and on encrypted platforms like Telegram spread rumors, misinformation, and misconstrued or misunderstood out-of-context tidbits of information, all with a single purpose:

To destroy the trust that Americans have in the administration and outcomes of our elections, which strikes at the very heart of the legitimacy we collectively grant those who represent our interests in government.

This coincides with a decline in trust in institutions across society, whether it is the media, universities, politicians, experts, public servants — or elections.

As someone who works in the cyber domain, one thing I hear a lot relative to election security is that the security concerns would be fixed if we went back to paper ballots. The perception is that elections can be "hacked", and the results can be altered undetectably by a bad actor. US adversaries have deep interest in doing everything they can to?increase exactly that distrust and doubt.?

They don't have to "hack" our elections — they don't need to expose themselves to that risk. All they have to do is perpetuate the idea that elections can't be trusted, and they are having great success with this strategy.

And that is the core issue. It's not one of the specific models or vendors of voting machines, or of precise laws or rules for absentee voting, or mail-in voting, or drop boxes, or voter identification, or get-out-the-vote drives, or whether it is theoretically possible to compromise some particular aspect of our voting systems.

It is trust in the process.

We could have exclusively paper ballots, and we would still be facing the same issue: a large and growing number of Americans don't trust the process. And that lack of trust is not based in actual, provable problems with voting or elections. It is based on the perception that our elections are being manipulated, and that the results cannot be trusted. No single person is going to ever be able to personally witness and verify every vote cast and counted, even with paper ballots; in the end, it still comes back to the fundamental issue of trust.

The various claims about voting systems or alleged improprieties — even when countered with valid and benign explanations — are beside the point. For every issue that is addressed, the explanation is either rejected, or another objection or issue is raised.?

This is no longer an issue of "cybersecurity" or "election hacking". Our own collective trust in society and in each other is what has been compromised, and the purpose is to destabilize and disrupt our society, in order to serve the interests of our adversaries.

We are rapidly approaching a time where artificial intelligence systems will be able to generate photos, audio, and video that are indistinguishable from reality. Believing what it is that you think you're seeing with your own eyes — at least when disseminated online — will no longer be an option when malign actors can create not just a photo, but a video, complete with audio, appearing to show anything. This is beyond deepfakes: it is cognitive warfare.

Our adversaries know this. They see this as a vulnerability. Arguing about whether the United States is a democracy or a republic — as occurred at this forum — is just another symptom of our ailment (it's both: our federal constitutional republic is a type of representative democracy).

When I cast a vote, I am not concerned about the vote being properly counted. What I am concerned about is that increasing numbers of my fellow citizens who see themselves on the "losing" side of an election will believe the election was illegitimate; that it has been stolen — regardless of the candidate or party that has won or lost. Instead of collectively agreeing to compromise in our imperfect system of shared and competitive governance, this tradition has now been replaced by a belief that sinister forces have actively compromised the results and every part of the process — and that those responsible for securing our elections are complicit.

We are a diverse society with a wide array of people, all with our own hopes, ideas, families, and dreams. We have implemented an imperfect system of government, but one that is still the best this world has ever seen, especially when viewed in the context of our collective power to do good for humanity.

What has enabled this system to continue to exist is our trust in each other, our trust in the rule of law, our trust in the frameworks that we have built for ourselves as individuals, and together as a society. When we lose that trust, we lose one of the core components of our strength — again both as individuals, and together as a society. The loss of trust weakens us as a nation.

There are forces in the world that want to weaken us as a nation, especially without the need to engage in open warfare.

America is too powerful for any adversary to defeat militarily, so these adversaries look to use own divisions to destroy us.

Don't let them.

The ideas and thoughts presented in this piece are my own.