- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Responding to reports that Russian hackers stole voter lists in Arizona and Illinois, federal officials are scrambling to help states protect voting systems from cyberattacks in the next sixty days. Secretary of Homeland Security Jeh Johnson has warned election officials in all fifty states that voting systems could be compromised and offered federal support. Private cybersecurity firms have offered assistance on a pro bono basis as have a large number of white hat hackers.
Yet the enormity of the challenge raises questions about the effectiveness of making voting systems immune from cyberattack before election day. According to the New York Times, some 9,000 jurisdictions have a role in overseeing voting. An accurate count of the number of polling places, let alone the numbers and types of voting machines does not exist. While the National Institute of Standards and Technology has issued guidance on securing them (hint: don’t connect them to the internet), the ability of election officials to thwart an advanced and dedicated adversary like Russia is limited. Even disconnecting systems is no panacea. If Russia were motivated enough, a Stuxnet-like piece of malware could be introduced into systems.
More likely than not, Russia will not go to those lengths. Instead of a multiyear campaign carried out by the FSB, the Kremlin is more likely to employ some of its favorite patriotic hackers to conduct less sophisticated but still disruptive attacks. As former National Security Council official Richard Clarke and others have hypothesized, Russia could create chaos on election day simply by deleting voters from voter lists. These individuals would be forced to cast provisional ballots, causing delays at voting lines and throwing into doubt early election results.
In short, fortifying our voting system so it will deflect any attempts by Russia to interfere with it are likely to fall short. Instead, Russia must be deterred from making the attempt. That begins and ends with Congress.
Normally, the standard operating procedure following the leaked details of an FBI investigation would be some strong words at a White House press briefing, possibly followed by a formal rebuke from the State Department. Given the partisan nature of the issue and President Obama’s outspoken support for Secretary Clinton, Moscow is likely to interpret his administration’s threats as empty. Meddling in the election could, after all, replace the current commander-in-chief with someone who continues to praise Putin.
That is why Congress must take the first step in coordination with the Obama administration. Congress should issue a resolution condemning interference in our election by cyber or other means, accompanied by a joint statement of the leaders of the House and Senate. The resolution should make clear that the United States will regard any foreign attempt to interfere with the outcome of the election as a hostile act. It must be clear that Congress will support the use of all instruments of national power in response to any attempt. At press briefings, when reporters ask if Congress would support military action against Russia, Congressional leaders should refuse to take any responses off the table.
The resolution must demand that Russia provide assistance to the FBI in investigating the two known incidents and actively pursue investigations into other incidents. It must be clear that Washington will hold Moscow responsible for any attacks on the election coming out of Russia. The actions of patriotic hackers will be treated as if they were launched by Putin from his desktop computer. Failure to assist in investigations will be taken as evidence of culpability.
While Congress is issuing a clear, bold and public rebuke of Russia, the Obama administration should covertly deliver a less diplomatic but chilling message. Rolling up known Russian intelligence infrastructure (both cyber and human), targeting Putin’s reportedly vast wealth and that of cronies, and building up military forces in Russia’s near abroad should all be on the table. The goal of this campaign must be to achieve escalation dominance over Russia.
Efforts to secure the voting system from cyberattack should no doubt continue. Investments in technology to protect these systems and make them more secure could reduce or remove the threat in future election cycles (block chain holds some promise here). But in order for the United States to deter Russia, Russia needs to understand that the United States is willing to put more at risk to protect the sanctity of its elections than Russia is to disrupt them.