In this year’s Preventive Priorities Survey, a cyberattack on U.S. critical infrastructure was ranked as the number one threat. Given heightened tensions with Iran following the death of Qasem Soleimani, ongoing Russian election interference, and the ever-present prospect that tensions with China could boil over, the likelihood of a significant cyberattack on the United States in the next year is high.
Whether the target will be the electoral system or the electrical system will depend on which actor is carrying out the attack and for what reason. The most recent Worldwide Threat Assessment [PDF] concluded that Iran has the capability to conduct disruptive attacks against corporate networks, China could disrupt natural gas pipelines, and Russia could do the same for the electric grid. All three countries—and North Korea—have already begun operations to influence the 2020 election.
While Russia was not explicitly identified as the leading source of concern, the U.S. intelligence community has unequivocally stated that Russia used cyber means to influence the outcome of the 2016 presidential election. Russia has now twice tested its capability to use cyber means to shut down the power grid in Ukraine. These outages, which were of limited duration and scope, were likely trial runs for a larger attack against an adversary, such as the United States, with which it does not enjoy the same overwhelming conventional dominance as it does against Ukraine.
Although Russia has thus far confined its election interference to influence and information operations against the United States, it may choose to change its tactics if efforts to combat these operations are successful. Russia might choose to move from a narrow, targeted attempt to sway opinions or change votes to a disruptive attack that would cast doubt on the legitimacy of the outcome of the election. If Russia uses its capability to cause a local, temporary disruption of the power grid on election day on the coasts—or even more localized events (say shutting down traffic lights in a blue area of a swing state like Michigan) that frustrate efforts of voters to get to the polls—its actions would, at a minimum, reduce turnout and harm faith in the election process.
Fears that Russia and other nations might interfere in the United States’ 2020 presidential election have led to renewed efforts to secure voting systems and to press social media companies to do a better job of ridding their platforms of bots and Russian trolls. With almost a year to go, there is some hope that the United States will be better positioned to contain these disinformation and misinformation campaigns in the fall than it was in 2016.
However, at this stage, there is likely little the United States can do before the November elections to secure the power grid or other critical infrastructure. While local, state, and federal governments and agencies should undertake a crash effort to find and root out foreign actors inside critical infrastructure, the resources and authorities for doing so are currently unavailable. Instead, the best course of action for deterring such activity is for President Donald J. Trump, his Democratic rivals, and Congress to issue a clear message that election interference will not be tolerated and will be viewed as a hostile act that invites a harsh response. To create a deterrent effect, the president should be clear about the kinds of responses that the United States would consider. Should these warnings fail to materialize, the Federal Election Commission, the Department of Homeland Security, and state election officials should begin planning now for how they would manage the crisis caused by critical infrastructure disruption around the election.
About the Preventive Priorities Survey
Since 2008, the Council on Foreign Relations’ Center for Preventive Action (CPA) has conducted an annual survey of foreign policy experts for their collective assessments on contingencies that represent the greatest risk to U.S. interests. This year, CPA began soliciting contingencies in October 2019, narrowing down a list of possible conflicts from nearly one thousand suggestions to thirty contingencies deemed likely and potentially harmful to U.S. interests. In early November, CPA sent the survey to nearly six thousand experts and received about five hundred responses. The survey results were scored according to their rankings and the contingencies were sorted into one of three preventive priority tiers (I, II, III) according to their placement on CPA’s risk assessment matrix.
The results reflect the expert opinion of respondents at that time. As such, it should be viewed as a snapshot assessment. Recognizing this, CPA tracks ongoing conflicts with the Global Conflict Tracker. For a database of publicly known state-sponsored cyber incidents since 2005, see CFR’s Cyber Operations Tracker.
View the full results of the Preventive Priorities Survey to see which other contingencies were deemed top tier priorities for 2020.