In 2018, the United States—for the first time in its history—held elections amidst wide-ranging efforts to protect this vital democratic process from foreign cyber threats. The Russian hacking and disinformation operations during the 2016 elections caught government officials, political campaigns, and voters unprepared and caused unprecedented controversies. For the 2018 mid-term elections, actions by local, state, and federal governments, the private sector, and civil society attempted to prevent the U.S. body politic from again being damaged by foreign cyber intrusions and information warfare. The 2018 elections ended without the cyber crises that marked the 2016 elections, but this outcome should not obscure the difficulties encountered this year in protecting U.S. elections from cyber threats. Despite progress, 2018 ended with the United States facing a daunting, unfinished policy agenda on strengthening election cybersecurity and responding to cyber-enabled disinformation campaigns aimed at dividing citizens and discrediting democracy.
Never before has a U.S. election cycle witnessed governmental, commercial, and non-governmental activities on election cybersecurity and cyber-enabled influence operations on the scale seen in 2018. This level of effort was achieved despite President Donald J. Trump’s continued reluctance to show leadership in responding to Russian behavior. During a July summit, President Trump appeared to accept Vladimir Putin’s denial of Russian election meddling, a contentious statement so at odds with the facts that Trump had walk back what he said. Indeed, more evidence appeared in 2018, including from Facebook and reports prepared for the Senate, of the scale and intensity of Russian cyber interference during the 2016 election season.
Failure of presidential leadership did not prevent the federal government, private sector, and civil society from acting against the threats of cyberattacks on election systems and disinformation campaigns. The U.S. government indicted and sanctioned Russian officials for their roles in the cyber operations against the U.S. elections in 2016. Congress appropriated $380 million to help states improve election cybersecurity. The Department of Homeland Security (DHS) led initiatives, including improved information sharing, that deepened federal-state cooperation and strengthened state and local election cybersecurity. Legislators proposed laws, such as the Secure Elections Act, that would improve election cybersecurity. U.S. Cyber Command began offensive cyber operations to warn Russian operatives not to interfere with U.S. elections. The Department of Justice and social media companies, including Twitter, took action to address the spread of foreign-source disinformation. Google, academic institutions, and think tanks continued or developed ideas, strategies, and tools to help political campaigns, political officials, and voters cope with foreign cyber threats.
The effectiveness of these activities is difficult to assess. Improvements in election cybersecurity were made in 2018, but neither the 2016 nor the 2018 elections saw cyberattacks that disrupted U.S. election infrastructure, which might mean that Russia did not prioritize such attacks. Indeed, in 2016 and 2018, Russia’s primary efforts involved disinformation operations not manipulation of election systems. Statements by U.S. officials, companies, and experts throughout 2018 that Russia was, again, weaponizing social media on a large-scale to affect a U.S. election indicate that the indictments, sanctions, defensive measures (e.g., taking down social media accounts linked to Russian operatives) and threats of cyber retaliation intended to deter Russia from precisely this behavior did not have sufficient deterrent effect. Further, domestic actors copied the “Russian playbook” in spreading misinformation during the 2018 elections, which benefited Russia by blurring foreign and domestic activities.
Looking ahead, election cybersecurity requires consolidating and expanding the progress achieved in 2018, which demands White House leadership, robust commitment from DHS, the passage of new laws, and additional federal funding for hardening election systems against cyber intrusions. Although DHS will remain a key catalyst and partner, the politically divided Congress that begins in January 2019 might have difficulty adopting the laws and appropriating the funds necessary to advance election cybersecurity, especially without a crisis from the 2018 elections galvanizing action. Continued action is, however, imperative. Russia and other adversaries might have closely watched the 2018 elections to assess changes in U.S. election cybersecurity in order to develop strategies for targeting election systems in 2020.
In terms of disinformation operations, less consensus exists about how to counter this threat, which might metastasize more in 2020 as artificial intelligence and “deep fakes” enhance the arsenal of information warfare. The scale of Russian information warfare during the 2016 and 2018 elections have produced calls for dramatic measures, such as regulating social media and inflicting damage on foreign states rather than just threatening it. A divided Congress will have trouble imposing regulations on social media. To have a credible deterrent effect for 2020, the U.S. government would have to retaliate more harshly against Russia for its interference in the 2018 elections—an escalation this White House appears unlikely to take.
Thus, the efforts against cyber threats to U.S. elections in 2018 only constitute the end of the beginning for this critical policy area.