The Russian interference in the 2016 U.S. election—designed, according to the U.S. intelligence community, to hurt Hillary Rodham Clinton and help Donald J. Trump—was an unprecedented and successful attack on the integrity of the U.S. political process. As such, it should have been a wake-up call to the United States: if Russia could utilize the online domain—through computer hacking and social media manipulation and propaganda—to play such an important role in a U.S. election once, then it would do so again. Indeed, Director of National Intelligence Daniel Coats warned in July 2018 that Russia is continuing to try to “wreak havoc over our elections,” even if the evidence, so far, of the 2018 midterm elections being affected by outside interference is inconclusive. Other states and even nonstate actors will also likely seek to emulate this model.
The United States has yet to respond with an effective agenda designed to safeguard the democratic process against foreign interference. President Trump waited until he had been in office for eighteen months and the midterm elections were less than one hundred days away before he finally convened a pro forma National Security Council meeting to address the topic, but no major new authorities or initiatives resulted. He subsequently signed an executive order to punish perpetrators of election interference, but its effect remains unclear. The efforts of the Department of Homeland Security (DHS), the FBI, and other agencies lack the necessary resources, focus, and coordination with private companies and state agencies on the front lines of this information war. To deter future foreign interference in U.S. politics, the United States should make countering and deterring foreign interference a top national security priority. This necessitates that the United States restructure its national security apparatus to identify and counter foreign interference in cyberspace, partner with democratic allies, and impose significant costs on those responsible for such attacks.
A Three-Pronged Approach
To get serious about protecting the political process, Washington needs to ensure both the technical integrity of the voting system and that voters are not subjected to foreign influence operations that violate U.S. campaign laws. A three-pronged approach would serve this aim.
First, the United States should adopt an unambiguous declaratory policy on election interference. The president should create a clear red line to deter other countries. This statement, going beyond President Barack Obama’s designation of elections as critical infrastructure, would make clear that a cyberattack on America would be met with a robust retaliatory response, including economic sanctions, diplomatic isolation, and counter cyberattacks.
Second, the United States should improve its defenses against election interference. It can achieve this goal by creating a new agency for cybersecurity to make safeguarding elections a top priority. DHS is currently responsible for protecting civilian infrastructure, including election systems, from cyberattacks. But as former CIA Director David Petraeus notes, DHS “has such a vast portfolio of responsibilities that it can’t possibly give cybersecurity the attention and resources it requires.” One option, advocated by Petraeus and former Defense Department officials Michele Flournoy and Michael Sulmeyer, is to create an entirely new agency “to give cybersecurity the attention and resources it requires.” The United Kingdom did just that in 2016 when it created the National Cybersecurity Center. An offshoot of the GCHQ (Britain’s version of the National Security Agency), the National Cybersecurity Center is tasked with keeping British citizens, companies, and government agencies safe from cyberattacks. The United States moved in a similar direction in November 2018 with the establishment within DHS of the Cybersecurity and Infrastructure Security Agency (CISA). But it remains unclear how the agency will address its missions and whether it can be effective within a DHS bureaucracy largely focused on other priorities. A better option would be to make CISA either a stand-alone agency or, at least, a more autonomous agency within DHS, like the FBI within the Department of Justice (DOJ), so that it could fully develop its own culture and capabilities.
In this new capacity, CISA should take on the critical role of fusing foreign and domestic intelligence and sharing it with partners across government and beyond. It should also work with states and local election boards to protect voting systems, including creating backup procedures if electronic voting systems are compromised. Congress has already appropriated $400 million for election security; this new agency could ensure such funds are spent effectively. At a minimum, Congress should mandate that all election boards keep a paper trail of online voting—which roughly a dozen states do not currently do. CISA should work with campaigns, given that private campaign emails have been stolen and leaked and are an obvious target for foreign hackers. Protecting campaign computer systems is critical to ensuring a fair democratic process and therefore should be recognized as a major concern for the U.S. government and a core mission of the new cybersecurity agency. In addition, the cybersecurity agency should have a branch office in Silicon Valley to coordinate intelligence sharing with major technology and social media companies. Because so much foreign election interference takes place on private platforms such as Facebook, Google, Twitter, and YouTube, enhancing coordination between the government and the tech community is critical. The government will need to be more willing to declassify information and grant security clearances to select technology executives.
CISA should also systematically notify the public of covert attempts to influence the political process. The German Marshall Fund of the United States, a private think tank, created the online tracking service Hamilton 68 to highlight the latest themes Russian-linked accounts are pushing on Twitter. The German Marshall Fund’s initiative is well intentioned but lacks the necessary resources. This service should be provided by the U.S. government, drawing on the capabilities of the intelligence community. It would complement the new Justice Department policy to notify those being targeted by influence campaigns. The cybersecurity agency would update the public regularly about foreign influence operations. Those who have interacted with suspected foreign operatives online should receive an alert, similar to the way Google notifies Gmail users when they have been hacked.
Because the manipulation of votes occurs on private social media platforms, Congress needs to develop regulation to combat the spread of disinformation and protect the data privacy of social media users. The question is no longer whether to regulate technology companies but how. Senator Mark Warner (D-VA) has outlined a series of thoughtful proposals, which should be developed into legislation. These include requiring platforms to identify inauthentic and automated accounts; holding platforms legally accountable for defamation if they fail to respond quickly to take down libelous content (just as is currently the case for copyright infringement); and mandating that platforms publicly disclose the source of funding for political advertising and prominently label the sponsor of any political advertisement—just as television, radio, and print media already do. The Federal Election Commission and CISA could be empowered to enforce compliance.
In addition, Washington should ramp up enforcement of the Foreign Agents Registration Act (FARA) and expand U.S. counterintelligence efforts against foreign influence, not just espionage. Paul Manafort and Rick Gates, Trump’s former campaign manager and deputy campaign manager, respectively, acted as emissaries of pro-Russian Ukrainian oligarchs, and through them for the Kremlin, without registering as foreign agents. And if they had not gotten embroiled in Special Counsel Robert Mueller’s investigation, they likely would never have been brought to justice. Under FARA, individuals working on behalf of foreign governments are supposed to register with the Department of Justice within ten days of agreeing to represent a foreign client, and they must file reports every six months on what they did and how much they were paid. But a 2016 audit by the DOJ inspector general found that FARA enforcement is lax and relies primarily on voluntary compliance. Congress should appropriate funds for the DOJ to enhance FARA enforcement and change its focus from encouraging compliance to punishing noncompliant parties.
Further, Washington should enhance international cooperation in fighting election interference. Such interference is not an issue for the United States alone. Russia has targeted the Baltic states, Britain, France, Italy, Montenegro, and other countries with its covert influence operations. The North Atlantic Treaty Organization (NATO) has already made clear that cyberattacks and election interference will be regarded as a violation of the Article 5 mutual defense provision. With U.S. assistance, NATO should devote greater resources to protecting member states from election interference and cyberattacks in general, beginning with setting up a new Cyberspace Operations Center as agreed to at the 2018 Brussels summit. The United States need not take the lead in this effort, but it makes sense to devote greater U.S. resources to this mutual defense initiative because attacks on NATO member states that influence their politics can destabilize the alliance and threaten U.S. security.
Third, the United States should impose costs on countries that meddle in democratic elections. Just as the fight against terrorism requires a mixture of offensive and defensive measures, election security also needs to include an offensive component. To begin, the United States should automatically sanction countries that interfere with elections. The Trump administration has failed to adequately implement sanctions, but two competing pieces of legislation would force its hand. The Defending Elections From Threats by Establishing Redlines Act of 2018, introduced by Senators Marco Rubio (R-FL) and Chris Van Hollen (D-MD), would impose automatic sanctions on any country found to be interfering in a U.S. election—without any possibility of a presidential waiver. If Russia were found to be interfering again, the act would require, within ten days, a wide variety of sanctions on the Russian oil industry, financial institutions, and individual political figures and oligarchs. A competing bill, written by Senators Bob Menendez (D-NJ) and Lindsey Graham (R-SC), would go even further. It would slap stringent sanctions on Russian sovereign debt sales, energy projects, and banks while also targeting the financial holdings of Russian leaders, including President Vladimir Putin. Whatever the exact form of the sanctions, it is imperative that the United States do more to impose a greater cost on Russia for election interference in order to deter Moscow and other actors in the future.
The United States should also significantly expand public diplomacy efforts abroad. Many authoritarian countries have closed down space for free and independent media, leaving state-controlled media as the only source of information. The United States should significantly expand support for broadcasters and online content providers such as Voice of America and Radio Free Europe/Radio Liberty and devote greater resources to penetrating foreign firewalls. After almost two years of inaction, the Trump administration has finally begun to spend $80 million allocated by Congress to the Global Engagement Center (GEC) to combat Russian propaganda. These efforts should be ramped up quickly.
In addition, the United States should develop tools to expose autocrats. The intelligence community should be tasked with exposing the corruption of autocrats, arguably their biggest vulnerability. The intelligence community is understandably reticent to publicly disclose sensitive information, but this hesitation often prevents the citizens of foreign countries from learning important information about their leaders. The United States would have to be particularly careful about using this tactic, but when faced with a country actively interfering in domestic politics, the United States should respond by exposing those leaders.
U.S. elections will never be entirely secure from foreign interference. The United States will always be a wide-open, unruly democracy in which competing factions and individuals make their voices heard. But there is little rationale for tolerating election interference. Implementing the recommendations outlined above would cost an estimated few billion dollars in additional spending—less than 0.1 percent of the Pentagon’s budget—yet they would be a significant step in protecting the U.S. election system and deterring foreign actors from interfering in the U.S. democratic process. Although there is widespread bipartisan support in Congress for stronger action, congressional leaders have not moved legislation forward, often seemingly at the behest of the White House. But Congress and the administration need to act now, to reduce foreign interference and increase the security of elections before an attack as bad as the one in 2016—or even worse—occurs in the future. The legitimacy of the U.S. government rests upon the sanctity of the political process. If foreign actors continue to manipulate U.S. politics to their benefit, they will do incalculable damage to American democracy. The very future of the United States as a sovereign nation will be placed in doubt if people lose faith in the electoral process.