OCTOBER 2019 | AROUND THE ABA

Experts weigh in on waking up to cyber threats to 2020 elections

The 2020 presidential election campaign is well underway, but the fallout from cyberattacks during the 2016 election continues to reverberate.

“It’s time to wake up,” said Ruth Hill Bro, a privacy and cybersecurity attorney who served as moderator for the webinar, “Hacking Elections: Cyber Threats, Vulnerabilities, and the Way Forward.” “Cybercrime is rapidly becoming the greatest threat facing all businesses, including government.”

Bro, co-chair of the ABA Cybersecurity Legal Task Force, was joined by a panel of experts who discussed cyber threats to elections, including foreign interference, the changing nature of threats, the thinking behind threats and election system reforms.

Cyberattack costs are escalating, the risks are multiplying and the targets are increasing, Bro said. “Everybody is becoming a target, but law firms especially,” she said. “They (hackers) are looking for the weakest link.”

As laws continue to change, elections and critical infrastructure become high stakes in cybercrimes. Bro noted that “things are changing so fast that people want to wait until things have settled, but you have to act now.” She advises lawyers to stay up to date with trends and issues around data protection and security.

“As lawyers, we have an obligation to know this,” Bro said. “It’s part of our professional responsibility … to understand this technology and the effects it could have on our clients.”  

Panelist Suzanne Spaulding, senior adviser for Homeland Security at the Center for Strategic and International Studies in Washington, D.C., focused her presentation on Russian cyberattacks on the United States.

 “We have been gathering evidence over the last year-and-a-half of propaganda and information operations targeting and eroding public confidence in the independence and impartiality and competence in our justice system,” she said.

The U.S. sees the targets, online, in media outlets and “in official statements from Putin and other senior Russian officials,” Spaulding added.

She has been working with the ABA Standing Committee on Law and National Security to “train judges and build resilience in these institutions, but most importantly, in the public against this pernicious messaging and disinformation that erodes trust and that is trying to get people to disengage.”

The attacks were prevalent during the run-up to the midterms, and Spaulding pointed to the use of the hashtag, #disengage.

Said Spaulding: “Putin would like nothing more than the American public to be where so much of his population is.… to shrug our shoulders at our inability to discern the truth at our institutions and to stop trying to hold them accountable to live up to our aspiration, but to give up on aspirations and to give up on democracy.”

She recommended a source for developing strategies to fend off cyberattacks: Harvard Kennedy School’s Defending Digital Democracy Project.

Panelist Lucy L. Thomson, a principal at Livingston PLLC in Washington, D.C., said that even though U.S. elections are conducted in a decentralized way (9,000 jurisdictions administering elections involving more than 175,000 precincts), election systems still are vulnerable to attacks.

These attacks could include embarrassing candidates with stolen confidential information, covertly created social media pages to spread disinformation and divisive messages as well as divisive narratives that would appeal to international media outlets.

Thomson and Spaulding said cyberattacks involve both propaganda and technology and that each may require a different type of reform.

Because the U.S. uses various voter equipment and databases instead of a single national vote counting and reporting system, it makes it harder for a hacker to hit them all, said David S. Turetsky, professor of Homeland Security and Cybersecurity at the University at Albany, SUNY.

However, if vulnerabilities in state and local jurisdictions exist, there is the potential for a wide impact if attackers are deliberate and seek the most vulnerable systems. 

Turetsky said that close elections, such as the 2000 presidential election, have “widespread” impacts and that the one thing that connects the entire system is “trust.”

In addition to loss of trust, other cascading effects of close elections Turetsky identified include chaos, delays and reduced participation.

Russia isn’t the only actor in election meddling. China and Iran are also potential threats, according to William A. Carter, deputy director and fellow, technology policy program at the Center for Strategic and International Studies.

Carter said he’s most worried about election night reporting. If results are called into question, it would become a “huge” operations issue and could “permanently undermine confidence” in the voting system.

“It’s hard to imagine how we would go forward and reconstitute confidence in our elections if it’s been demonstrated they can be breached and manipulated,” he said.

 “The way that we disseminate the result of the election, the way that we understand and engage with our candidates and officials – that is the key vulnerability that our key adversaries will continue to try to exploit in 2020,” Carter added.

He said that leveraging transparency is a strength; however, “as soon as we try to regulate, it’s a First Amendment issue.”

The panelists proposed the following steps to strengthen the election system:

In the short term:

  • Designate election systems as critical infrastructure
  • Increase resilience by using voter-verified paper ballots and conducting postelection audits
  • Replace outdated voting machines
  • Secure voter registration systems and e-pollbooks
  • Increase funding and training
  • Expand information sharing
  • Address propaganda by passing the Honest Ads Act

Top priorities for 2020:

  • Learn from coordinated information-sharing
  • Enhance cybersecurity protections and training
  • Address chronic underfunding of elections
  • Create norms; support law enforcement
  • Develop capacity to respond to major incidents
  • Address propaganda

The webinar, available to ABA members on demand, is sponsored by the ABA Cybersecurity Legal Task Force and ABA CLE.

Topic: