Concerns extend far beyond safeguarding insecure voting machines and questions about voting by mail.
A multifaceted, targeted approach is necessary to bolster election security and protect democratic institutions in the run up to the 2020 election in the U.S., researchers argue.
With just over two months before the 2020 election, intelligence officers in the U.S. have warned that Russia and other rivals are again attempting to undermine the nation’s democracy.
But these concerns over election security extend far beyond safeguarding insecure voting machines and questions about voting by mail in the United States.
Based on an analysis of election reforms in Australia and European Union nations, the researchers outline steps to address election infrastructure security—such as requiring paper ballots and risk-limiting audits—as well as deeper structural interventions to limit the spread of misinformation and combat digital repression.
“In the United States, despite post-2016 funding, still more than two-thirds of U.S. counties report insufficient funding to replace outdated, vulnerable paperless voting machines; further help is needed,” says Scott Shackelford, associate professor of business law and ethics in the Kelley School at Indiana University, executive director of the Ostrom Workshop, and chair of the Cybersecurity Program.
“No nation, however powerful, or tech firm, regardless of its ambitions, is able to safeguard democracies against the full range of threats they face in 2020 and beyond. Only a multifaceted, polycentric approach that makes necessary changes up and down the stack will be up to the task.”
For example, Australia—which has faced threats from China—has taken a distinct approach to protect its democratic institutions, including reclassifying its political parties as “critical infrastructure.” This is a step that the U.S. government has yet to take despite repeated breaches at both the Democratic and Republican national committees.
Aside from appropriating sufficient funds to replace outdated voting machines and tabulation systems, the researchers say that Congress should encourage states to refuse to fund voting machines with paperless ballots. The researchers also suggest requiring risk-limiting audits, which use statistical samples of paper ballots to verify official election results.
Other suggested steps include:
- Congress requiring the National Institute of Standards and Technology to update their voting machine standards, which state and county election officials rely on when deciding which machines to purchase. Australia undertook such a measure.
- Create a National Cybersecurity Safety Board to investigate cyberattacks on U.S. election infrastructure and issue post-elections reports to ensure that vulnerabilities are addressed.
- Work with universities to develop training for election officials nationwide to prepare them for an array of possible scenarios, and creating a cybersecurity guidebook for use by newly elected and appointed election officials.
“With regards to disinformation in particular, the US government could work with the EU to globalize the self-regulatory Code of Practice on Disinformation for social media firms and thus [avoid] thorny First Amendment concerns,” says Anjanette “Angie” Raymond, associate professor of business law and ethics.
“It could also work to create new forums for international information sharing and more effective rapid alert and joint sanctions regimes,” Raymond says.
“The international community has the tools to act and hold accountable those actors that would threaten democratic institutions,” says Abbey Stemler, assistant professor of business law and ethics, who also is a faculty associate at Harvard University’s Berkman Klein Center for Internet and Society.
“Failing the political will to act, pressure from consumer groups and civil society will continue to mount on tech firms, in particular Facebook, which may be sufficient for them to voluntarily expand their efforts in the EU globally, the same way that more firms are beginning to comply with its General Data Protection Regulation globally, as opposed to designing new information systems for each jurisdiction.”
The article has been accepted for publication in the Washington and Lee Law Review. Additional coauthors are from Penn State and Indiana University.