To Resist Cyber Interference in America’s Elections, Shore Up Voting Rights Julian Bava

The year is 2028 and two candidates just squared off on Election Day to determine who will be the next President of the United States. Facing the prospect of a narrow loss, the incumbent candidate decides to bring the full force of the executive power to bear. The incumbent declares a national emergency pursuant to the recently enacted “Federal Election Integrity Act of 2027” in response to unspecified reports of foreign tampering with state voting apparatuses, and the incumbent orders a nationwide audit to be completed under federal government supervision. After the audit and a corresponding recount, the incumbent declares victory. If that scenario sounds fantastical, so did the thought of an insurrection at the Capitol incited by the Commander- in-Chief. Admittedly, subtler erosion of our democracy’s vitality is far likelier than an outright coup, though both are preventable. As policymakers grapple with how to secure critical election infrastructure from cyberattack, they must reject the temptation to concentrate overly broad authority to do so within the federal government. Congress and state legislatures instead should improve electoral resilience to cyber interference by eliminating flaws in the democratic process that leave it vulnerable to exploitation.

Election Security and Voter Suppression

Even though the intelligence community reported no evidence of foreign tampering with voting infrastructure, the 2020 Presidential Election was a fiasco. To be sure, the COVID-19 pandemic created an unprecedented need for mail-in and provisional ballots. But even as the pandemic abates, there is no reason to believe that so too will the unfounded specter of voter fraud. We should ask ourselves what this means for election cybersecurity. For starters, although no foreign actor directly manipulated election results, states like Russia and Iran continued their disinformation campaigns aimed at exploiting and exacerbating the stark polarization that defines contemporary American politics. Those who seek to undermine U.S. democracy understand how to take advantage of its social and structural flaws. We must address these shortcomings—from ideological polarization to partisan gerrymandering to voter suppression—to thwart attempts to distort election results through cyber interference. The United States’ decentralized electoral system is one of its greatest defenses against foreign manipulation. Because dozens of governments tabulate ballots and register voters across thousands of jurisdictions, a successful cyberattack on any one piece of election infrastructure is unlikely to compromise an entire election’s integrity. However, hacking registration databases or vote aggregation equipment in a few highly polarized swing jurisdictions conceivably may alter the results of an election. If a not-so-sophisticated actor could delete a small amount of voter registration data in, say, Georgia, then increased restrictions on provisional ballots and get-out-the-vote efforts may swing the next election. While a national plan for countering cyber interference in American elections must include coordinating a federal response strategy and increasing funding to states for improving cybersecurity, that addresses only part of the problem. Federal and state governments must protect voting rights from disingenuous anti-fraud measures, some of which could be enacted in the name of cybersecurity.

Federal Power to Improve Election Integrity: A Double-Edged Sword

The Congress’s power to regulate the “Times, Places and Manner” elections for Senators and Representatives is immense; in conjunction with the power to “determine the Time of chusing the [Presidential] Electors,” that power becomes virtually plenary. That should be cause for healthy concern. Yes, an enthusiastic Congress could use this power to enact uniform cybersecurity measures across the fifty states, or even pass much-needed voting rights reform. Indeed, that is exactly what Congress did in the wake of the 2000 Presidential Election through the Help America Vote Act requiring states to, among other things, upgrade election infrastructure and expand provisional voting. But there is also nothing to prevent a future, gerrymandered congressional majority from employing its Elections Clause authority to preserve its hold on power. The Constitution’s Due Process and Equal Protection guarantees, as well as existing federal law, afford some defense against the most egregious abuses. It is nevertheless uncertain how far the Supreme Court is willing to go to prevent voter suppression. At the very least, missing USB drives are not cause enough for the Court to overturn an election. But what is? In addition to Congress’s unfettered Elections Clause authority, the Executive Branch enjoys broad emergency powers to protect national security. Would the Third Branch realistically intervene should the President curtail voting rights in the name of responding to a foreign cyberattack, real or imagined? Probably not. It is therefore incumbent upon Congress to address election infrastructure security by expanding voting rights before the question ever need be decided.

Election Reform as Sound Cybersecurity Policy

One measure that Congress could take right now to increase election infrastructure resilience to cyberattack would be to pass H.R. 1 (S. 1), the For the People Act. The bill contains a number of items directly related to cybersecurity. Most obviously, it would increase funding for upgrading voting systems, require auditable paper ballots, establish a rewards program for independent cybersecurity assessments of election infrastructure, and improve federal-local information sharing. But the bill’s voter protections would produce positive externalities in the cyber realm too. It would require automatic voter registration, curb voter roll purges, mandate access to provisional ballots, expand early voting and vote-by-mail, and require non-partisan redistricting, among myriad other provisions. Expanding the voter pool and reducing electoral distortions would go a long way to limiting the impact a cyberattack could have on the integrity of U.S. elections. Reforms that establish baseline voter protections are preferable to more heavy-handed calls for direct federal control over election cybersecurity. In fact, the Cybersecurity and Infrastructure Agency (CISA), situated under the Department of Homeland Security’s umbrella, makes clear that measures like same-day voter registration and allowing individuals to cast provisional ballots “likely” to reduce the impact of attacks on voter registration systems. There can be little doubt about the positive relationship between prophylactic voting rights measures and practical cybersecurity. These efforts would not only protect our elections against interference, but they would also preserve states’ role in the electoral process while simultaneously strengthening American democracy. In an era where democratic values have been under perennial assault, there is no better place for federal and state governments to act.