Shipping News and Reviews

Cyber ​​safety and US election infrastructure


Published: October 27, 2020

As voters take part in the 2020 election, the US faces persistent security threats such as disinformation campaigns, data breaches and election manipulation designed to undermine the integrity of the democratic process. Recent events of Russian and Iranian hackers stealing data in order to threaten and intimidate the voters of Russian actors who are actively targeting state, local and territorial networks show that elections rely on crucial technological tools to ensure process integrity, their disruption would have a debilitating impact on national security and society.

Critical Infrastructure (CI) provides essential services and is the backbone of the country's economy, security and health. From transportation that enables personal mobility and commerce, to electricity that powers our homes and businesses, to telecommunications networks that promote global connectivity – especially amid the pandemic – CI is the linchpin for functioning social, economic and political systems. While these systems have long been exposed to terrorism and natural disaster threats, cyberattacks are among the most destabilizing and underestimated risks. With the rapid digitization of all facets of society and the increasing dependence on information and communication technologies (ICT), attackers, who range from nation states to hacktivists to organized criminal groups, can identify vulnerabilities and apparently infiltrate different systems in order to disrupt services and the harming global society – all without a physical attack. As a designated CI subsector, electoral systems are vital to national and international security (see United States Non-Binding Consensus Report A / 70/174), and electoral security risks can threaten democracies worldwide.

Cyberattacks are increasing in both scope and complexity, placing private businesses and average citizens at the forefront of this national security challenge that we do not fully understand. For example, 99 percent of voting in the US is done on a computer system or machine, but despite the highly computerized nature of the electoral process, it does not get the attention it needs. The 2000 presidential election and controversial Florida recount sparked the first federal initiative under the Help America Vote Act (HAVA) to improve voting machines and set up the Election Assistance Commission (EAC) in 2002, but cybersecurity was not a focus. More than a decade later, the Presidential Election Administration Commission warned of the “impending crisis” of obsolete electoral technology, but as the risks increased, little was done. After several Russia-led cyberattacks aimed at filtering data from government information systems and attacks on the 2016 elections, the US finally realized the urgency to improve its outdated electoral infrastructure and ensure the integrity of all technological tools that enable a fair voting process. It wasn't until 2017 that the electoral infrastructure was designated as part of the federal government's CI sector, which allowed states and municipalities to leverage the government's cybersecurity expertise and access unclassified and classified information to improve resilience. However, the lack of coordination leading up to 2020 has not improved security significantly.

The rapidly evolving cyber landscape and continued use of obsolete technologies for CI make the US and other countries vulnerable and largely undefended targets. In light of the increasing competition for great powers and the challenges from Russia and China, the cyber arena is a geopolitical level for actors to use instruments to disrupt, destroy and undermine the US and advance the foreign policy goals of their opponents. As voters prepare to cast their vote in the 2020 elections, this FP insider report analyzes the underreported problem of voting machine infrastructure security, draws lessons from other countries' experiences with foreign interference, and shows what voters and officials can do to strengthen elections security day – and beyond.

Concerns about electoral interference are widespread on election day. 75 percent of Americans believe that Russia or other foreign governments will try to interfere in the elections. These fears are supported by the United States Intelligence Community (IC), which has identified Russia, China and Iran as the main threats to election security. Analysts agree that Russia is the most persistent threat, but the Trump administration has shifted its and the public's focus to China and Iran, and US Department of Homeland Security (DHS) officials have been ordered to "not conduct intelligence assessments of the threat." Russia surrender more (elections) interference. ”

According to DHS, adversaries are likely to target election-related infrastructures using various cyber tools such as: For example, the exploitation of bad cybersecurity practices in protected voting systems or networks, the compromising of the supply chains of voting systems, the implementation of denial-of-service attacks and much more. While key opponents, particularly Russia, China and Iran, have strategic geopolitical goals, other actors, including advanced threat persistent (ATP) groups and cybercriminals, also pose significant threats to the security of electoral infrastructure.


Russia strives for international recognition and international status and, according to foreign policy experts, tries to restrict and undermine the authority of the USA and to assert itself as a global player with global and regional influence, especially in regions in which there is no great power or in which there are several There are major powers (e.g. the Middle East, the Arctic). Given the US's economic, political and military strength and its participation in NATO, it is unlikely that Russia would initiate a direct conflict with the US, but instead counteract the US, where it could do so at an acceptable cost using non-traditional means such as cyber attacks.

These efforts deepen and become more targeted and refined. Between 2014 and 2017, the Russian government investigated the electoral process and related technology and equipment "that specifically guide activities against US electoral bodies at the state and local levels. This was not the first Russian attack on electoral infrastructure. In addition to the hack in the Democratic National Committee (DNC) in 2016, pro-Russian hackers infiltrated Ukraine's central voting computers in 2014, rendering the voting system inoperable. In the same year, the website of the Polish Electoral Commission was also hacked, and in 2017, suspected Russian hackers leaked emails from the En Mache party ahead of the French elections. Given the proven track record of entering US electoral infrastructure and other electoral systems, experts claim Russia is likely to continue its cyberattacks on voting machines in the 2020 election.


China recognizes economic interdependence with the US and the benefits of engagement with the global international system, and seeks to improve its relative stance worldwide through economic and technological means. China's growing control of the ICT and digital media environment internationally – particularly in 5G, creating the Strategic Support Force in the Chinese military that centralizes the PRC's space, cyber, electronic and psychological warfare capabilities and big data in their belts and Their Road Integrated Initiative (BRI) and the installation of fiber optic networks around the world suggest that China is investing in its cyber capabilities. China's goals are to gain global market share, export its technology and domestic surveillance model overseas. To blame content that is “politically sensitive” and damages the legitimacy of the communist party; Implementation of state-supported media campaigns and cyber espionage operations. For example, China used malware to target Tibetan individuals and organizations, and in 2019 the Chinese government allegedly launched disinformation campaigns during the Taiwanese election.

China prefers former Vice President Joe Biden to win the 2020 elections, according to the director of the National Intelligence Service, and researchers at the Harvard Belfer Center for Science and International Affairs claim China has a higher ability than Russia and Iran to cyber to use goals to achieve his policy. Reported cases of interference in the Chinese elections have mainly been disinformation campaigns, funding of preferred candidates and cyber espionage operations such as attempting to hack the 2020 US presidential campaigns. However, experts agree that China is unlikely to be as active as Russia or similar Russian tactics like direct hacking into US voting machines in this election cycle because of its diverse interests in preserving the PRC's role in cyberspace and strengthen.


Following Stuxnet, a 2010 malware attack against Iranian nuclear facilities, Iran invested more than $ 1 billion in its cyber capabilities to improve its cybersecurity. Iran uses its cyber capabilities in several strategic dimensions, including: monitoring and controlling its indigenous population and preventing another Arab Spring; Project its regional power by targeting the critical infrastructure and data of Israel, Saudi Arabia, Bahrain, and other Persian Gulf countries; and undermine and challenge global powers, particularly the US and UK.

While Iran poses a threat to the US electoral systems due to its cyber espionage activities and attempts to destroy destructive cyber attacks on critical infrastructures such as energy and financial institutions, Russia and China remain relatively more capable nation-state cyber actors – and therefore greater risks. Recent Iranian activity, particularly the use of voter registration data to send threatening and fake emails, suggests that while Iran has been blamed for carrying out multiple cyberattacks, Iranian cyber capabilities are still evolving and not large-scale, especially overseas can orchestrate. Multi-vector attack on voting machines. Iranian efforts instead focus primarily on online disinformation and propaganda, as well as cyber espionage operations, such as attempting to identify and attack a US presidential campaign, government officials and journalists, or targeting organizations critical to the democratic process, including non-governmental organizations (NGOs) and think tanks working with candidates and political parties.

In contrast to the use of traditional military force, the goal of cyber attacks is not destruction but disruption. According to the Estonian Foreign Intelligence Service, Russia's goal in the elections in the US and other Western countries is to achieve a more favorable outcome by favoring Russian-friendly candidates, to show that the West does not hold fair elections, and to support its rhetoric of Western double standards . In the US elections in 2016, Russia mainly used disinformation to undermine public confidence in the democratic process and to “sow” the division among US citizens. His efforts (like those of others) were successful. While American confidence in elections has worsened since 2012, it bottomed out in 2016 after Russia interfered in the elections. Today, 59 percent of voters say they don't trust the honesty of the country's elections.

However, Russian hacking has moved from the “cognitive level: propaganda, doxing, influencing operations” to a “tactical, technical level” targeting civil and military infrastructures, especially after Ukraine became the main test site of Russia. "Information troops" and APT groups are central components of the Russian toolkit for cyber information operations (IO). According to the report by the US Senate Intelligence Committee on Campaigns for Active Action in Russia, the most prominent Russian cyber efforts have targeted the US and its allies online and through social media to undermine trust in authorities, spread disinformation and data manipulate to influence elections. Technical indicators like RAM scrapers to bypass encryption, spear phishing campaigns with third parties hiding behind fake online personas, and other advanced malware toolkits and frameworks like the costly NotPetya attack suggest that the Russian government is invested significant resources in building large numbers of cyber espionage capabilities and unique operational security concepts that could be used to attack the 2020 US elections.

While no votes were changed in voting machines in 2016, Russian hackers were able to compromise votes and voter data in all 50 states. Russia's cyber prowess and Putin's support for the "patriotic hackers (who) do their part in the fight against those who speak ill of Russia" have encouraged hacktivists (a portmanteau of hack and activism) to continue cyberattacks without penalties and some at the same time Level of plausible denial to the Russian government.

While Russia's cyber capabilities are not comparable to the US, experts claim that their offensive capabilities will replace those of China and Iran and go ahead until election day, Russia is apparently using a variety of cyber techniques to influence the 2020 elections. It is only in the past three months that Russian military intelligence has tried not to hack into campaign workers, advisors, and think tank computers, and more recently Russia has been receiving and using voter registration data in addition to Iran to intimidate and influence voters. In mid-October, Microsoft and the US Cyber ​​Command launched a series of covert preemptive strikes against Russian hackers to prevent TrickBot, a vast network of infected computers also known as a botnet, from being used for voting infrastructure. If TrickBot is successfully deployed, even if no votes are changed or data is destroyed, the malware's disruption would be enough to add to pre-existing doubts about the integrity and validity of the election results. The preventive cyber operation on TrickBot shows that all actors in the public and private sector need to coordinate and identify the main risks in order to prevent nation-state actors like Russia from disrupting and undermining the democratic process.

The large electoral infrastructure includes everything from storage facilities to polling stations to centralized voting locations used in the electoral process. It also includes ICT for voter registration databases, voting machines, and other systems for managing the voting process, reporting and displaying results on behalf of states and local authorities. In particular, the infrastructure used by political campaigns is not taken into account. The DHS has no regulatory authority for federal elections, but takes the lead in coordinating federal support for election campaign and election security through the Agency for Cybersecurity and Infrastructure Security (CISA), a subdivision within the DHS that is responsible for securing critical infrastructures and federal networks is. Crucially, however, the agency has limited capacity to monitor or enforce cybersecurity protocols at the state or local level. States and municipalities are responsible for their own electoral security decisions and can accept the support of the federal government. In other words, the DHS recommends guidelines and best practices on election security, and the Election Assistance Commission (EAC) provides guidance on security issues that states and local counties do not need to follow.

To make matters worse, the US electoral system is highly decentralized and 8,000 jurisdictions nationwide are responsible for election administration. Combined with limited federal enforcement mechanisms, different security protocols, audits, purchasing and managing voting machines across the country increase the threat and the likelihood of attack. For example, in 2016, the DHS and IC found that malicious actors had scanned and investigated states' election-related systems through servers of a Russian company that state and local election officials were unaware of. U.S. Senator Ron Wyden also claims that the various state and local cybersecurity protocols and standards hamper the ability of the FBI, DHS, and IC to assess whether, or to what extent, U.S. electoral systems have been compromised and therefore appropriate Measures should be taken to improve the resilience of the electoral system. Conversely, analysts and experts claim that the decentralized nature of the US system is its most powerful asset. The multitude of technologies and protocols has a deterrent effect on potential cyberattacks as actors have to conduct multiple reconnaissance operations to learn each system, identify vulnerabilities, and coordinate multiple attack vectors to coordinate a large-scale cyber operation on each individual system.

Three privately held companies, Election Systems & Software ("ES & S"), Dominion Voting Systems ("Dominion"), and Hart InterCivic ("Hart"), manufacture and manage the vast majority of electronic voting machines in the United States. They control 84.08 percent of all eligible voters. ES&S is the largest provider, holding 37.97 percent of the market share and serving more than 90.31 million registered voters. Followed by Dominion, which controls 35.14 percent by district, and Hart with 10.97 percent by district.


The map only shows market shares at the district level and not at the sub-district level.
Click here for more details.

The 2020 market share reflects the standard equipment used in polling stations in the US on election day, and is mainly focused on ES&S, Dominion and Hart InterCivic. All three companies manufacture bespoke devices and own the IP for their manufactured technology and, in select cases, the IP of the technology they acquired, which is reflected in their respective names. For example, Premier Election Solutions (formerly Diebold Election Systems) was acquired by Dominion in 2010 and Dominion has owned the IP for both companies ever since.

The areas highlighted in gray include the smaller manufacturers of voting devices Clear Ballot, Danaher, Microvote, Smartmatic / Los Angeles County, PopulexSlate and Unisyn Voting Solution.

Less than 1 percent of registered voters live in jurisdictions where paper votes are counted by hand. Because of this, all counties that are hand-counted have been assigned to the manufacturer of the accessible equipment (as in most cases) or the standard equipment used in other parishes in the same county. Hand-counted paper votes or hand-counting are shown in Figure 3 as a method of voting.

Please also note that the data used include counties, cities, municipalities and districts. For the sake of simplicity, however, the map only shows market shares at district level and not at sub-district level. Depending on the county, other levels of government can decide which manufacturer to use regardless of what the county does. For example, Bloomington, Illinois (city) uses standard ES&S technology, but the county it is located in (McLean County, Illinois) uses standard Dominion technology. This is particularly true of Massachusetts and some Wisconsin counties where certain cities in the same county use different manufacturers. All of the counties in Massachusetts have been assigned to Dominion, but it's worth noting that 44 cities also use ES&S DS200, and each city uses ES&S AutoARK BMDs for accessibility.

Unlike other critical infrastructures such as defense, nuclear, and energy, electronic voting machine manufacturers are not subject to oversight. Beyond the certification of the EAC voting system, no laws stipulate that states must continuously implement cybersecurity standards in their systems and protocols. Manufacturers are not required to disclose violations or test and review voting systems with third parties, review employee backgrounds, fix security loopholes, report foreign ownership, disclose information about financial transactions or company property, and are not open to review by contractors and subcontractors in their supply chains to DHS or EAC.

In addition, the EAC's certification program does not have an enforcement mechanism and the commission is not responsible for nationwide oversight of election vendors. Machines are only tested if they are new, have never received certification, have been modified or if the manufacturer wants to be certified to a higher standard. Without adequate monitoring to ensure the integrity of voting machines, manufacturers are unlikely to implement the same security protocols in voting machines or to accurately report when security measures fail.

Global supply chain risks are significant

Not only is the US election infrastructure vulnerable to malicious attacks, but faulty or malicious operational parts can lead to system failure. Voting machines contain components manufactured abroad, with 59 percent of suppliers based in China and Russia. This harbors risks for the supply chain, as foreign business processes are not subject to federal supervision. Components may not have modern cybersecurity protections, outdated malware detection software may not be able to detect and remove threats, and replacement parts may not be available. Security gaps in supply chains can enable data theft and hardware exploitation that lead to a system or network failure. If the hardware has a vulnerability, hackers can always exploit it unless the devices are disassembled and parts are replaced.

In response to supply chain concerns raised by Congress and Interos, a global supply chain risk management company, voting machine manufacturers issued a joint industry statement in January 2020 highlighting best practices to ensure the sanctity of American voting, including Routine system reviews and review by all levels of government and establishing an appropriate level of security for supply chains in their terms and conditions. In particular, manufacturers note that Interos 'analysis relies on suppliers' corporate locations to determine whether components are made overseas rather than subsidiaries. Weak points in the supply chain are not really taken into account.

While voting machine manufacturers have made some efforts, the voluntary security measures they have taken (e.g. training seminars, two-factor authentication, encryption, etc.) are still insufficient. First, the existing cybersecurity standards of the electoral system derive from a traditional threat model that focuses on potential election fraud by election officials or election officials. Current standards do not take into account nation-state opponents who can perform advanced operations against the voting system supply chain and the devices themselves.

Second, the lack of transparency in supply chains and operational logs makes it unclear to what extent third parties organize and manage the technological tools for elections before voters cast their votes. During an election, a county or state may hire a third party to be responsible for providing the online tools, voting equipment, certification, census and monitoring of the election process. Often these third party companies own and maintain the voting devices and rent them out to customers if necessary. While some states and municipalities have voting machines, more research and monitoring needs to be done to better understand the role of third parties in the electoral process.

Third, local electoral officials lack the basic cybersecurity knowledge to identify and mitigate risks to the infrastructure and operation of electoral systems. For example, Maryland's voting system provider ByteGrid LLC was bought in 2015 by AltPoint Capital Partners, whose fund manager was tied to a Russian oligarch. Prior to the 2016 election, DHS noticed suspicious online activity in Maryland's electoral systems, but election officials were unaware of the purchase or the cyber activity until the FBI notified them in 2018. While there is no evidence to suggest that voting or data systems have been compromised, that does not mean that no wrongdoing has occurred.

Election officials are not required to attend cybersecurity training unless required by their state or local jurisdiction and they are largely unable to identify cyberattacks. Only 28 percent of elected officials have basic controls in place to prevent phishing, and some election officials (5 percent) use personal email or technology that is less secure than government email and devices. This makes them very susceptible to falling victim to malicious cyber campaigns, especially since 90 percent of all data loss is due to human error, usually through phishing or social engineering. Given the highly unregulated nature of the voting machine technology market and the poor cybersecurity practices of manufacturers and election officials, experts believe that foreign opponents will investigate the weaknesses in the supply chain in order to damage the US electoral infrastructure.

Market concentration to limit cyber and security-related innovations

The voting machine market also suffers from limited competition that hinders innovation. State and local electoral bodies primarily use direct recording electronic (DRE) voting machines, optical scanning ballot readers, and ballot marketing devices (BMDs) to conduct voting processes. Companies tend to sell products as a package with hardware, software, services and support that are offered together, leaving little room for others to enter the market. The barriers to entry for potential newcomers are also high. Manufacturers can take up to two years to register with the EAC, and companies must meet state and county certification and registration requirements, which can cost an average of $ 2 million per certification for each voting system.

State and local jurisdictions add to this market concentration by establishing routine purchasing procedures with a single vendor. Buyers are looking to companies that have already met state and local requirements and typically sign long-term contracts with a term of at least 10 years. The voting machines cannot work with other companies' systems, which makes it difficult to replace a part with another vendor without replacing the entire system. Aufgrund dieser Konzentration verlassen sich Staaten weiterhin auf denselben Hersteller, auch wenn eine Wahlmaschine nicht zuverlässig oder konstant arbeitet, da sie an langfristige Verträge gebunden sind, die sie dazu verpflichten, eine Reihe verwandter Geräte und Lieferungen von demselben Unternehmen zu kaufen . Angesichts der hohen Markteintrittskosten, des gesättigten Marktes und der begrenzten Marktchancen zieht der Markt für Wahlmaschinen keine wesentlichen Investitionen des Privatsektors an, und die erforderlichen Sicherheitsvorkehrungen werden nicht entwickelt und installiert.

Nach den Berichten des US-Senatsausschusses für Geheimdienste über die russischen Bemühungen, sich 2016 an Wahlen zu beteiligen, begannen Staaten und lokale Gerichtsbarkeiten, ihre Systeme zu verbessern und auf handmarkierte Papierstimmen umzusteigen. 71 Prozent der Staaten, die ihre Abstimmungssysteme ersetzen und aufrüsten wollten, konnten dies jedoch nicht, da sie nicht über die 200 bis 400 Millionen US-Dollar pro elektronischem Abstimmungsgerät verfügten. Noch heute haben neun Bundesstaaten papierlose DRE-Systeme, wobei New Jersey, Tennessee, Mississippi und Louisiana über papierlose Maschinen verfügen, die mehr als die Hälfte ihrer Wahllokalausrüstung ausmachen. Auf einer papierlosen Maschine kann die Manipulation spurlos erfolgen, da es keine Möglichkeit gibt, die Integrität der Wahlergebnisse zu überprüfen oder einen Papierstimmzettel oder eine Quittung vorzulegen.

Andere Gerichtsbarkeiten, die ihre Systeme aufrüsten konnten, entschieden sich für Stimmzettelgeräte (BMDs) als primäre Abstimmungsmethode für alle Wähler. Im Gegensatz zu handmarkierten Papierstimmen (die sicherste Abstimmungsmethode) sind BMDs langsam und häufig die Ursache für lange Warteschlangen bei Abstimmungen. Es druckt eine Wahlzusammenfassungskarte aus, die zwei separate Aufzeichnungen über die Absicht der Wähler enthält, eine als Aufzeichnung im Klartext und die andere als Barcode oder QR-Code. Wenn die Karte gescannt wird, liest der Scanner nur den Barcode, der vom Wähler oder Wahlhelfer nicht überprüft oder verstanden werden kann. Aus diesem Grund warnen Experten, dass ein gehackter, falsch programmierter oder falsch konfigurierter BMD Stimmen falsch aufzeichnen könnte. Wenn der Stimmzettel wie erwartet lautet, kann niemand den Fehler bemerken. Tatsächlich erkennen 93 Prozent der Wähler keine BMD-Fehler auf Ausdrucken, wenn sie auftreten, und einige Bezirke können BMDs so konfigurieren, dass sie automatisch gegossen werden, sodass die Wähler nicht einmal die Möglichkeit haben, den gedruckten Stimmzettel zu überprüfen.

Heute werden 17,48 Prozent oder mehr als 36,15 Millionen registrierte Wähler BMDs in 12 Bundesstaaten verwenden, wobei Arkansas, Georgia, South Carolina, Texas und West Virginia mehr als die Hälfte ihrer Bezirke bei allen Abstimmungen auf BMDs angewiesen sind. In Pennsylvania meldeten 40 Prozent der Wahllokale im Jahr 2019 Störungen bei den BMDs von ES & S, bei denen die Stimmen falsch erfasst wurden, und zwangen einen Landkreis, die Belege aus dem Sicherungspapier zu zählen, um die richtigen Gewinner zu ermitteln. Noch besorgniserregender ist, dass die Hersteller die Verwendung von BMDs für alle Wähler fördern, insbesondere für BMDs-Hybride, die mit einem Tabulator und / oder Scanner kombiniert werden. Die Forscher fanden heraus, dass Hybriden nach der Abgabe gefälschter Stimmen zum Stimmzettel hinzufügen könnten, sodass bei manuellen Prüfungen unzulässige Quittungen genehmigt würden.

Obwohl der Kongress 425 Millionen US-Dollar für Wahlverbesserungen für das Geschäftsjahr 2020 bereitstellte, reichte dies nicht aus. In den nächsten zwei bis fünf Jahren wird es 735 Millionen US-Dollar kosten, alle Geräte auf die aktuellen Cybersicherheitsstandards aufzurüsten, und 833 Millionen US-Dollar für zusätzliche Unterstützung bei der Cybersicherheit bei staatlichen und lokalen Wahlen. Staaten und Kommunen argumentieren, dass die Bundesregierung angesichts des internationalen Charakters potenzieller ausländischer Einmischung die Verantwortung hat, Mittel für den Ersatz von Wahlgeräten bereitzustellen. Der Kongress ist jedoch der Ansicht, dass die Regierung eine Praxis, die in staatlicher und lokaler Verantwortung liegt, nicht „föderalisieren“ sollte. Im Jahr 2019 stellten einige Staaten landesweit bis zu 150 Millionen US-Dollar für den Austausch von Wahlgeräten zur Verfügung. Der Prozess für den Austausch der Maschinen soll sich jedoch über die nächsten Jahre erstrecken. Andere Staaten haben den Entscheidungsprozess in die örtlichen Gerichtsbarkeiten verbannt, in denen über einige Jahre hinweg Mittel aufgebaut werden müssen, um größere Einkäufe zu tätigen.


Handmarkierte Papierstimmen, BMDs für Barrierefreiheit
Handmarkierte Papierstimmen, DREs für die Zugänglichkeit mit VVPAT
Handmarkierte Papierstimmen, DREs für die Zugänglichkeit ohne VVPAT
Stimmzettel für alle Wähler

DREs mit VVPAT für alle Wähler
DREs ohne VVPAT für alle Wähler

Daten zur Abstimmungstechnologie für 2020 in acht Bundesstaaten mit DRE-Abstimmungsgeräten, die keinen Voter Verified Paper Audit Trail (VVPAT) bieten


Obwohl Infrastrukturverbesserungen erforderlich sind, ist kein Computer hackersicher, selbst wenn Hardware- und Softwarekomponenten aktualisiert werden. Voting machines can be remotely hacked within 24 hours, but it can take a year or more and on average $8.64 million to identify a data breach, remove it, and contain damages. Simply segmenting a system from the ICT environment is not enough to stop malicious actors. Although a network layer can be “air-gapped,” that layer is the only one protected from potential compromise, and malicious actors can find alternative pathways. For instance, servers operate on other connected systems such as those connected to buildings, and unless all systems and technological components are equally air-gapped, advanced hackers can find vulnerabilities and bypass encryption to enter a system. The most notable example of such a hack is Target’s data breach in 2013. Despite the cybersecurity measures Target had invested in, 40 million credit and debit card numbers, along with 70 million phone numbers, addresses, and other personal information were stolen through a third-party HVAC provider who was remotely connected to Target’s internal network. Because of these risks, select states have resorted to paper ballots to administer elections. But most states that use paper ballots do not require audits to paper records and lack security protections, making them extremely unsafe to use, especially in close elections.

Only 34 states and D.C. require traditional post-election audits to provide high levels of confidence in the accuracy of the final vote tally and Colorado, Rhode Island, Virginia, and Nevada (which pilots statewide in 2020, all counties in 2022) are the only states with laws requiring “risk limiting audits” in their security protocol. Poor cybersecurity policies and practices are likely because of limited resources, lack of expertise and resources available to elected officials understand and identify cyberattacks, and a reluctance to adopt stricter security protocols because added computations slow down systems or make them harder to use.

DS-200 optical scanners used to count the votes of Fairfax County primary voters are seen in Centreville, Virginia, on March 1, 2016, during Super Tuesday primary voting.
PAUL J. RICHARDS/AFP via Getty Images

Despite security concerns and funding constraints, states have invested in enabling remote internet voting in place of paper-based systems to increase voter turnout and serve as an alternative to in-person voting amid COVID-19. Although internet voting may appeal to voters, no internet voting system is secure or reliable enough to use in elections. West Virginia, Denver, and Utah County offer online app-based voting using blockchain technology called Voatz for military and civilians overseas. However, Voatz’s blockchain technology offers no security, relying on HTTPS connection to transfer votes to the server. Assessments of the technology have found that hackers can access voters’ personal identification information and IP address, and change vote tallies. Compounding the risks, hackers could learn rough troop movements from military service personnel who use it.

Other states have connected machines to the internet to ease ballot counting and share results faster. Michigan, for instance, invested $82 million to install wireless modems in their machines. While enabling speed, internet connection also makes machines susceptible to remote malicious attacks, particularly “denial-of-service” (DoS) attacks. Hart, ES&S, and Dominion all have modems in some of their tabulators and scanners, which enable the devices to connect to cellphone networks and the internet. Currently, ES&S’s DS200 voting machine with optional wireless modems connected by AT&T, Sprint, and Verizon, face potential consequences from the EAC for inaccurately presenting its wirelessly technology as EAC certified. Manufacturers claim firewalls protect systems and the machines are not connected to the “public internet,” but no network is completely segregated. A completely isolated system would exclude software and certification updates and restrict file uploads.

To meet the highest standards of election integrity, either a system—at a minimum—must not be connected to the internet or the system must have end-to-end verifiability (e2e-v). This latter security measure is unlikely to be implemented by many localities because it will raise the cost of each machine and will stretch already limited resources. Today, Estonia is the only known nationwide internet-based voting system being used by a democratic country.

Despite recent headlines, foreign interference in elections is not a new phenomenon. From spreading online disinformation campaigns to infiltrating political organizations to channeling political money to support preferred candidates, for decades countries have been battling foreign actors who seek to politically influence governments to their favor. The Russian meddling in the 2016 U.S. elections simply brought to the American public’s attention the significance and magnitude to which adversaries could operate beyond their borders. Lessons can be learned from past foreign election interference and help inform a more coherent and robust U.S. cyberstrategy going forward.

In 2014, before the presidential election, CyberBerkut—a group of Russian state-sponsored hackers that support Russia’s military operations—infiltrated Ukraine’s central election computers and deleted files to render vote-tallying systems inoperable. The group later posted that they “completely destroyed the network and computer infrastructure of the Central Election Commission (CEC)” and shared emails and documents as proof. While government officials were able to repair the system, before election results were revealed, experts discovered malicious software that would have shown a false announcement that pro-Russian candidate Dmytro Yarosh as the winner (who in fact only received 1 percent of the vote) and Petro Poroshenko as the loser (who received the majority at 54.7 percent). The Organization for Security and Co-operation in Europe’s Office for Democratic Institutions and Human Rights (OSCE/ODIHR) found the hackers disrupted election material receipt and processing, preventing District Election Commissions (DECs) from sharing results with the CEC.

Russia considers Ukraine to be part of its territory and a strategic asset against the West. Apart from Russian claims to cultural ties, Ukraine is strategically and commercially vital to Russia given that Ukraine is the main conduit of Russian natural gas, with almost two-fifths of all gas that services western and eastern Europe travels through Ukrainian pipes. Ukraine’s warm-water ports are also home to Russia’s Black Sea fleet.

The Ukrainian presidential election followed the 2014 Ukrainian Revolution that ousted the Russia-backed president, Viktor Yanukovych, and prompted Russia’s annexation of Crimea. The main candidates at the time made their opposition to Russia a core part of their platform and conducting a successful and legitimate election was critical for Ukraine to demonstrate its potential to integrate into the EU and NATO. According to a range of regional experts, election interference was key to Russia’s strategy to undermining these candidates, and their objectives.

Although Yarosh was not elected president, Russia’s cyberattacks on Ukrainian election ICT infrastructure helped contribute to the public’s lack of confidence in the integrity of the electoral process (26 percent). In response, the CEC implemented operational upgrades and policies to secure the 2019 presidential election, including:

Modernized information security systems.
Segmented office network and critical networks.
Upgraded critical network and information security equipment (such as firewalls, proxy, and SIEM).
Replaced systems’ major hardware and software components.

In 2016, the Ukrainian government issued a national cybersecurity strategy to “create conditions for the safe functioning of cyberspace, application of cyberspace, to benefit of individuals, society, and (Ukraine).” After repeated cyber intrusions to industrial and information systems, Ukraine also passed several laws on cybersecurity; specifically, it upgraded its Law on the Protection of Information in Information and Telecommunication Systems (1994) with the most recent amendment in 2020 requiring all “state information resources” to be processed in a “comprehensive system of information protection” (CSIP).

Key Lessons Learned:

No silver bullet can preserve election integrity, but decision-makers must identify what attackers are likely seeking in their systems and have a uniformed approach by all stakeholders to secure systems.

Increasing funding and upgrading operational systems are not enough. Protecting the democratic process is not only a technical issue; it relies on the confidence of the voters that their ballots process correctly and that the elections are open, free, and fair based on a secret ballot. Legislation and budget appropriation must reflect these values while also having practical and enforceable measures such as mandating basic cyber hygiene behavior to mitigate human error.

Vigilant network monitoring can help administrators detect and respond to malicious attacks. The Ukrainian case study highlights the urgent need for elected officials and poll workers to undergo basic cybersecurity training to identify suspicious activity from the time polling places open to when results are verified and revealed.

Digital systems are an integral part of Estonian society and its economy and have been for some time. Ninety-nine percent of public services, including elections, are available online, with marriages, divorces, and real estate transactions as the only services unavailable digitally. In 2005, Estonia was the first country in the world to use internet voting (i-Voting) as an alternative to in-person voting for its national elections and was the first in 2007 to use i-Voting for its parliamentary elections. Recognized for its sophisticated cyber defenses, particularly against politically motivated hacking and disinformation by Russian malicious actors, the Estonian i-Voting model is often thought as a protype for successful online voting.

In the March 2019 parliamentary elections, 44 percent, or 247,232, of total votes were cast online. Using an ID-card or Mobile-ID, voters logged into the i-Voting system via computer to cast their ballot during a designated voting period. Individuals could change their vote any time during this voting period. Once a vote was made, the name was removed from the ballot and sent to the National Election Commission for counting. Digital signatures authorized votes, encryption secured voting, and blockchain enabled data integrity for non-repudiation.

While exceptionally advanced, the Estonia i-Voting model, as with any technology, is not completely secure. Key vulnerabilities include inadequate procedural controls, use of unsecure HTTP connection when setting up the platform, lack of security personnel to monitor site and hardware, poor cyber hygiene by operators (e.g. using personal devices to backup data), and no audit trails. Although no known instances of foreign hacking into Estonia’s online voting platform were reported, experts warn that online elections are largely “an academic research project,” that still poses significant security risks. I-Voting proponents, however, contest that internet voting mitigates risks because just one software needs managing, while voting machines require multiple pieces of software that no single entity can carefully oversee.

Key Lessons Learned:

It’s a myth that election infrastructure can be completely secure. Policies must balance accessibility and security, with ongoing training and monitoring necessary to target breaches early and manage outcomes. The inherent tension between elections and cybersecurity presents a number of challenges. Elections are principled on being open, free, and fair, and based on a secret ballot, whereas cybersecurity necessitates protecting data and information from unauthorized parties, ensuring the data is reliable and accurate, and only authorizing users to systems and resources they need.

This tension results in an inability to verify votes because once a ballot is cast, the identity of the voter is removed, thereby leaving no way for election officials to trace the ballot back to a legitimate voter. In Estonia’s case, to increase transparency in the i-Voting process, Estonia published the server software code for public reference, use, and recommendations on how to improve security. But allowing public access to this code provides bad actors with the tools and information they need to identify loopholes and weaknesses. Stakeholders must recognize that during the election process, there is a trade-off between security and accessibility, and as the 2016 elections have shown us with Russian probing in voting machines, not disclosing the weaknesses in our security posture doesn’t make systems more secure. The US election system lacks transparency during the formulation and execution of the security process, and it’s leaving CI more vulnerable because of it. Known vulnerabilities must be shared with the public and appropriately managed. As the Ukrainian case study demonstrated, stakeholders must identify likely targets and input security protocols protecting processes and information to mitigate the risks.

Education is critical to building public trust in the security of ubiquitous technology. At the time online voting was introduced to Estonia, only 2 percent of the population cast their vote through the system. Over the past 15 years, consistent security testing, monitoring, scrutiny, and improvements to the system as well as ongoing educational campaigns to inform the public about the technology has increased public trust in the system. The key lesson for the U.S. and other countries is that modernizing and digitizing the election process cannot happen overnight and requires long-term commitment both in terms of ongoing technological development and effective educational campaigns.

Cybersecurity relies on individual responsibility and behavior. While it is important for citizens to know the security measures that are in place to protect the election process, it is equally as important for voters to understand the failures of cybersecurity protocols so that they are empowered to make informed decisions while also remaining vigilant for untoward activity.

A fundamental link exists between the trust in election infrastructure and confidence in a fair democratic process. Russia will likely continue to target U.S. voting machines given Russia’s recent cyberattacks as well as political motivation to weaken U.S. institutions and erode public trust. A more secure and resilient electoral process is vital to safeguarding U.S. national interests against Russia, or any bad actor—foreign or domestic.

While there has been some progress in securing voting systems in the U.S., the approach has not been uniformed or evenly applied across all 50 states. Many local jurisdictions procure their own election technology and are responsible for inventorying, securing, and training staff on those technologies. Resources vary across the country with some precincts relying on IT personnel, technology providers, or external agencies to secure their election infrastructure. Lawmakers and election officials have yet to understand the technical requirements to implement and maintain a secure voting machine. Although the federal government provides some guidance, cybersecurity protocols such as user digital hygiene, use of malware detection software, and cybersecurity certifications are not a mandated national practice and need both greater attention and coordinated investment.

There is also a lack of political will to develop and implement a coordinated response. Before the 2016 elections, President Obama was reportedly aware of Russian efforts to interfere in the U.S. election and warned President Putin that the law for armed conflict applies to actions in cyberspace, particularly election interference. However, Russia continued to infiltrate U.S. election infrastructure, and no known actions were taken by the U.S. The current administration demonstrates further unwillingness to respond to Russian election meddling. President Trump has accepted Putin’s denial regarding interference in the 2016 elections and has consistently dismissed Congress’ and the intelligence community’s findings related to Russian election interference. While U.S. sanctions may harm specific Russians hackers, they have not deterred Russia from continuing its cyber operations as recent efforts have demonstrated with its intention to continuously interfere in the presidential race in its final days or immediately after the Nov. 3 elections.

Looking beyond 2020, a number of measures could materially strengthen election integrity and critical infrastructure security more broadly. Adherence to all DHS election infrastructure recommendations and adoption of cybersecurity best practices by election officials and employees, including post-election audits to ensure voting integrity, would help harmonize protocols and minimize risks associated with the decentralized voting system. Expansion of the Help America Vote Act (HAVA) to include base level cybersecurity standards for all state voting sites would also help to harmonize approaches and close existing security gaps. DHS and the EAC can continue to provide the technical expertise and facilitate private-public sector partnerships to ensure that security is built into the system at the component level. The creation of incentives for vendors to incorporate robust security systems in future machine designs could also reduce the use of patches and ad hoc, reactive security measures. Moreover, decision-makers must also remain proactive and design legislation and policies to rapidly address ever-evolving cyber threats. The recently updated Defending the Integrity of the Voting Systems Act that now designates foreign and domestic hacking a federal crime is a step in the right direction, but more work must be done to develop a comprehensive robust cybersecurity policy response.

The EAC should also routinely test all machines and issue a cybersecurity certification that the machines are up to date with the latest security protections. Cybersecurity certifications are not new and have been used by the U.S. Department of Defense (DOD) for defense acquisition and sustainment. These initiatives could be funded through a reallocation of the U.S. federal discretionary budget, specifically the DOD’s current budget—because it is the largest cybersecurity budget among federal agencies—and increase DHS’ funding from its current $1.7 billion allowance.

Finally, further research not only in election infrastructure but other sectors is needed to closely examine supply chains and identify what risks could be exploited by adversaries in U.S. critical infrastructure. From food and agriculture to transportation, impacts to critical infrastructure by way of cyberattacks can have a debilitating effect on physical and economic security as well as public health and safety. Having a comprehensive understanding of all the risks to our systems will strengthen U.S. and other nations’ resiliency and mitigate risks to critical networks.

While such investments won’t occur before this election, voters can take key actions to help preserve election integrity:

Before going to cast your vote, contact your election boards or your local election board websites and learn about what types of voting machines you’ll be using, what cybersecurity protocols are in place, and who is administering the election process in your locality.

If you are able to get a receipt of your vote do two things:

Read to make sure your vote was cast correctly (60% of voters don’t check their ballots after they cast them)

Keep your receipt; this is a verifiable paper trail to prove your vote was cast and keep it for your personal records.

Volunteer as a pollster. Because of COVID-19, the U.S. has a shortage of pollsters and volunteers. If you’re willing and able, do your part in ensuring the integrity of elections by helping process votes and educating voters on what they should know.

Be informed:

Check the credibility of the sources you are reading.

Read more than one source.

If an article cites a government document, take time to read it yourself. Get an unfiltered understanding of the document and issues at hand.

Take follow-up steps:

Write down what the voting experience was like. What did you like about it? What didn’t you like about it? Contact your local election boards, state, and federal representatives, and share this with them.

If your state does not have hand ballots or receipts, call or write to your representatives recommending concrete changes in how votes are cast in your area, which could include:

Increasing funding for voting machine upgrades;

Removing technology with access to internet;

Requesting better cybersecurity training courses.

In general, practice cyber hygiene: Voting machines are one part of the larger cyber ecosystem that can affect our elections. Seemingly disparate internet sources (such as social media and email) can allow hackers to abuse your data and access critical networks and information.

Don’t use the same password for everything.

Change your password routinely.

Use alphanumerical passwords with symbols.

Elections are fundamental to democracy and more work needs to be done to strengthen election integrity and security. As the world becomes more digitally interconnected and technology continues to rapidly evolve, all levels of government, the private sector, and the general public must be vigilant and proactive in protecting this and other critical infrastructure underpinning society.

Written by Helen You. Edited by Allison Carlson. Copyedited by Bernadette Kinlaw. Development by Catherine Snow. Art direction by Lori Kelley. Local voting data provided by Verified Voting.


A Democratic Staff Report Prepared for the use of the Committee on Foreign Relations United States Senate China and Digital Authoritarianism the New Big Brother. (2020).
A plan to reduce Europe’s dependence on Russian gas looks shaky. (2019, January 5). The Economist; The Economist.
Allen-Ebrahimian, B. (2020, January 10). China is meddling in Taiwan’s presidential election. Axios; Axios.
Appel, A. (2018, October 16). Design flaw in Dominion ImageCast Evolution voting machine.; Freedom to Tinker. (2020). Phishing Election Administrators. Americans for Cybersecurity.
Arkin, W. M., Dilanian, K., & McFadden, C. (2016, December 19). What Obama said to Putin on the Red Phone about the election hacks. NBC News; NBC News.
Baram, G. B., & Lim, K. (2020, June 5). Israel and Iran Just Showed Us the Future of Cyberwar with Their Unusual Attacks. Foreign Policy; Foreign Policy.
Barnes, J. E., Perlroth, N., & Sanger, D. E. (2020, October 22). Russia Poses Greater Election Threat Than Iran, Many U.S. Officials Say. The New York Times.
Barnes, J. E., Sanger, D. E., Bergman, R., & Jakes, L. (2020, September 21). As U.S. Increases Pressure, Iran Adheres to Toned-Down Approach. The New York Times.
Benaloh, J., Rivest, R., Ryan, P. Y. A., Stark, P., Teague, V., & Vora, P. (2016). End-to-end verifiability.
Bennett, C. (2014, November 2). States ditch electronic voting machines. TheHill; TheHill.
Bernhard, M., McDonald, A., Meng, H., Hwa, J., Bajaj, N., & Chang, K. (2020). Can Voters Detect Malicious Manipulation of Ballot Marking Devices? University of Michigan.
Bertrand, N. (2020, September 1). Trump blows past the intelligence to accuse China of backing Biden. POLITICO.
Bikus, Z. (2019, March 21). World-Low 9% of Ukrainians Confident in Government.; Gallup.
Bing, C. (2017, May 4). FBI director: If left unchecked, Russian hackers will change vote tallies in a future U.S. election. Cyberscoop.
Blaze, M. (2020). Matt Blaze Testimony Before the US House of Representatives Committee on House Administration Hearing on “2020 Election Security -Perspectives from Voting System Vendors and Experts.” U.S. House of Representatives,
Blaze, M., Braun, J., Hursti, H., Hall, J. L., MacAlpine, M., & Moss, J. (2017). DEFCON 25 Voting Machine Hacking Village Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure. In DEFCON. DEFCON.
Bloomberg Law. (2020, January 3). America Won’t Give Up Its Hackable Wireless Voting Machines.; Bloomberg Law.
Brandon, J. (2018, November 6). Voting machines can be hacked in two minutes, expert warns. Fox News; Fox News.
Burgess, M. (2020, October 7). Iran’s total internet shutdown is a blueprint for breaking the web. Wired UK.
Burt, T. (2019a, July 17). New cyberthreats require new ways to protect democracy. Microsoft.
Burt, T. (2019b, October 4). Recent cyberattacks require us all to be vigilant. Microsoft on the Issues.
Calamur, K. (2017, June 1). Putin Says, “Patriotic Hackers” May Have Targeted U.S. Election. The Atlantic; The Atlantic.
Cerulus, L. (2019, February 14). How Ukraine became a test bed for cyberweaponry. POLITICO; POLITICO.
Chalfant, M. (2017, February 22). Russia adds “information warfare” troops. TheHill; TheHill.
Chinese and Russian Influence in the Middle East. (2019, May 9). U.S. House of Representatives Committee on Foreign Affairs.
CISA. (2020a). Election Security Checklists Guides | CISA.; CISA.
CISA. (2020b, February 21). Election Infrastructure Security | CISA.
Clark, D., Berson, T., & Lin, H. (2014). At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. In The National Academies.
Clayton, M. (2014, June 17). Ukraine election narrowly avoided “wanton destruction” from hackers. The Christian Science Monitor; The Christian Science Monitor.
Cohen, I., & Ben Bassat, O. (2019, September 24). Mapping the connections inside Russia’s APT Ecosystem. Check Point Research; Check Point Research.
Collier, K. (2019, December 16). Congress to approve $425 million for election security upgrades. CNN; CNN.
Cordesman, A. H. (2019). USA und China: Die Wahl zwischen Konflikt und Kooperation. SIRIUS – Zeitschrift Für Strategische Analysen, 3(1), 80–83.
Costello, J., & Mcreynolds, J. (2018). China’s Strategic Support Force: A Force for a New Era CHINA STRATEGIC PERSPECTIVES 13.
Cyber Security Strategy Of Ukraine 1 General Provisions. (2016).
CyberBerkut announced the destruction of the electronic system of the CEC of Ukraine. (2014, May 24). Военное Обозрение; Military Review.
Defense Intelligence Agency. (2017). Russia Military Power: Building A Military to Support Great Power Aspirations. Committee to Excellence in Defense of the Nation; Defense Intelligence Agency.
Department of Homeland Security. (2020a). Homeland Threat Assessment.
Department of Homeland Security Office of the Inspector General. (2020b, September 8). Whistleblower Reprisal Complaint. United States House Permanent Select Committee on Intelligence.
Doffman, Z. (2019, August 8). Iranian Hackers Suspected Of Cyberattacks On Bahrain—A Warning Beyond The Gulf: Report. Forbes; Forbes.
EECS: Computer Science and Engineering. (2020, January 8). Not enough voters detecting ballot errors and potential hacks, study finds. Michigan Engineering; University of Michigan.
Election Systems & Software. (2020, January 9). Tom Burt – Hearing on “2020 Election Security – Perspectives from Voting System Vendors and Experts.” Election Systems & Software.
Elektroonilise hääletamise statistika. (2017, August 29). Valimised Eestis; Valimised Eestis.
Estonian Foreign Intelligence Service. (2020). International Security and Estonia 2020.
EU Project Countering Election-Related Cyber Threats and Disinformation Campaigns in Ukraine. (2020). Post-Election Assessment of the Cybersecurity Infrastructure and Interagency Cooperation in Ukraine with Related Recommendations. Estonian Center of Eastern Partnership; Estonian Center of Eastern Partnership.
Faith in Elections in Relatively Short Supply in U.S. (2020, February 13). Gallup.Com;
Favorito, G. (2019). Unresolved Security Threats for Ballot Marking Devices A general guide to BMD verifiability, auditability, privacy and preparation security threats. VoterGA.
Federal Bureau of Investigation. (2016). Targeting Activity Against State Board of Election Systems.
Florida Department of State. (2015). ES&S -EVS Release, Version 4(Revision 1) ~EVS Release, Version 4-Test Report Addendum~. Florida Department of State.
FocusEconomics. (2019). The World’s Largest Economies (2019-2023). FocusEconomics.
FP Analytics. (2020c, July 20). 5G Explained – The Competitive Landscape. Foreign Policy; Foreign Policy.
Galloway, L.-A. (2019, July 25). Forever Day: The Threat that Never Ends. Infosecurity Magazine.
Garrett, S., Eckman, S., & Shanton, K. (2020). Campaign and Election Security Policy: Overview and Recent Developments for Congress. Congressional Research Service.
Geers, K., & Kostyuk, N. (2018, November 5). Hackers are using malware to find vulnerabilities in U.S. swing states. Expect cyberattacks. The Washington Post.
Geller, E., Jin, B., Hermani, J., & Farrell, M. (2019, August 2). The scramble to secure America’s voting machines. POLITICO.
Giles, K. (2011, June 1). “Information Troops” – A Russian Cyber Command? IEEE Xplore; IEEE Xplore.
Giles, K. (2020). The Next Phase of Russian Information Warfare (by Keir Giles) | StratCom. Www.Stratcomcoe.Org; NATO Strategic Communications Centre of Excellence.
Gold, J. (2019, August 21). Estonia as an international cybersecurity leader. E-Estonia; e-estonia briefing centre.
Greenburg, A. (2017a, May 9). The NSA Confirms It: Russia Hacked French Election ‘Infrastructure.’ WIRED; WIRED.
Greenburg, A. (2017b, June 9). How Russia Hacks Elections in the US and Around the World. Wired; Wired.
Greenburg, A. (2018, August 22). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. WIRED; WIRED.
Harte, J. (2020, June 1). Exclusive: Philadelphia’s new voting machines under scrutiny in Tuesday’s elections. Reuters.
Hartig, H. (2020, August 18). 75% of Americans say it’s likely that Russia or other governments will try to influence 2020 election. Pew Research Center; Pew Research Center.
Help America Vote Act | U.S. Election Assistance Commission. (2020). Www.Eac.Gov.
Huntley, S. (2020, October 16). How we’re tackling evolving online threats. Google; Google.
Huseman, J. (2019, October 28). The Market for Voting Machines Is Broken. This Company Has Thrived in It. propublica; ProPublica.
IBM. (2019). Cost of a Data Breach Study. Ibm.Com; IBM.
If You See Something, Say Something. Report suspicious activity to local law enforcement or call 911. National Terrorism Advisory System Bulletin BE PREPARED. (2020). U.S. Department of Homeland Security.
Information Warfare Monitor Investigating a Cyber Espionage Network. (2009). Information Warfare Monitor.
Internet voting in Estonia. (2017, August 28). Elections in Estonia; Valimised.
Interos. (2019, December 16). Study of Widely Used Voting Machine Finds 1 In 5 Components from China-based Companies. GlobeNewswire Newsroom; Interos.
Iran-Based Threat Actor Exploits VPN Vulnerabilities. (2020, September 5).; CISA.
i-Voting — e-Estonia. (2017). E-Estonia; e-estonia briefing centre.
jkeroes. (2006). Security Analysis of the Diebold AccuVote-TS Voting Machine (YouTube Video). In YouTube.
Joint Industry Statement on Election Technology Supply Chain Security | Hart InterCivic. (2020). hart intercivic.
Kamarck, E. (2019, August 28). Trump’s hostility to election security preparedness. Brookings Institute; Brookings Institute.
Kirby, J. (2020, September 15). Are China and Iran meddling in US elections? It’s complicated. Vox; Vox.
Kolasky, R. (2019). Public-Private Initiatives to Secure the Supply Chain BEFORE THE UNITED STATES HOUSE OF REPRESENTATIVES COMMITTEE ON HOMELAND SECURITY. U.S. House of Representatives.
Kotliarov, A.-Y., & Tsyba, S. (2020, June 12). Deregulative changes in information security in Ukraine | Lexology.; Lexology.
Lee, N. (2020, September 23). Here’s why most Americans are not able to vote online in 2020. CNBC; CNBC.
Lewis, J. A. (2019, June 19). Iran and Cyber Power. Csis.Org; Center for Strategic and International Studies.
Lopez, C. T. (2020, January 31). DOD to Require Cybersecurity Certification in Some Contract Bids. U.S. Department of Defense; U.S. Department of Defense.
Lynch, D. (2019, June). Checking the Election: Risk-Limiting Audits. National Conference of State Legislatures; National Conference of State Legislatures.
MacMillan, H. (2018). Shifting Left: Secure Systems Engineering. United States Cybersecurity Magazine; United States Cybersecurity Magazine.
Mankoff, J. (2009, March). Russian Foreign Policy. Council on Foreign Relations.
Mathis, J. (2020). Julie Mathis, Statement before the U.S. Committee on House Administration for a hearing on “2020 Election Security: Perspectives from Voting System Vendors and Experts". U.S. House of Representatives.

McCadney, A. C., Norden, L., & Howard, E. (2019, September 13). Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary. Brennan Center for Justice.
McCarthy, N. (2014, July 13). The Average Cost Of A Data Breach Is Highest In The U.S. (Infographic). Forbes; Forbes.
McManus, D., Hogan, P., Cogan, M., Funn, M., Howells, K., Administrator, L., & Charlson, N. (2018). Maryland State Board of Elections.
Michel, C. (2019, October 26). Russia’s Long and Mostly Unsuccessful History of Election Interference. POLITICO Magazine; POLITICO.
Munoz, M. (2015, September 21). Cyber Security Case Study: Target Data Breach.; Cupertino Electric Inc.
National Conference of State Legislatures. (2019, October 25). Post-Election Audits. National Conference of State Legislatures; National Conference of State Legislatures.
National Conference of State Legislatures. (2020, February 28). Funding Elections Technology. National Conference of State Legislatures; National Conference of State Legislatures.
National Counterintelligence and Security Center. (n.d.). Foreign Threats to U.S. Elections Election Security Information Needs.
National Cybersecurity Center. (2019). The Denver Mobile Voting Pilot: A Report. National Cybersecurity Center.
NIS Cooperation Group. (2018). Compendium on Cyber Security of Election Technology CG Publication 03/2018 NIS Cooperation Group. NIS Cooperation Group.
Norden, L., & Cortes, E. (2019, August 15). What Does Election Security Cost? Brennan Center for Justice; Brennan Center for Justice.
Norden, L., Ramachandran, G., & Deluzio, C. (2019, December 11). A Framework for Election Vendor Oversight. Brennan Center for Justice; Brennan Center for Justice.
O’brien, C. (2018, July 18). FBI director: Russia ‘continues to engage in malign influence operations’ against U.S. POLITICO; POLITICO.
O’Connor, T. (2019, December 17). How the top powers U.S., Russia, China compare with other militaries during the past decade. Newsweek.
On the Protection of Information Stored in Information and Telecommunication Systems | Centre for Democracy and Rule of Law. (2005, June 12). Centre for Democracy and Rule of Law.
OSCE. (2014). Office for Democratic Institutions and Human Rights UKRAINE EARLY PRESIDENTIAL ELECTION OSCE/ODIHR Election Observation Mission Final Report. OSCE.
Otto, G. (2019, April 24). Are election tech vendors making the right cybersecurity moves? cyberscoop; CyberScoop.
Parks, M. (1 C.E. 2018). 5 Ways Election Interference Could (And Probably Will) Worsen In 2018 And Beyond.; NPR.
Parks, M. (2020, April 28). States Expand Internet Voting Experiments Amid Pandemic, Raising Security Fears.; NPR.
Parks, M. (2019, September 4). Cyber Experts Warn of Vulnerabilities Facing 2020 Election Machines.; NPR.
Perlroth, N., & Krauss, C. (2018, March 15). A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. The New York Times.
Person, R. (2019, May 2). Russian Grand Strategy in the 21st Century | NSI. Nsiteam.Com.
Petersen, M. (2019, January 9). The Naval Power Shift in the Black Sea. War on the Rocks; War on the Rocks.
Polish Election Commission Website Hacked. (2014, November 19). Www.Worldpoliticsreview.Com.
Porche, I. (2019, June 24). Fighting and Winning the Undeclared Cyber War. Www.Rand.Org.
Presidential Commission on Election Administration Presents Recommendations to President Obama | U.S. Election Assistance Commission. (2014, January 22). Www.Eac.Gov.
Riley, M., Robertson, J., & Kocieniewski, D. (2016, September 29). The Computer Voting Revolution Is Already Crappy, Buggy, and Obsolete.
Rumer, E. (2017, June 14). Russia and the West in a New Standoff. Carnegie Endowment for International Peace.
Russian Strategic Intentions A Strategic Multilayer Assessment (SMA) White Paper. (2019).
S. Boyko. (2016). UN Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. International Affairs, 62(005), 242–254.
Sanger, D. E. (2020, February 26). Why Russia Is Rooting for Both Trump and Sanders. The New York Times.
Sanger, D. E., & Perlroth, N. (2020, October 12). Microsoft Takes Down a Risk to the Election, and Finds the U.S. Doing the Same. The New York Times.
Sanger, D., & Edmondson, C. (2019, July 25). Russia Targeted Election Systems in All 50 States Report Finds. The New York Times.
Seawright, A. (2020, May 8). Countering China’s Influence Operations: Lessons from Australia. Www.Csis.Org.
Shahbaz, A. (2018). The Rise of Digital Authoritarianism. Freedom House; Freedom House.
Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace. (2020, October 19). Www.Justice.Gov.
Sozan, M. (2017, October 26). On HAVA’s 15th Anniversary, Congress Needs to Make U.S. Elections More Secure. Center for American Progress; Center for American Progress.
Specter, M., Koppel, J., Daniel, M., & Mit, W. (2020). The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections *. Massachusetts Institute of Technology.
Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., & Halderman, J. A. (2014). Security Analysis of the Estonian Internet Voting System. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security – CCS ’14.
Stark, P. (2019). There is no Reliable Way to Detect Hacked Ballot-Marking Devices. University of California, Berkeley.
Statement by NCSC Director William Evanina: Election Threat Update for the American Public. (2020, August 7). Www.Dni.Gov.
Statement by Secretary Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector. (2017, January 6). Department of Homeland Security.
Stevens, T. (2020, February 14). Mobile voting app used in Utah County could be hacked, experts say. The Salt Lake Tribune; The Salt Lake Tribune.
Stewart, K., & Taylor, J. (2018, March 23). Online Voting: The Solution to Declining Political Engagement?; RAND.
Temple-Raston, D. (2019, December 26). The ruthless Russian hacking unit that tried to crash Ukraine. The Washington Post; The Washington Post.
The National Academics of Sciences, Engineering and Medicine. (2018). Securing the Vote. National Academies Press.
Timberg, C. (2019, November 19). Russian hackers who stole DNC emails failed at social media. WikiLeaks helped. Washington Post.
Two Alleged Hackers Charged with Defacing Websites Following Killing of Qasem Soleimani. (2020, September 15). Www.Justice.Gov; U.S. Department of Justice.
Ukraine Warned Of Russian Cyberattacks Aimed At Presidential Vote. (2019, March 28). RadioFreeEurope/RadioLiberty; RadioFreeEurope/RadioLiberty.
Ukrainian Election Task Force. (2019, May). Foreign Interference in Ukraine’s Democracy. Ukrainian Election Task Force.
University of Pennsylvania. (2016). The Business of Voting: Market Structure and Innovation in Election Technology Industry | electionline. Electionline.Org; University of Pennsylvania.
Uria, D. (2018, June 18). Dozens of states tighten election security — by going back to paper. UPI; UPI.
U.S. Congress. (2020, October 20). S.1321 – 116th Congress (2019-2020): Defending the Integrity of Voting Systems Act. Www.Congress.Gov; U.S. 116th Congress.
U.S. Department of Homeland Security. (2016). GRIZZLY STEPPE -Russian Malicious Cyber Activity.
U.S. Department of Homeland Security. (2018a, March 27). Election Security. Department of Homeland Security.
U.S. Department of Homeland Security. (2018b, September 21). Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security. Department of Homeland Security; Department of Homeland Security.
U.S. Election Assistance Commission. (2015). United States Election Assistance Commission Testing & Certification Program Manual. U.S. Election Assistance Commission.
U.S. Election Assistance Commission. (2020). Registered Manufacturers | U.S. Election Assistance Commission.
U.S. House of Representative. (2012, April 26). – IRANIAN CYBER THREAT TO THE U.S. HOMELAND.
U.S. Senate Select Intelligence Committee. (2019). Select Committee of Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 Election Volume 2: Russia’s Use of Social Media with Additional Views,
U.S. Senate Select Intelligence Committee. (2020). Select Committee of Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 Election Volume 5: Counterintelligence Threats and Vulnerabilities,
U.S. Vote Foundation. (2019). The Future of Voting | Executive Summary.; U.S. Vote Foundation.
Vavra, S. (2017, August 13). The world’s top cyber powers. Axios; Axios.
Vavra, S. (2019, July 10). Why Cyber Command’s latest warning is a win for the government’s information sharing efforts. CyberScoop; CyberScoop.
Verizon. (2018). 2018 Data Breach Digest. Verizon.
Voo, J., Hemani, I., Jones, S., Desombre, W., & Cassidy, D. (2020). National Cyber Power Index 2020 Methodology and Analytical Considerations. Harvard Kennedy School Belfer Center for Science and International Affairs.
Voting technology | MIT Election Lab. (2016).; Massachusetts Institute of Technology.
vvk-ehk/evalimine – Estonia e-voting code. (2020). github; GitHub.
Watkins, A. (2017, August 14). Obama team was warned in 2014 about Russian interference. POLITICO; POLITICO.
Welch, C. (2014, May 13). Estonia’s online voting system could easily be rigged by hackers. The Verge; The Verge.
White House. (2018). NATIONAL CYBER STRATEGY. The White House.
Working Together to Build a Better World. (2017, December 30). Ie.China-Embassy.Org.
World’s most hi-tech voting system raises cyber defenses. (2017, July 20). e-estonia; e-estonia briefing centre.
Wuesst, C. (2014). SECURITY RESPONSE Targeted Attacks Against the Energy Sector Candid Wueest. In Symantec. Symantec.
WV’s Secure Mobile Voting Application. (2012).; West Virginia Secretary of State.
Xinbo, W. (2020). The China Challenge: Competitor or Order Transformer? The Washington Quarterly, 43(3), 99–114.
Yadron, D. (2015, December 21). Iranian Hackers Infiltrated New York Dam in 2013. Wall Street Journal.
Zetter, K. (2014, November 3). An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. WIRED; WIRED.
Zetter, K. (2019, March 15). Experts: Elections commission downplaying unseen risks to 2020 vote. POLITICO; POLITICO.
Zetter, K. (2020, August 13). Election commission orders top voting machine vendor to correct misleading claims. POLITICO; POLITICO.
Украина. Президентские выборы 2014 | Электоральная география 2.0. (2014). Electoral Geography; Electoral Geography.

Leave A Reply