This article was originally published on Just Security.
The past week featured stark reminders of the importance of election security as the 2020 presidential election swiftly approaches. First, former Special Counsel Robert Mueller testified to the House Intelligence Committee that the Russian government was interfering with American democracy “as we sit here.” Next, the Senate Intelligence Committee released a detailed report on election security, reciting the extensive malign cyber activity conducted by Moscow in the lead-up to America’s 2016 presidential election and concluding that “little has been done to prevent it from happening all over again.”
Press coverage of both of these warnings has emphasized—understandably—the need to harden U.S. defenses against various forms of cyber interference that Russia—and now Iran, too—appear intent on carrying out in the 2020 election. While it’s true that 2020 election security is critical, it’s important to emphasize that protecting our elections can’t wait until 2020 is upon us.
That’s because, if our foreign adversaries’ goal is (as the Senate Intelligence Committee report confirmed) to undermine American confidence in our own democracy, the opportunities to do so are already unfolding. Long before Election Day arrives, the release of internal campaign emails, the distortion of public polling data, the laundering to campaigns of money that originates from impermissible sources—all of this can contribute to advancing the objectives of Russia and other hostile foreign actors intent on undermining public confidence in American elections and, ultimately, our democracy.
In a notable example, for decades the Iowa Caucuses have represented a famously important and influential bellwether for the trajectory of the primary season that unfolds thereafter. That’s why Democratic primary contenders already have been spending lots of time campaigning in Iowa, with an even heavier saturation to come as the actual Caucuses approach on February 3, 2020.
For the upcoming presidential election, there is a proposal by the Iowa Democratic Party to change how its Caucuses unfold. There will be six “virtual caucuses” that determine the candidate preferences of certain delegates who, in turn, participate directly in convention activities to generate Iowa’s votes for a Democratic primary candidate in 2020.
Iowa’s Democrats are going digital with some of their caucuses for the same basic reasons that government, the private sector, nonprofits, and others tend to go digital: to increase participation and engagement. In the case of the Iowa Caucuses, the stated goal is “increasing caucus participation.” That’s a worthy goal to be sure, just as it is in other contexts where important political and government actors are going digital—for example, the nationwide decennial census is also going digital in 2020.
But, as with the census, the tremendous potential of increasing participation by going digital must be matched with appropriate cybersecurity preparations. In the case of the Caucuses, it can be hard to tell, from the outside, whether those are, in fact, being put into place by the Iowa Democratic Party. That raises particular concerns given the expanding literature expressing concern with governments’ ability to secure online voting, in particular.
For example, I’ve found no indication yet in public statements by the Iowa Democracy Party or media reporting on its proposal of how exactly signing up for participation in the virtual caucuses will occur and, in particular, how that process will be made secure, all with sufficient time to conduct appropriate information assurance activities. Building a secure portal can be expensive and can take time, and it’s unclear if that work—presumably requiring a reputable outside firm—has begun. What’s more, balancing the security needs of such a portal with the importance of ensuring that the interface is user-friendly can take iteration and testing, all of which requires considerable time. Indeed, most Americans will surely remember the troubled online rollout of “Obamacare” in 2013 as a notable demonstration of the importance of sufficiently testing a digital interface before launching it.
Maybe there are extensive cybersecurity preparations occurring out of the public eye, and if so—good. They should include the key elements noted above, such as having in place plans for disruptive attacks and ensuring auditability. If not, it’s critical that those preparations happen—and fast—if the proposal for virtual caucuses is accepted by the Democratic National Committee.
Americans live in an era in which actors like the Russian and Iranian governments aren’t waiting for Election Day to attempt to undermine confidence in our elections and our broader democracy. They’re carrying out a sustained campaign not only of election interference specifically, but also of democracy interference more persistently. With Russian actors online seizing on virtually every issue that might divide and polarize Americans—from fracking and the Dakota Access pipeline, to the skin color of actresses appearing in Star Wars and The Little Mermaid— we must treat a wider range of events as potential targets for cyber-enabled intrusions.
That’s particularly true for events closely tied to the 2020 election itself, such as the Iowa Caucuses. It’s time to ensure that cybersecurity plans are part of all plans, as Mueller and the Senate Intelligence Committee so vividly reminded us last week.