A Checklist for Protecting Our Elections from Foreign Meddling

It’s Bigger Than Mueller, It’s Bigger Than Collusion, and It’s Urgent

Vice President and General Counsel for Facebook Colin Stretch, General Counsel for Twitter Sean Edgett, and Senior Vice President and General Counsel for Google Kent Walker at a hearing on “Social Media Influence in the 2016 U.S. Elections” before the Senate Intelligence Committee on  Nov. 1, 2017. (Alex Wong/Getty Images)

Every passing day seems to bring a new story on Special Counsel Robert Mueller’s investigation into whether the Trump campaign colluded with foreign actors to influence the 2016 presidential election.  This continued focus makes sense, as understanding the scope of any collusion (and indeed what is meant by “collusion”) is critical.  The results of the investigation may affect how we the people view our recent election, our current leadership, and our future electoral choices.

Despite the understandable focus on the Mueller investigation, however, it’s important to remember that any collusion – and, indeed, the 2016 election itself – is not the entire story.  The Intelligence Community has concluded that Russia’s senior leadership undertook a deliberate campaign to influence the results of our last election through sophisticated information campaigns, an escalatory step after years of such efforts elsewhere, according to a new report from Democrats on the House Foreign Relations Committee.  And the Russians – or other actors seeking to harm the United States – will almost certainly try again.  Thus, regardless of whether any U.S. actors colluded with a foreign adversary, the problem is here; it is real; and it will persist.  No special counsel can save us from that.  And we’re now under a year away from midterm elections that provide a highly vulnerable target for foreign meddling that may prove more effective than what we saw in 2016.

That’s why it’s imperative for us to use the time before those elections to prepare ourselves as best we can.  To be sure, our institutions have taken some initial steps to address the threat.  Congress has passed the Countering America’s Adversaries Through Sanctions Act (CAATSA), which codifies the sanctions imposed on Russia following its annexation of Crimea and intervention into eastern Ukraine, and has included provisions in the current versions of the National Defense and Intelligence Authorization Acts that would, if enacted, require the Executive Branch to, among other things, produce a variety of strategies for countering Russian influence operations and threats to U.S. elections.  The Department of Homeland Security has also designated election systems as critical infrastructure and (finally) shared information with state officials on Russia’s hacking efforts.  And leading technology companies, urged by Congress, have released some information to the public about the scope of Russia’s influence efforts and have taken steps to improve the transparency and accountability of their political advertising.

These initial steps, however, hardly constitute a comprehensive response.  There’s hope that, in a bipartisan way, at least one of the multiple congressional committees that continue to investigate Russia’s efforts will outline in detail the nature and scope of the threats we face and a series of concrete steps we can take to mitigate them.  But we cannot rely solely on Congress to address this issue.  A multifaceted response is required, and it’s needed soon: with the 2018 midterm elections right around the corner, any reforms are best undertaken as far as possible outside election season, when partisan politics tend to transform conversations on these sorts of issues into contests for advantage between Democrats and Republicans.  Thus, while it’s impossible to cover completely this complicated issue in a short(ish) essay, here I’ve taken an initial pass at laying out some of the key questions that different institutional actors should be answering with respect to the persistent national security threat election interference now clearly represents.

Understand the Risks

Addressing the threat of election meddling first requires understanding it.  This means knowing the precise risks we face.  The threat environment is dynamic, and our adversaries are, of course, going to try to dream up schemes that continue to surprise us.  It’s thus impossible to catalogue exhaustively the precise sorts of election meddling we might face in the future, or who exactly the targets will be – though, to be sure, they can be Republicans just as easily as Democrats, as Russia already demonstrated with its pro-Trump efforts during the Republican primary campaign.  Thus far, however, two broad categories of such risks have emerged.

The first involves the possibility of direct hacking of voter rolls, election machines, voter tallies, and the like by a malicious actor.  While a detailed discussion of these risks is beyond the scope of this short piece – indeed, they merit extended exploration on their own, as others have begun to offer – it is worth noting that they are, in many ways, the most acute.  Hacking electoral infrastructure directly attacks our democracy by potentially altering or, at the very least, casting great doubt on actual vote counts – and who the actual winners of elections are.  And such actions need not affect the actual outcome to breed public distrust in the democratic system and in the validity of leaders chosen by the electorate.  To date, there is no sign that this sort of election meddling has succeeded, perhaps because adversaries are wary of the response such hacking would presumably prompt, if discovered.  But understanding our vulnerabilities on this front is an urgent priority.

The second family of risks are the ones that have already manifested themselves: the risk that a foreign adversary will engage in information operations to influence U.S. elections.

As much precision as possible is critical here to understanding the scope of the threat.  Foreign governments and other actors attempt to influence U.S. politics in a wide variety of ways.  Foreign governments own and operate media organizations, take public positions on hot-button political issues, advertise online, and hire lobbyists.  Foreign-owned corporations engage in similar activities.  When such activities comply with all applicable U.S. domestic laws, such as the Foreign Agents Registration Act (FARA), many, if not most, of these activities may not be clearly problematic – assuming those laws are being properly and punctually enforced, which the recent and likely belated requirement that Russian station RT register under FARA suggests may itself be a problem.  Robust, open debate and an informed citizenry are hallmarks of U.S. elections, and, while being vigilant, we also must be careful not to have our response to what troubles us sweep too broadly.

That said, there were actions taken during the 2016 election that are cause for serious concern.  The first involves infiltrating private computer systems. Stealing, and then weaponizing, directly or through an intermediary, the private communications of campaign officials seems the sort of election interference that everyone should denounce.  It’s worth noting that, in the future, a foreign government may also simply send such confidential information to a competing candidate for him or her to deploy even more skillfully than the foreign government could.  The second involves the manipulation of social media.  Russia appears to have distributed propaganda – real and fake – through social media platforms and to have used networks of social media “bots” surreptitiously to influence and distort U.S. domestic electoral discourse.  While it’s likely unknowable exactly how large an effect such actions had on our election – and one hopes that our democracy can ultimately survive the distribution of foreign-funded junk ads, even through advanced means – our adversaries plainly think their actions are important; and, for that reason alone, it’s necessary for us to understand what they are doing and what they might do in the future.  In those respects, we can also learn from Russia’s investment in similar methods to interference in other democratic countries’ elections.  And it bears remembering that it’s hard to know exactly what qualifies as “political ads” versus more generally socially divisive ones, as well as to measure how many echoing posts Russian-linked material generated, thus amplifying the impact at the time and extending its repercussions long past Election Day in the polarization produced.

Identify the Protections Already in Place

Once a detailed risk assessment is completed, the next step is to focus on identifying what protections we already have in place that can mitigate these risks.

Focusing again solely on information operations, it’s not the case that the cupboard is totally bare.  (There are, of course, already existing protections and other laws in place with respect to direct electoral hacking, though the sufficiency of those laws demands its own fulsome assessment.)  This is particularly true with respect to stealing and weaponizing information.  Although the risk of cyber theft is real and likely can never be reduced to zero, there is increasing awareness about the sorts of common-sense protections one should have in place to guard against it – for example, consider the cybersecurity playbook recently jointly issued by the managers of the Clinton and Romney campaigns.  What’s more, the federal Computer Fraud and Abuse Act (CFAA) prohibits knowingly accessing or exceeding authorized access to a protected computer to obtain information.  Many states also have laws that criminalize computer hacking or the invasion of privacy.  Thus, while enforcement against foreign actors is certainly a problem (to be discussed below), it is almost certainly the case that information theft is already a crime in this context.

Although political speech obviously implicates First Amendment considerations, there are also campaign finance laws that address foreign electoral activities.  Most importantly, 50 U.S.C. § 30121(a) reads as follows:

It shall be unlawful for-

(1) a foreign national, directly or indirectly, to make-

(A) a contribution or donation of money or other thing of value, or to make an express or implied promise to make a contribution or donation, in connection with a Federal, State, or local election;

(B) a contribution or donation to a committee of a political party; or

(C) an expenditure, independent expenditure, or disbursement for an electioneering communication (within the meaning of section 30104(f)(3) of this title); or (2) a person to solicit, accept, or receive a contribution or donation described in subparagraph (A) or (B) of paragraph (1) from a foreign national.

A federal court in Washington D.C. recently upheld this provision, noting that foreign nationals may “spea[k] out about issues or spen[d] money to advocate their views about issues.  [The provision] restrains them only from a certain form of expressive activity closely tied to the voting process—providing money for a candidate or political party or spending money in order to expressly advocate for or against the election of a candidate.”

Consider the Gaps and How to Fill Them

The final step would be to consider the risks in light of our existing protections to identify any gaps that need filling.  Given the significance of the risks discussed earlier, and in light of the vulnerabilities revealed by the 2016 election experience, more clearly needs to be done.  So, what are some of the key gaps, and how might different institutional actors in the United States go about constructively filling those voids?

As a threshold matter, it is important to note that there are a number of steps that should be taken with respect to the direct hacking of voter rolls, election machines, voter tallies, and the like.  But, just as I indicated above that the risks associated with this important issue are beyond the scope of this piece and merit extended exploration on their own, so too shall I now simply emphasize the importance of identifying gaps related to this issue and analyzing ways to fill them.  Others have begun doing important work in this area, and it’s critical to extend such work and indeed to accelerate it.

My focus here, however, remains on information operations targeting U.S. elections.  To mitigate the threat they pose, there are at least four sets of questions various institutional actors should be addressing.

First, the Congress.  As noted above, foreign governments involve themselves in politics in a variety of ways, and it’s important that we do not overreact with overly broad regulation of content important to our deliberative democracy.  That said, based on an assessment of the risks posed by foreign government information operations, Congress will need to consider whether augmentations to the basic landscape of relevant criminal and civil laws are necessary.  What’s more, Congress must accept that even existing laws face grave enforcement shortcomings.  While enforcement of existing law is (always) partly a challenge for the Executive Branch to address, its urgency here makes it Congress’s problem too.  And there may be ways in which Congress can help by providing the Executive with, for example, more investigatory resources. Going bigger still, Congress appears already to be considering clearly criminalizing assisting or accepting assistance from a foreign government for purposes of election interference.  And Congress might consider even more measures, such as by clearly criminalizing the distribution of information stolen in violation of the CFAA and the crossing of state lines to violate privacy with the purpose of election interference.

Congress might also consider tools other than the criminal law to address this issue.  For example, Congress might demand greater disclosures regarding funding for online paid advertising relating to key political issues, thus generating greater opportunities for identifying the involvement of foreign money.  More dramatically, Congress might also consider providing a statutory framework for a regulatory scheme in which more would be asked of the “middlemen” – the social media companies and file-upload sites – roughly akin, at least conceptually, to the reporting requirements imposed on financial institutions in an effort to address money laundering and terrorist financing.  (Think “know your poster” instead of “know your customer.”)  Congress might also consider a legally mandated notification scheme, in which social media companies would have an obligation to inform users when they have been directly exposed to propaganda linked to a foreign government.  To be sure, the stakes are high here, and there are passionate arguments on both sides as to whether these sorts of regulations make sense; but, given the seriousness of the issues, Congress would be remiss in not at least considering whether good faith efforts to address already-identified stolen (hacked) information and misinformation (that is, “fake news”) should be required of technology companies.

There are certainly various types of regulatory schemes that could be considered, with different benefits and costs.  For example, Congress could require all or some of the following: enhanced financial transparency with respect to paid advertising on those companies’ platforms; greater transparency into how the companies treat political campaigns as clients; increased transparency regarding how much politically charged material the companies remove for violating their terms of service; and public reporting on how unusual the level of foreign-financed advertising appears to be during campaign seasons.  And, for any changes along these lines, Congress’s optimal role would seem to involve providing a basic statutory framework to be implemented by more detailed regulation, so as to allow for flexibility and adaptation in light of evolving technologies and as malicious actors engage in new types of information operations – and to avoid fifty different state legal regimes from cropping up in this area.

Second, the Executive Branch.  The first set of questions the Executive Branch has to answer relates to detection: is foreign meddling in our elections being treated as a top priority for U.S. intelligence collection efforts?  This is an issue on which elaborate signals intelligence or human intelligence may not, at least in certain respects, be as useful as simply ensuring that an elite team of open-source analysts is tracking the issue closely.  But, whatever the sourcing, this needs to become a key focus for U.S. intelligence collection long before the 2018 midterm elections to ensure that worrisome trends are spotted, analyzed, and—as appropriate—shared with companies and the public.

And that points to another set of questions for the Executive Branch: Are the right channels of communication open and flowing, in both directions, between the government and technology companies?  Such companies are not, of course, arms of the U.S. Government, and they should not become them—or be perceived as such.  But appropriate sharing of information between the government and the private sector is a staple of improved collaboration on fast-moving, technologically sophisticated challenges such as cybersecurity and critical infrastructure.  And, within proper bounds, developing such a relationship would seem critical to dealing with the challenges associated with information operations designed to distort U.S. elections.  This week’s reports that an FBI task force charged with alerting social media companies and the public to foreign government efforts to manipulate social media are a welcome if overdue sign that serious attention is beginning to be paid to this issue within the Executive Branch.

Then there is the enforcement problem noted above.  To be sure, it is difficult to bring foreign actors operating abroad in hostile regimes to justice, but law enforcement should be engaged with this important issue.  That’s what makes the Attorney General’s admission to Congress that he doesn’t know what’s being done to prevent the next go-around so disturbing.  And enforcement doesn’t necessarily mean law enforcement: the Executive Branch has a variety of other tools for imposing costs on foreign actors for malicious activities, such as financial sanctions.  Being clear about what sort of behavior we find problematic and what steps we would take in response to it could help deter such activity in the future.

Third, beyond the Hill and the Executive Branch, are the technology companies whose platforms have become the virtual battlegrounds for the information operations in question.  While the Hill has focused largely on punishing Russia specifically and on taking to task the companies for their handling of the 2016 election, the tech companies have begun exploring what to do in light of the undeniable role that their platforms have played in shaping political discourse and thus political activities in this country.  For example, there have been reports of what actually happened during the 2016 campaign season; announcements of partnerships with fact-checking websites like Snopes.com; and increased collaboration to identify fake news stories before they get widespread traction.  Still, it’s not clear whether these efforts, laudable as they are, would make a significant dent in the next generation of information operations likely to be directed at future U.S. elections.  At least in the eyes of the U.S. Congress, they’re insufficient.  And, given the stakes, it seems appropriate for the companies, just like the government, to ask what more they can do.

For a start, sharing relevant information across companies would seem ripe for enhancement.  Just as key companies have announced the sharing of digital signatures associated with terrorism-related content, so too could companies share digital signatures associated with misinformation seemingly intended to distort political dialogue.  And, just as the same key companies then took another step for terrorism-related content by announcing that they would jointly enhance the tools they use to identify such content in the first place, so too could companies work together to improve their ability to ferret out information associated with election meddling.

Additional questions also merit exploration by the companies.  Should algorithms derived from machine learning be used to attempt to identify new fake news based on its similarity to earlier stories removed as such, with the new misinformation requiring rapid human review before being allowed to be posted and shared?  This would, of course, have the distinct upside of eliminating content before it can go viral, while still allowing appropriate material—such as counter-speech and media coverage of efforts to combat fake news—to emerge promptly.  At the same time, flipping the default to one involving human review to allow sharing would represent something of a paradigm shift for technology companies outside the area of child exploitation imagery.  It is, for all of these reasons, precisely the type of issue with which technology companies should be grappling—quickly.

Finally, mainstream media should be asking itself tough questions about these issues in advance of the 2018 midterm elections—namely, how should mainstream media cover the misinformation sure to be produced in future information operations?  Should the media seek to identify and call attention to trending bogus stories so as to debunk them?  Or does that simply accelerate and expand their reach, without undercutting them for the many Americans who have, sadly, concluded that mainstream media is itself fake news?  How should the media talk about tech companies’ own efforts—extensively, so as to raise awareness, or minimally, so as not to aggravate the very problem that such efforts are intended to mitigate?

These are, of course, just examples of the types of questions that key institutions should be asking themselves and each other as all of us grapple with this new threat to American democracy.  The key point is this: The problem of information operations in the digital age that take aim at our elections has now been exposed, and it’s a serious challenge certain to persist regardless of the collusion question on which Robert Mueller and indeed many Americans are focused.  The Special Counsel’s work is critical; but so is the work of the other institutions that have a stake in protecting and defending the sanctity of America’s elections.  They’d better get moving fast. 

About the Author(s)

Joshua Geltzer

Founding Executive Director of the Institute for Constitutional Advocacy and Protection, Visiting Professor of Law at Georgetown University Law Center, Fellow in New America’s International Security Program, Former Senior Director for Counterterrorism at the National Security Council, Former Deputy Legal Advisor to the National Security Council, Former Counsel to the Assistant Attorney General for National Security at the Department of Justice