This article was originally published in Volume XX of the Kennedy School Review Print Journal.
On March 19, 2016, John received a work email with the subject line “Someone has your password.” It read:
“Hi John,
Someone just used your password to try to sign into your Google Account. Google stopped this sign-in attempt. You should change your password immediately.”
Change password: [Link]
Just to be sure this email was authorized, John forwarded the message to an aide for review. The aide scanned it and sent back the go-ahead message, writing, “This is a legitimate email.” Reassured, John clicked the link and changed his password.
Only the aide had mistyped. He meant to say, “This is an illegitimate email,” but instead sent the message “This is a legitimate email” by accident. With a single click, Russian hackers gained access to thousands of staff emails and eventually accessed Democratic National Committee (DNC) servers.
Unfortunately, this is how Russian hackers weaponized stolen information after targeting and successfully phishing John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign. All it took was two letters mistyped (or autocorrected) out of one word to change the course of history.
###
This article focuses on one way to avoid a story like the one above — a stranger-than-fiction tale of a human campaign staffer using technology to make an honest mistake that opened the door to foreign interference. We begin with a review of the U.S. intelligence community’s conclusion that foreign actors interfered in America’s electoral process. Next, we introduce one model for heading off misinformation and disinformation campaigns: the Tabletop Exercise, built and implemented by the Defending Digital Democracy Project (D3P), an initiative at Harvard’s Belfer Center for Science and International Affairs. We close with an assessment of the state of election interference in the 2020 race for president.
Though several things went wrong in 2016, many were due to human error. As primaries are already underway and another general election inches closer, U.S. election security efforts have focused on technological investment, while human investment has fallen by the wayside.[i] National priorities should include combating mis/disinformation campaigns and preventing U.S. officials and political operatives from themselves becoming vulnerabilities in the face of attacks[1].
Lessons from the 2016 Presidential Election
In October 2018, the U.S. Senate released Volume II of its report on Russian interference.[ii] Titled “Russian Active Measures Campaigns and Interference in the 2016 Election”, the 85-page report is heavily redacted but nonetheless clearly outlines numerous ways that Russian assets ran a sophisticated disinformation campaign to “influence the 2016 US presidential election by harming Hillary Clinton’s chances of success and supporting Donald Trump at the direction of the Kremlin.”[iii]
The Russian government reportedly sent two operatives to the United States in 2014 to gather intelligence that they then used to target, phish, and influence, all with the goal of highlighting Hillary Clinton’s unpopularity and sowing discord in American society. Issues of immigration, Second Amendment rights, and race were weaponized and turned back on citizens “in an attempt to pit Americans against one another and against their government.”[iv] Russian operatives used Facebook, Twitter, and other social media accounts to generate fake news stories like Pope Francis endorsing Donald Trump and Wikileaks “confirming” that Hillary Clinton sold weapons to a terrorist organization. The two fake stories respectively received 960,000 and 789,000 comments, reactions, and shares.[v]
The most striking revelation from the Senate’s report is the ease with which mistakes can be exploited and low-cost methods used to turn an advantage. If we have learned anything from 2016, it is that election security does not begin and end at the ballot box. No single party, news network, state election apparatus, federal agency, or individual citizen is equipped to handle efforts to spread mis/disinformation among the American electorate.
The American Response
Technology took the brunt of the blame for America’s electoral failings in 2016. It’s easy to imagine a Russian hacker hunched over a computer, manually changing vote totals, surrounded by lines of code while bypassing all U.S. safeguards. Hacking, as many believe, involves forces beyond government control that can only be repelled with stronger firewalls and smarter technology. While some hacks absolutely do exploit software and hardware vulnerabilities, missing in this illustration is the fact that foreign interference in 2016 primarily came down to exploiting social vulnerabilities, not technological systems.
A private consulting firm, Cambridge Analytica, along with Russian bots and other social media-based influence streams, sought to influence voters long before they arrived at polling locations. Even the DNC hack, which did involve technical interference, was the result of spear-phishing — a common email manipulation tool that tricks humans into clicking links — rather than exhaustively searching for ways to penetrate servers.
This is not to disregard widespread attempts by foreign actors to electronically break into U.S. election systems. Russian actors successfully accessed voter rolls in 39 states to extract data on voters and did attempt to delete some of them from the rolls. Still, these efforts were unsuccessful and would have been mitigated given the organization of U.S. election commissions at the county level. Russian actors were not sophisticated enough to get beyond public-facing databases in these hacks, much less alter the vote totals themselves.[vi]
Other attacks, executed by Russia’s foreign intelligence arm, attempted to spear-phish into county commissions and election software companies by directly sending malware to officials’ emails. These phishing attacks underscore the importance of preventing humans from unintentionally opening gateways into sensitive systems.[vii]
As the 2020 election nears, state election commissions are scrambling to save face with multi-million dollar voting machine overhauls to make voters feel more secure about casting their ballots. From Georgia[viii] to Pennsylvania[ix], states are racing to acquire new technology. Yet these big-ticket purchases do nothing to combat human error like forgetting to check your ballot, mistakenly activating phishing emails, or unknowingly spreading false messages on social media.[x]
The Value in Training Humans
Russian President Vladimir Putin said during a 2017 interview with NBC’s Megyn Kelly when denying Russian election meddling, “IP addresses can be invented — a child can do that! Your underage daughter could do that. That is not proof.”[xi] A boldfaced denial of election meddling, it is the exact language Americans have come to expect from the leader of Russia, but there is a kernel of truth in Putin’s deflection: influencing an election does not require sophisticated computer programs or hacking capabilities. Manipulating election results means manipulating people, not just the systems people use.
The bad news is that it is easy to set up and implement a mis/disinformation campaign. All it takes is a nuanced understanding of a country’s hot-button issues, access to an internet connection to make fake social media accounts and news stories, and the will and ability to spread a message. It is not even necessary to run ads online. The Senate Intelligence Committee found that Russians spent just $100,000 on online advertisements in the run-up to 2016.
While election machine purchases are headline items for policymakers, this approach is costly and fails to fully address the primary issues behind election interference. The actors interfering in US elections are both socially aware and technologically sophisticated, and the weakest chink in the election system armor cannot be replaced by new technology alone. The aide who answered John Podesta’s question about the validity of the email he received did not intend to give nefarious actors access to DNC servers. However, had he been better trained, or at least more careful, the 2016 primary landscape would not have included thousands of hacked emails.
The Tabletop Exercise (TTX)
Eight American intelligence groups concluded that Russia interfered in the 2016 election.[xii] Every election official, campaign manager, or state party leader worth their salt should be kicking and screaming for an effective way to train staff to detect and respond to attempts at mis/disinformation and foreign interference. The ultimate goal should be an election apparatus — including those who run, compete in, and report on elections — that is engaged, educated, and prepared to detect and deter mis/disinformation from foreign and domestic actors. The good news is that there is a low-cost, low-tech way to do it that doesn’t require so much as an internet connection: Tabletop Exercises (TTXs).
A TTX describes any type of formal or informal activity meant to simulate how a particular event will go. It is essentially a dress rehearsal or prelude to the show. The military uses TTXs before consequential missions, often by collecting sand, sticks, rocks, and dirt to build a terrain model of the geography where a future operation will take place. Scenarios are then gamed out on the board with input from the individuals who will be on the ground making decisions.
TTXs are effective because of the real-time nature of the challenges. In the same way that servicemembers gather around a terrain model to rehearse, election officials, party leaders, and campaign staff gather to run through how an election season might look with the addition of full-scope mis/disinformation on the part of both foreign actors and other campaigns. Over the course of the exercise, TTX facilitators send players “injects” (short for “injections”) of sensitive scenarios. These scenarios are notional and meant to elicit player thought, response, and follow-through. An inject could be something as simple as a campaign tweeting that a primary is rigged against their candidate or an election official noticing strange activity on the network at a caucus or polling site. The injects are delivered in the most accurate way possible, and facilitators observe how teams decide to respond to — or instead disregard — the action. Players can choose to respond by sending information up their organizational ladder, issuing an official statement, contacting cybersecurity vendors, holding a press conference, or any other action they see fit.
The TTX election security model is valuable because it trains both individuals and teams on best election security practices. The players debrief the exercise and facilitators provide feedback and assess organizational strengths and weaknesses in the face of mis/disinformation. TTXs force participants to think about their role within the election apparatus and reckon with how they might detect and respond to attempts by malign actors to gain a foothold. If human error represents the greatest potential for foreign groups to gain access to our elections, then humans also offer the best hope for securing elections and maintaining the sanctity of America’s electoral process.
Because they are effective, low-cost, and require few resources, the federal government would be wise to allocate grants to states to use for election training. This would incentivize senior state election officials to implement TTX trainings and get experience identifying and responding to injects in real-time. It’s a simple and effective way of both evaluating and training teams, and it could be deployed in time for the general election in November 2020.
Conclusion
As William Shakespeare said, “What’s past is prologue.” Policymakers ought to keep this in mind as they debate how to prevent Russia from influencing the 2020 election. Moreover, the list of countries and non-state actors taking a hard look at interfering in American democracy has grown beyond Russia.[xiii] It would be naive to think that other countries and non-state actors are not formulating low-risk, high-yield ways to influence the 2020 elections.[xiv] Special Counsel Robert S. Mueller said as much in a July testimony to the House Permanent Select Committee on Intelligence: “It wasn’t a single attempt. They’re doing it as we sit here. And they expect to do it during the next campaign.”[xv] The National Security Agency has reported the Russians are using stealthier methods to try and sow chaos in the 2020 election.[xvi] In October 2019, Facebook reported that it shut down four disinformation campaigns that Iran and Russia were running through the social networking site.[xvii]
TTXs are useful for challenges to electoral integrity originating inside the United States, too. The 2019 governor’s race in Kentucky was impacted by a case of disinformation. Twitter user, @Overlordkraken1, tweeted on Election Day that he ripped up mail-in ballots cast in favor of Republicans shortly after the Republican incumbent fell behind in the vote tally. Online bots retweeted the message, and the incumbent refused to concede until the votes were recanvassed.[xviii] Election officials were forced to respond to the incident. Then there was the 2020 Iowa Caucus, where irregularities affected delegate tallies after the Iowa Democratic Party attempted to collect statewide totals from precinct chairs using a new app that was meant to streamline reporting. Instead, errors with the app led to days of uncertainty over who would emerge the winner in the first-in-the-nation contest.[xix]
All roads are leading to a bumpy finish to the 2020 campaign, but a TTX model can be an effective stabilizer. It provides a flexible, low-cost tool for those in the free and fair election business to address the mis/disinformation and human error-related issues already rearing their heads. TTXs do not solve all facets of the challenge America faces in holding elections free of malign influence. City, state, and federal governments must also invest in modernizing and securing voting systems. But that is not the whole story. In some cases, all it might take is one group of committed, well-trained election officials to ensure that a potential attack on American democracy is thwarted. Planning TTXs around real-world, up-to-date threats is a powerful way to do this. Making sure your autocorrect is off might help too.
[1] Here, we use “mis/disinformation” as a stand in for both misinformation, which is the unknowing spread of false information, and disinformation, meaning the purposeful spread of false information.
[i] “Chaos is the Point: Russian Hackers and Trolls Grow Stealthier in 2020” https://www.nytimes.com/2020/01/10/us/politics/russia-hacking-disinformation-election.html
[ii] Zachary Basu “Senate Intel releases 2nd volume of report on 2016 Russian interference,” Axios last modified 8 October 2018 accessed 2 February 2020 https://www.axios.com/senate-intelligence-committee-russian-interference-report-425274e8-1780-44c3-963a-cd839ef1cbe5.html
[iii] “Russian Active Measures Campaigns and Interference in the 2016 Election”. Senate Intelligence Committee Report. Pg 4. https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume2.pdf
[iv] Senate Intelligence Committee Report. Pg. 6.
[v] Senate Intelligence Committee Report. Pg. 9.
[vi] “Russia Hacked Voting Systems in 39 States Before the Presidential Election,” Vox.com last modified June 13 2017, accessed 10 January 2020, https://www.vox.com/world/2017/6/13/15791744/russia-election-39-states-hack-putin-trump-sessions
[vii] “Mueller Report” Russia Hacked State Databases and Voting Machine Companies,” Rollcall.com last modified 22 April 2019, accessed 10 January 2020, https://www.rollcall.com/news/whitehouse/barrs-conclusion-no-obstruction-gets-new-scrutiny
[viii] “Georgie Hurries to Deliver New Voting Machines in Time for Election,” Atlanta Journal Constitution last modified 16 January 2020, accessed 17 January 2020 https://www.ajc.com/news/state–regional-govt–politics/georgia-hurries-deliver-new-voting-machines-time-for-election/sjrPB5ZPbaBoO3ONBGqKgK/
[ix] “Political Upgrade: Erie County’s New Voting Machines,” GoErie.com, last modified 14 January 2020, accessed 17 January 2020 https://www.goerie.com/news/20200114/political-upgrade-erie-countys-new-voting-machines
[x] “New “Secure” Voting Machines are Still Vulnerable – Because of Voters,” MIT Technology Review, last modified 8 January 2020 last accessed 17 January 2020 https://www.technologyreview.com/s/615019/new-secure-voting-machines-are-still-vulnerablebecause-of-voters/
[xi] “Vladimir Putin to Megyn Kelly: Even Children Could Hack an Election,” NBC News, last modified 2 June 2017 last accessed 8 February 2020 https://www.nbcnews.com/news/world/vladimir-putin-faces-questions-megyn-kelly-st-petersburg-n767481
[xii] Karen Yourish and Troy Griggs. “8 U.S. Intelligence Groups Blame Russia for Meddling, but Trump Keeps Clouding the Picture,” New York Times, last modified 2 August 2018, last accessed 8 February 2020 https://www.nytimes.com/interactive/2018/07/16/us/elections/russian-interference-statements-comments.html
[xiii] Alex Hearn “How the UN unearthed a possible Saudi Arabian link to Jeff Bezos hack,” The Guardian., last modified 22 January 2020, accessed 3 February 2020 https://www.theguardian.com/technology/2020/jan/22/how-the-un-unearthed-a-possible-saudi-arabian-link-to-jeff-bezos-hack
[xiv] Rebecca Falconer “2020 election interference threat from Russia, China, Iran, U.S. says,” Axios, last modified 5 November 2019 accessed 18 January 2020 https://www.axios.com/security-agencies-russia-china-iran-2020-election-7a404769-e952-449b-9588-3c464adcd4a9.html
[xv] Grace Panetta “Mueller warns that Russia is already meddling in the 2020 election and other countries may try it,” Business Insider last modified 24 July 24 2019 accessed 17 January 2020 https://www.businessinsider.com/mueller-warns-russia-other-countries-will-interfere-in-2020-election-2019-7
[xvi] Matthew Rosenberg, Nicole Perlroth, and David E. Sanger. “Chaos is the Point: Russian Hackers and Trolls Grow Stealthier in 2020,” New York Times last modified 10 January 2020, accessed 16 January 2020 https://www.nytimes.com/2020/01/10/us/politics/russia-hacking-disinformation-election.html
[xvii] Mike Isaac “Facebook Finds New Disinformation Campaigns and Braces for 2020 Torrent”. New York Times last modified 21 October 2019 accessed 16 January 2020 https://www.nytimes.com/2019/10/21/technology/facebook-disinformation-russia-iran.html
[xviii] Matthew Rosenberg and Nick Corasaniti “Close Election in Kentucky was Ripe for Twitter, and an Omen for 2020,” New York Times last modified 10 November 2019 accessed 8 January 2020 https://www.nytimes.com/2019/11/10/us/politics/kentucky-election-disinformation-twitter.html
[xix] Keith Collins, Denise Lu, Charlie Smart “We Checked the Iowa Caucus Math. Here’s Where it Didn’t Add Up,” New York Times accessed 15 February 2020. https://www.nytimes.com/interactive/2020/02/14/us/politics/iowa-caucus-results-mistakes.html
Alina Clough is a master’s in public policy student at the Harvard Kennedy School. Prior to beginning her master’s degree, she worked as a web developer, both for state and local political campaigns and at an election commission. At Harvard she focuses on technology and digital government, including at the Defending Digital Democracy Project (D3P) at Harvard’s Belfer Center for Science and International Affairs.
Alexander de Avila is a Marine and master’s in public policy student at the Harvard Kennedy School of Government. His research focuses on international affairs and public service innovation, and he works for the Defending Digital Democracy Project (D3P) at Harvard’s Belfer Center for Science and International Affairs.
Photo by: Element5 Digital