How Australia can help the US make democracy harder to hack
Scott Shackelford, Indiana University and Matthew Sussex, Crawford School of Public Policy, Australian National University
In the drumbeat of reports about Russian attempts to undermine U.S. democratic institutions with trolls, Twitter bots and cyberattacks on congressional candidates, it is easy to forget that the problem of election security is not isolated to the United States, and extends far beyond safeguarding insecure voting machines.
Consider Australia, which has been grappling with repeated Chinese attempts to interfere with its political system. One 2018 report, for example, found that the Chinese have infiltrated “every layer of Australian Government, right down to local councils.” That’s why a group of academics and policymakers from Indiana University and the Australian National University recently met to discuss how we might make democracy harder to hack. We found that we had far more to work on together than we had anticipated.
Protecting a diverse, widespread system
In the wake of the 2016 U.S. elections, scholars, government officials and concerned citizens are debating how to mitigate the risk of foreign groups targeting the election machinery upon which democratic societies are built.
Vulnerabilities are widespread across the thousands of largely locally managed systems that together comprise U.S. election infrastructure. These vulnerabilities include voting machines that in some cases still have no paper trails and are often running “severely outdated operating systems like Windows XP,” which has not been patched since 2014.
But that is just a taste of the parade of horribles against which people must inoculate the election system. Other risks include hacked tabulation systems, which was a major concern in the 2017 Dutch elections, as well as compromised media outlets, as in Ukraine.
What’s been done so far?
Since 2016, the U.S. government has made progress in protecting democratic institutions. In January 2017, for example, the U.S. Department of Homeland Security reclassified elections as critical infrastructure, which has helped to focus attention on the issue. Congress has also appropriated US$380 million to help speed the purchase of new, more secure voting machines.
In addition, local and state election officials have a new way to get up-to-date cyber threat information from the federal government. But further progress has stalled, including the Secure Elections Act, which would, among other things, ensure that every vote cast in the U.S. is on a verifiable paper ballot.
What more should Americans be doing, and what can Australia teach us?
Protecting democracy down under
Threats to Australia’s democracy differ in several key respects from those facing the U.S. To begin with, voting is mandatory in Australia, so there aren’t thorny political battles over who is allowed to vote. The major parties also agree on electoral boundaries so as to prevent gerrymandering.
Voting itself is different, too. When Australian voters enter a booth, they use paper forms, which are tallied by hand. And the election process is overseen by a central federally mandated body, the Australian Electoral Commission. This contrasts significantly to the U.S., where voting processes and infrastructure are heavily privatized, using antiquated technologies, though various constituencies have experimented with different forms of electronic voting.
With centralized operations, the Australian government has more control over the voting process and less need to worry about local variations that might threaten its integrity. At the same, such centralization makes for a tempting target.
Lessons from afar
Both countries do have reasons to worry, though. Their shared concerns include manipulation of public opinion via social media; alleged foreign influence over politicians; diminished public confidence around trust, privacy and data; and overseas ownership of news outlets. Fixing these depends much more on addressing human shortcomings than vulnerabilities in digital systems or formal institutions.
Australia also recognizes that political parties are potential targets – as the U.S. found out when the Democratic National Committee’s emails were hacked in 2016 – as well as the lesser-known hack of Republican National Committee emails.
Australia is also working to reduce foreign influence in other aspects of its political and business activities. Like the U.S., Australia has passed tough new foreign agent registration laws with bipartisan support. It has also blocked attempts by Chinese firms to buy controlling stakes in resource companies or large amounts of agricultural and urban land. And it recently excluded the Chinese tech giant Huawei from bidding to provide an Australian 5G mobile data network, citing a potential threat to national security.
And Australia has decided to invest early to guard against future information warfare, such as micro-targeting audiences with tailor-made messaging and machine learning-enhanced deepfake videos. The country has assigned top government officials to focus on cyber threats and begun an effort to ask all citizens to improve their cybersecurity.
Protecting political parties and citizens?
The U.S. has not yet followed Australia’s lead in providing government cyberdefense for political parties. Other aspects of civil society are also left undefended. Hackers have stolen public servants’ data, making them vulnerable to blackmail or fraud. Think tanks and research centers, as well as businesses, have data and other documents that are tempting targets.
The U.S. could do more, perhaps even designating citizens themselves as critical to society and in need of government support and protection against hacking and other online threats. That would acknowledge the many efforts underway to influence voters with false and misleading information.
By taking a lead from Australia – and by learning from successes and failures there, and in other countries – the U.S. could find ways to protect democracy at home and abroad.
Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University and Matthew Sussex, Academic Director, National Security College, Crawford School of Public Policy, Australian National University
This article is republished from The Conversation under a Creative Commons license. Read the original article.