By Daniel Dobrygowski
The Iowa Democratic caucus, the first election of the 2020 cycle in the U.S., seems to have played into experts’ most dire concerns about election integrity. Rather than a harbinger of disaster to come, we need to recognize this as a warning that it’s all hands on deck to ensure election security. It’s well past time to activate everyone who has a stake in trustworthy elections — not only campaigns, government officials, and voters, but also private companies as well. To borrow a meme, the best time to work together on securing the vote was 2010, the second-best time is right now.
Much of the conversation around election security to date has focused on hacking, and it remains a serious concern. In 2016, Russian hackers targeted election infrastructure in more than two dozen U.S. states and compromised the email servers of Hillary Clinton’s presidential campaign. Adversaries have already begun targeting the 2020 presidential campaigns. Personal information about voters has also leaked from campaigns and political parties who store and analyze it online.
But as the recent Iowa debacle showed us, election security is about much more than cybersecurity. Decisions about how and when to use technology are made at every step of the voting process: election officials increasingly look to digital mechanisms to tally votes; campaigns use a variety of apps to raise funds and get out the vote; and individual voters rely on their smartphone or social media to learn when, how, or who to vote for. Each of these decision points brings a significant risk of failure, so each needs to be backed by a trustworthy process that is resilient in the face of both attacks by external actors and mistakes by internal administrators.
This is where private companies can play a bigger role. If civic responsibility isn’t enough of a reason, economic incentives also demand that companies act as proactive democratic citizens. Democracy is good for economic growth. More directly, supporting elections in a non-partisan way (like encouraging people to vote or securing polling stations) can also help a company’s bottom line — “being pro-democracy and pro-voter” has been shown to be good for companies.
There are two broad areas where companies can help: They can offer technology, and they can share knowledge.
We’re already seeing examples of technological assistance from the private sector. The most high-profile effort, Microsoft’s Defending Democracy Program, has offered an array of solutions for security and combating disinformation. Google just announced a partnership with the nonpartisan, nonprofit Defending Digital Campaigns to consult on digital security and help campaigns protect their email accounts. Smaller companies and organizations are also offering security help, from Cloudflare’s Project Galileo, which protects civil rights and democratic institutions’ websites, to Security Scorecard’s Project Escher, which helps such organizations monitor their own security. The Department of Homeland Security maintains a library of resources aimed at safeguarding electoral systems. More companies can step up and offer such resources for free or at low cost — and work on developing more offerings for election infrastructure, not just for campaigns.
But there’s an even greater need for expertise and guidance on how, when, or even whether to use new technologies in campaigns and elections. For decades, every industry has been dealing with “digital transformation.” Right now, elections are undergoing their own digital transformation, and this is an area where virtually every company can offer knowledge and support.
If we recognize that democracy is a system like any other, with inputs (voters), processes (elections), and outputs (policies), businesses can apply what they’ve learned from other systems. For example, companies across the country are identifying best practices around challenges from access control (ensuring that only authorized users have access to key systems) to data protection (preventing information leaks) to “bring-your-own-device” practices (determining how/when to allow employees to access business information on personal computers or phones). Election officials face these same challenges.
Businesses should be forthcoming and offer to share their experiences. All this requires is openness and taking the initiative to work together. If this kind of dialogue had happened between business leaders and the Iowa Democratic Party, maybe they would have realized that an app isn’t a solution to all problems, technology doesn’t replace knowledge or strategy, or that you shouldn’t apply an untested technology to a core function. Many companies have learned these lessons the hard way, and probably have other hard-earned lessons to share in order to help prevent the next avoidable failure. Even then, these lessons may not be shared quickly enough for the next caucus state, Nevada. Even though it may have ditched the faulty app used in Iowa, the process through which it adopted a new app may leave it open to similar faults.
Business can do a lot of good by sharing their most helpful insights from the digital transformations they’ve undergone over the past several years. Companies can also survey their strategic, risk, and IT executives and staff on what they’ve learned and what lessons might be generally applicable for the cause of civic security. Even developing a list of good practices and red flags that can be publicly shared could drastically improve the knowledge base of election administrators.
No matter their role, companies who choose to get involved in election security have a special obligation: to avoid doing harm to democracy. No one should profit off of democratic failure. These firms must ensure the security and functionality of their products or advice. Right now, there is no regulatory incentive to do so, so companies have to hold themselves to this high standard. “Move fast and break things,” which has proven to be problematic in the tech industry, is downright disastrous when the “thing” you’re breaking happens to be the backbone of democracy.
So far, the Federal Election Commission has issued a series of rulings recognizing that campaigns need the assistance of private companies in order to ensure their networks are secure and trustworthy. This is a good start. Now business leaders and companies have to wake up to their civic responsibility.
State and local election officials can also do more to facilitate the learning that needs to happen. Federal officials from the FBI and DHS already meet with the nation’s biggest tech companies to set strategy for combating foreign interference in elections. State election administrators and secretaries of state can use a similar approach on the broader issue of election technology. By convening companies, both big and small, in order to transparently and proactively share plans for how to integrate technology into the electoral process, officials can welcome critical evaluations based on the expertise of people who have already led companies through similar transformations.
Linus’s Law, the motto of open source software, is that “given enough eyeballs, all bugs are shallow.” It should be obvious by now that there is an unacceptable quantity of bugs in our electoral systems. The only way to make them shallow enough to avoid widespread failure is for companies to lend their set of eyes to the digital transformation of elections.
Note: The views expressed in this article are those of the author alone.