In the wake of assessments about foreign interference in the 2016 presidential election, concerns have been mounting about the security of the 2018 midterm elections. Security efforts are complicated by the complex, multidimensional election life cycle, with each dimension involving a broad array of components. The main dimensions can be thought of as election administration, campaign activities, and media coverage. Traditionally, concerns about election security have focused largely on election administration. In the wake of the 2016 election, the Department of Homeland Security designated election-administration infrastructure as a critical infrastructure (CI) subsector. That made the state and local offices and private-sector entities involved in running elections eligible for enhanced federal technical assistance and information sharing on both physical- and cyber-security. The CI designation expressly applies only to the election-administration dimension. However, malicious actors are unlikely to respect such limitations. The increasing use of internet connectivity in all three dimensions is creating a convergence of security risks not only within the dimensions but across them.
- Attacks on election infrastructure might involve registration databases, voting systems, reporting of results, or other components or processes. The goal might be to exfiltrate (surreptitiously obtain) information such as voter files, to disrupt the election process, or even to change vote counts and results.
- Attacks on political parties and campaigns might involve exfiltration of candidate information or communications, disruption of events, or other goals. For example, data from the information networks of a political party could offer a foreign adversary insights into the prospective operations, priorities, and vulnerabilities of an incoming government, should the party prevail at the polls.
- Exploits involving media coverage, especially social media, might include, for example, spreading false or misleading information to voters with the aim of affecting their votes or eroding confidence in the election outcome. Voter information obtained through attacks on political party or government entities, or by other means, could be used to target voters considered susceptible to such misinformation. For example, Cambridge Analytica reportedly acquired and used data on more than 50 million Facebook users to influence voters in the 2016 U.S. presidential election and Brexit referendum. Although Facebook maintains that the case did not constitute a data breach, the legality of how such information was and is obtained, as well as its potential impacts, remains controversial. Both House and Senate committees have held hearings on the topic…”