In response to findings that President Donald Trump’s 2016 presidential campaign received election assistance from foreign entities, the Federal Election Commission (FEC) has proposed new rules to limit foreign election contributions.  [More from NPR] . Earlier this year, two entities—Sai, Fiat Fiendum, Inc. and Make Your Laws PAC, Inc.—petitioned the FEC to amend the definition of “valuable information” under 11 CFR part 100. 

Specifically, the proposed changes would narrow the commission’s legal definition of a contribution by defining “valuable information” as information that:

1. Is not freely available to the public;
2. Is provided to a person regulated by the Federal Elections Campaign Act . . . at a cost less than the market rate or by a person not hired by the recipient to generate such information;
3. Would cost a non-trivial amount for the recipient to obtain at their own expense; and
4. Is information that would likely have the effect of influencing any election for federal office or that parties or candidate committees have traditionally expended money to obtain.

If accepted, the following definition will be codified at 11 CFR 100.57.

The proposed regulation outlines two types of “valuable information”: “foreign information” and “compromising information.”

• “Foreign information” would include any information that comes from a source that is prohibited from making contributions under the Federal Elections Campaign Act.
• “Compromising information” would include information that could be used to blackmail or otherwise compromise any candidate for Federal office (including indirect coercion, such as of a candidate’s family), regardless of the source.

If any campaign official was offered or received either of types of information, the regulation mandates that they report this contact to the FEC within three days. Upon learning of a campaign receiving such information, the regulation requires the FEC to initiate investigations, provide a report to the FBI, and, in the case of “compromising information,” provide a report to every reasonably identifiable person against whom such information could be used. Once the FEC has learned of this information, the regulation requires the agency to provide a report to any other law enforcement entity with likely jurisdiction over the matter. Fourteen days later, the FEC must also publish a report on the matter.

Ellen L. Weintraub, the chair of the FEC, signed a notice about the potential new restrictions, further emphasizing the importance of curbing foreign interference in elections. Previously, on June 13, 2019, Weintraub published a statement regarding illegal contributions from foreign governments. “It is illegal for any person to solicit, accept, or receive anything of value from a foreign national in connection with a U.S. election,” she reiterated. “Any political campaign that receives an offer of a prohibited donation from a foreign source should report that offer to the Federal Bureau of Investigation.”

Currently, the FEC is seeking public comment on this proposed rule. This comment period ends on September 30, 2019. After this phase, the rule will be voted on by the FEC commissioners. In accordance with FEC agency policy, four votes are needed for any official action to proceed. Considering the agency currently has four confirmed commissioners out of six possible, this rule would need a unanimous vote in order to become law.

This administrative action echoes similar efforts in the House and Senate to pass increased election security protections in response to Russia’s interference in the 2016 presidential election.

On July 25, the Senate Select Committee on Intelligence published Volume I of a report on Russian Active Measures Campaigns and Interference.  The report stems from the committee’s bipartisan investigation into a wide range of Russian activities relating to the 2016 U.S. presidential election. Volume I reaffirmed the Intelligence Community Assessment (ICA)  that  Russian intelligence accessed elements of multiple state or local electoral boards prior to the 2016 presidential election. According to the Report, DHS concluded that the Russian government likely researched the electoral system in place in all 50 states. In fact, by September 2017, DHS concluded that 21 states were explicitly targeted by Russian government cyber actors.

The Committee determined that “scanning” of election-related state infrastructure was the most widespread activity conducted by the Russian government prior to the election. Scanning is a form of reconnaissance where an adversary searches for weaknesses, access points, and vulnerabilities. Dr. Samuel Liles, Acting Director of Cyber Division for the Office of Intelligence and Analysis, characterized these activities as “analogous to somebody walking down the street and looking to see if you are home. A small number of systems were unsuccessfully exploited, as though somebody had rattled the doorknob but was unable to get in . . . [however] a small number of the networks were successfully exploited. They made it through the door."

It should be noted that the Report provides no evidence that votes were changed, vote tallying systems were manipulated, or that any voter registration data was altered or deleted during the 2016 election cycle. Despite this, there is reason to believe that Russia will continue to escalate its interference in future elections. When testifying before the Committee, Michael Daniel, former Assistant and Cybersecurity Coordinator for President Obama, warned that mapping is done “so that [Russia] could actually understand the network [and] establish a presence so [they] could come back later and actually execute an operation.” Moreover, in an addendum providing the additional views of Senators Harris (D-CA), Bennet (D-CO), and Heinrich (D-NM), the Report states that “Russian operatives undoubtedly gained familiarity with our election systems and voter registration infrastructure—valuable intelligence that it may seek to exploit in the future.”

At the end of the Report, the Committee provided a comprehensive list of recommendations aimed at preventing Russia from interfering in future elections.

1.  Reinforce States' Primacy in Running Elections

The Committee recommends reinforcing the role of each state in administering elections while the federal government should ensure they receive the necessary resources and information. This recommendation received pushback from Senator Wyden (D-OR) who calls for mandatory, nation-wide cybersecurity requirements. Wyden argues that Congress's constitutional role in regulating federal elections is well-established and that the Russian attacks are too complex and too serious to be left solely to state and local officials. Wyden went so far as to say that “[w]e would not ask a local sheriff to go to war against the missiles, planes and tanks of the Russian Army. We shouldn't ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia's cyber army.”

2.  Create Effective Deterrence

The Committee recommends that the U.S. establish an international cyber doctrine to limit certain cyber activity. This doctrine would be similar to the existing international norms and treaties about the use of technologies and weapons systems. The government should treat a violation of this doctrine would be viewed as a hostile act and will be responded to appropriately. The Committee made it clear that the U.S. “should not limit its response to cyber activity; rather, it should create a menu of potential responses that will send a clear message and create significant costs for the perpetrator.”

3.  Improve Information Gathering and Sharing on Threats

The Committee recommends that the federal government, state governments, and local governments should establish clear channels of communication between one another. While this may seem rather rudimentary on its face, one of the key components of information sharing about elections is security clearances for appropriate officials at the state and local level. Since the 2016 election, DHS has compiled a list of officials to contact in every state if there is a threat. In addition, DHS is seeking to obtain security clearances for up to three election officials per state. Lastly, federal officials are working to declassify information in order to provide the greatest possible warning to state and local officials without compromising our own national intelligence.

4.  Secure Election-Related Cyber Systems

Despite the expense, the Committee recommends that cybersecurity needs to become a higher priority for election-related infrastructure. To do this, election officials should work with DHS to evaluate the security of their election systems, voter registration systems, state records, and other pre-election activities. The Report stated that in 2016, “cybersecurity for electoral infrastructure at the state and local level was sorely lacking.” The Committee additionally recommends that DHS creates an advisory panel to give expert-level advice on how states and localities run elections. Using this advice, DHS should develop procedures and processes to evaluate and routinely provide guidance on relevant vulnerabilities associated with voting systems.

5.  Take Steps to Secure the Vote Itself

The Committee recommends that states act with urgency to replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and remove (or render inert) any wireless networking capability. This is because paper ballots and optical scanners are the least vulnerable to cyber-attack. However, in order for paper ballots to be a legitimate means of tallying votes, there must be a secure chain of custody for those ballots. For this reason, the Committee recommends that states reexamine their safeguards against insertion of fraudulent paper ballots at the local level. Lastly, the Committee recommended that vendors of election equipment be briefed about the vulnerabilities in both the machines and the supply chains for the components of their machines.

6.  Assistance for the States

Finally, the Committee outlined its assessment of how the federal government can assist state and local governments in ensuring free and fair elections. State officials told the Committee the main obstacle to improving cybersecurity and purchasing more secure voting machines is cost. In March 2018, Congress appropriated $280 million in grants aimed at improving election security. Among other things, these funds will go toward replacing voting machines, hiring additional IT staff, updating software, and contracting with vendors to provide cybersecurity services. The Committee recommends that the Election Assistance Commission—the entity responsible for administering the grants—regularly report to Congress on how the states are using those funds, whether more funds are needed, and whether states have both replaced outdated voting equipment and improved cybersecurity.

Above all, this Report serves as a reminder that since 2014, Russia has been exploiting weaknesses in the American electoral system in order to sow discord and distrust among the American public. As former Deputy Director of the FBI, Andrew McCabe, told the Committee, the Russians “might not be effective the first time or the fifth time, but they are going to keep at it until they can come back and do it in an effective way." The committee plans to release several more installments of its report in the fall, focusing on the "Intelligence Community Assessment (ICA) of Russian interference, the Obama Administration’s response to Russian interference, the role of social media disinformation campaigns, and remaining counterintelligence questions."

Sample direct recording electronic (DRE) voting machine

Following the infamous hanging-chad fiasco in Florida during the 2000 U.S. presidential election, the federal Help America Vote Act of 2002 aimed to modernize election systems in the United States, in part by encouraging states to transition from paper ballots to electronic voting systems. That 2000 reform, however, may have led to the unintended consequence of making U.S. elections more vulnerable to hacking. Amid reports of cyberattacks against voting systems in Florida, Georgia, and other states in the recent 2018 election, officials are questioning the efficacy of machine-based or electronic voting that lacks a paper trail. Many experts have called for a return to paper ballots or at least paper-records that can be used to audit machine-voting tallies.  As election security expert and Georgetown Law Center Professor Matt Blaze said, "'It's ironic that the famous picture of an election official examining a paper ballot during the Florida recount' was used to illustrate the primitivism of punch-card voting machines, but now is used to demonstrate the robustness of paper ballots." 

Paperless voting systems continue to be popular, however.  During the 2018 election cycle, most states relied on Direct Recording Electronic (DRE) voting systems, which store votes directly into a computer’s memory. The National Conference of State Legislatures notes that DRE systems can be equipped to provide a “voter-verifiable paper audit trail” (VVPAT) that serves two functions. First, VVPAT capabilities allow voters to verify that their ballots are recorded correctly. Second, VVPAT systems provide a paper trail for election officials should an audit become necessary. Nonetheless, ABC reported that 5 states (Louisiana, Georgia, South Carolina, New Jersey, and Delaware) used versions of Direct Recording Electronic (DRE) systems that leave no paper record of individual votes. Additionally, ABC notes that 8 states, including Pennsylvania, use DRE systems without a paper trail in at least one, but not all, counties.

Experts are increasingly critical of paperless DRE systems. A 2018 report "Securing the Vote: Protecting American Democracy" by the National Academy of Science calls for such systems to be “removed from service as soon as possible.” The Brennan Center argues that $380 million in federal funding recently authorized for election modernization is nowhere near enough to address the potential scope of interference in the 2020 election. Specifically, experts warn that paperless DRE systems tend to be older systems, most vulnerable to hacking. A New Yorker piece illustrates the grave risk, recounting a 2018 hacking conference in which hackers were able to infiltrate each of 24 voting machines on display, “some within minutes." Nonetheless, some state officials insist that paperless DRE systems are safe. For example, Delaware Election Commissioner Elaine Manlove told ABC news that DRE machines are not connected to the internet and are not connected to other machines. Thus, hackers would have to penetrate each individual machine to change vote tallies.

State responses have been mixed. The Brennan Center surveyed election officials in jurisdictions that use paperless DRE systems and received a wide variety of responses. Six states have taken direct action to replace all paperless machines with DRE systems equipped with VVPAT systems. These include the 5 states entirely reliant on paperless DRE systems and Pennsylvania. Other jurisdictions have taken a more measured response. Kentucky election officials, for example, have called for the replacement of paperless DRE systems but have yet to secure the funding to do so. Kansas has prohibited counties from purchasing new paperless DRE systems, but has not banned the use of existing paperless machines. Still other jurisdictions have taken no apparent action to replace paperless machines, including Indiana, Mississippi, Tennessee, and Texas. In fact, one municipal election official in Texas reported to the Brennan Center that he hoped to replace existing paperless machines with a new set of paperless machines.

Jurisdictions that are taking action to replace paperless DRE systems are turning to a number of different alternatives. The Brennan Center report estimates that 55% of counties that intend to replace paperless DRE systems hope to purchase optical scanning machines, which rely on computers to scan and tally paper ballots. While optical scanning systems are still vulnerable to hacking of final tallies, they allow officials to retain paper ballots for auditing purposes. An additional 13% of counties intend to purchase DRE systems that are equipped with VVPAT technology, allowing officials to collect a paper trail of each individual vote. 6% of counties report plans to purchase ballot marking devices, which require voters to input their choices on a computer that in turn marks a paper ballot rather than storing votes to internal memory. The remaining 26% of counties have not specified an alternative voting system they intend to purchase.

The decentralized nature of American elections is often touted as an asset. Because elections are typically administered at the county level, hackers have to effectively infiltrate thousands of individual election systems rather than one centralized system. Given both the vulnerability of dated DRE systems and the demonstrated commitment of foreign actors to influence American elections, many believe that a federal mandate to collect paper records of individual votes could help strengthen the American electoral system.

Protecting American Votes and Elections Act of 2019 (PAVE Act)

Washington, D.C. Sen. Ron Wyden, D-Ore., and 14 Senate co-sponsors introduced the PAVE Act requiring paper ballots and statistically rigorous “risk-limiting” audits for all federal elections.  In introducing the bill, Wyden said, “The PAVE Act scraps insecure voting machines that are juicy targets for hackers and replaces them with reliable, secure hand-marked paper ballots. It gives states the funding they need to defend their election systems and puts the Department of Homeland Security in charge of setting strong security standards for every federal election.” This bill updates aging election infrastructure.” Senator Gillibrand “Congress has a responsibility to secure the integrity of our elections, and I am proud to join with Senator Wyden to introduce this bill that strengthens our country’s election infrastructure.” 

The press release described the key provisions of the PAVE Act: 

• "The new PAVE Act bans internet, WiFi and cellular connections for voting machines, and gives the Department of Homeland Security the authority to set, for the first time, minimum cybersecurity standards for voting machines, voter registration databases, electronic poll books used to 'check in' voters at polling places and election night reporting websites."
• "The bill also provides state and local governments with $500 million dollars to buy new, secure ballot scanning machines, and $250 million to buy new ballot marking devices to be used by voters with disabilities. It also permits the federal government to reimburse states the cost of conducting post-elections audits, as well as the cost of designing and printing ballots."

Bots Research Act (H.R. 2860)

On May 22, 2019, Congressman Mark DeSaulnier (CA-11) announced the Bots Research Act (H.R. 2860).  According to the press release, this bill would "establish a task force of experts at the Federal Trade Commission (FTC) to determine the impact of automated social media accounts" on elections and public disclosure and to figure out "how to most effectively combat any use of automated accounts that negatively effects social media, public discourse, and elections while continuing to promote the protection of the First Amendment on the internet."  DeSaulnier said, “We now know that bot accounts were actively used by foreign agents as part of what the Mueller Report characterized as ‘sweeping and systematic’ interference in the 2016 presidential election. The accounts spread false information and manipulate public opinion and threaten free elections and the democratic process."