Managing Electoral Cyber Risk (a.k.a. "Hacking Democracy")

35 Pages. Posted: 20 Sep 2017. Last revised: 22 Aug 2018

David Thaw

University of Pittsburgh - School of Law; University of Pittsburgh - School of Information Sciences; Yale University - Information Society Project; University of Pittsburgh - Graduate School of Public & International Affairs

Date Written: May 8, 2018


Election “hacking” has become a topic of intense national conversation in the United States following allegations of foreign interference in the 2016 federal elections. Even allowing for a generous amount of partisan political rhetoric, the nature of political, scholarly, and scientific discourse following that election cycle suggests widespread concern regarding the integrity of U.S. electoral processes among most (if not all) segments of the polity. Put simply – Americans are losing faith in their election systems. An overwhelming volume of discourse responsive to this problem focuses on “securing” election systems or “preventing [foreign] hacking.” This Article answers both challenges, claiming that the “answer” to both is that in fact the questions are wrong. A frightening percentage of public discourse, and even some scholarly and scientific literature, fundamentally misunderstands the technological or legal systems currently in place, the threats to those systems, the protections they do (and could) provide, and the actual nature and means by which a foreign actor could influence an election result. This Article seeks to bring clarity to this discussion – one fundamental to the U.S. representative democracy – by providing a framework for understanding the means by which elections can be unlawfully influenced, the legal and technological systems in place to prevent such unlawful influence, and the limitations of those systems. It argues that current discussions are likely to continue two (failing) approaches found in other areas of cybersecurity: (1) a desire for a technological “silver bullet” solution; and (2) the creation of checklists to implement such solutions and “prevent” or “solve” the problem. Such approaches have repeatedly failed, as anyone who has received notification that their personal information was compromised is aware (well over one-in-three Americans).
Drawing upon previous literature and empirical evidence, this Article attempts to reframe the question by answering that we should instead be asking how to manage such risk, and examine how the integration of multiple legal and technological tools into a risk management plan can achieve an acceptable level of confidence in our electoral systems, buttressed by “failsafe” procedures in the event an election result falls outside an acceptable margin of risk.

Keywords: cybersecurity, elections, hacking, risk management

Suggested Citation

Thaw, David, Managing Electoral Cyber Risk (a.k.a. "Hacking Democracy") (May 8, 2018). Available at SSRN.

David Thaw (Contact Author)

University of Pittsburgh - School of Law

3900 Forbes Ave.
Pittsburgh, PA 15260
United States

University of Pittsburgh - School of Information Sciences

Pittsburgh, PA 15260
United States

Yale University - Information Society Project

P.O. Box 208215
New Haven, CT 06520-8215
United States

University of Pittsburgh - Graduate School of Public & International Affairs

Pittsburgh, PA 15260-0001
United States
