Foreign interference is a very old problem, but most Americans didn't used to worry much about it and the security of elections.
Now, lessons learned about the Russian attack on the 2016 presidential election have brought the most intense focus ever on the U.S. information environment, elections practices, voter databases and other parts of the infrastructure of democracy.
With seven days to run until the end of voting in this year's election, here's what you need to know.
Is the election under attack?
Yes — but it's important to understand exactly what that means: Foreign nations probably cannot affect the casting and counting of ballots, U.S. officials say, meaning that voters can feel confident about submitting their choices and the practices involved with tallying them.
What foreign nations, especially Russia and Iran, are trying to do is chip away at Americans' confidence about that process. They're also trying to create an environment in which citizens don't feel they can believe what they see or accept that the results of the race are legitimate.
Complicating matters is the help given to those efforts — knowingly or not — by real Americans who say publicly that the race is "rigged" or likely to be plagued by "fraud."
How are foreign nations trying to interfere?
There are two big strategies: changing votes and changing minds.
Actually affecting ballots is difficult, and U.S. officials say it's unlikely that any foreign nation could tamper with, for example, a state's correct tally of ballots.
Changing minds is simpler, and that is where much of the energy is focused by governments hostile to the United States. There are two big sub-themes within this category: sowing doubt about the conduct of the election and spreading false or misleading information to influence voters.
Sowing doubt and confusion
U.S. national security officials have issued a series of bulletins warning about the prospect that foreign influence-mongers could try to attack systems adjacent to ballot infrastructure to cause doubts, even if the collection and counting of votes was proceeding honestly.
A cyberattack might try to shut down or deface a county website that showed vote tallies, for example, without actually affecting the true result.
Other strategies include making it appear that information about voters has been stolen and is being used to reveal for whom they voted or make more claims about deeper security compromises.
Iranian hackers, for example, sent a number of emails to voters in Alaska and Florida and said, in so many words: We know you're a registered Democrat but you better vote for President Trump "or else." The messages purported to come from the white supremacist Proud Boys.
Americans may get more messages like that before the election is over, national security officials acknowledge, and according to one cybersecurity report, many domains remain vulnerable to being spoofed in this way — including permitting attackers to pretend they're sending a message from an organization the sender knows.
Security firm Cloudflare has built a public dashboard that shows some cyberattack activity targeting political and elections Web domains. CEO Matthew Prince said the intensity of attacks has been lower so far than in 2016 — "but that doesn't mean we can let our guard down."
Social media misinformation and agitation
The other big sub-strategy involved with changing minds is using the vast, popular and largely unregulated world of social media to try to make Americans believe things that aren't true, amplify disagreement and, in some cases, persuade people not to vote.
This was a big part of Russia's attack on the 2016 election and has never stopped, although researchers say the accounts involved have become somewhat more difficult to detect and other aspects of this work also have evolved since then.
One way is that foreign governments have moved some once-clandestine messaging into the open, making their statements with accounts linked to official spokesmen or state-controlled operations.
Another way is that foreign governments have moved the core of some information attacks off social media. In one scheme, for example, Facebook was being used only to recruit contributors who then posted on other websites controlled by the attacking nation.
National security officials say they're taking new approaches too, including knocking down these schemes as quickly as they can to deny time during which they might gain credibility. U.S. officials also are talking more openly than ever before about their work safeguarding the election.
What about freedom of speech?
The Big Tech platforms, especially Facebook, Google and Twitter, have struggled to strike a balance between permitting Americans to use their services within the bounds of Western values about expression — and identifying bad actors seeking to exploit those same freedoms.
Normal users and some American political operatives also are borrowing from the "active measures" playbook. The chain reaction of misleading or false information on social media now has ample fuel from domestic users and appears self-sustaining on its own even without foreign government efforts.
What about "deepfakes"?
Security-watchers fretted in an earlier stage of this election cycle about the prospect that Americans could be fooled by high-quality fake videos that depict political figures doing things or saying things that never really happened.
There are also less sophisticated "cheapfakes" in which videos are edited with cruder tools to make someone appear to be slurring her words, for example — as though the target were suffering from some kind of health affliction.
Many technology experts, however, think that the heightened awareness about this fake media means they couldn't convince as many unsuspecting people as once contemplated in the nightmare scenarios. And specialists have said they're confident the techniques for detecting fakes have moved faster than the software used to create them, suggesting that authorities could catch them before they fooled too many Americans and caused major disruptions.
How are we supposed to tell what's real and what's not?
Voters are the last line of defense, argues Chris Krebs, director of the Cybersecurity and Infrastructure Security Administration.
This is what we mean by not falling for sensational and unverified claims. The last line of defense in election security is you - the American voter. So be prepared, be a smart consumer and sharer of information. Vote with confidence. #Protect2020
— Chris Krebs #Protect2020 (@CISAKrebs) October 21, 2020
If you see something outrageous on Facebook or a story that doesn't seem right, be skeptical. Read more here about how to assess whether something you've seen might not be legit.
This is important when it comes to news or news-like items that spread on social media, and it's especially true about stories involving the actual operations of voting. If you have questions about your ability to find a polling place or cast a ballot, check with your local officials such as a secretary of state's office or a county elections official.
Krebs' agency also has set up a dedicated national homepage: Rumor Control.
Even before this era of "active measures," chicanery often intensified in the final few days before the end of voting. Be cautious about messages that say, for example, "Democrats' day to vote is Nov. 3; Republicans' turn will be on Nov. 4" — that's not true and never has been.
Election Day for everyone is Nov. 3, though early and mail-in voting options vary by state.
What about after the election?
This year may feature the most turnout ever, according to some projections, and combined with an expected surge in mailed ballots could mean that Americans don't get a definitive result on election night.
That in and of itself doesn't mean there was an attack or "fraud" or a problem.
However, the more uncertainty and controversy associated with the results following the morning of Nov. 4, the more appealing for foreign adversaries, as Laura Rosenberger, director of the Alliance for Securing Democracy, warned ahead of Election Day.
That includes deception about deception, as Cloudflare's Prince observed.
"I continue to worry that the day after the election, Vladimir Putin shows up on TV and says, 'Well that worked out the way we hoped,' with a wry wink — even if there was no actual hacking," Prince said. "That's a really tough thing to overcome."
The task — and the challenge — for Americans is both to remain engaged and confident in their system as national security officials say is appropriate, while also preserving some skepticism, common sense and patience.
Copyright 2021 NPR. To see more, visit https://www.npr.org.