Elections and Cyber Defence
Safeguarding Democracy in the Digital Age
By: Kgotlaetsogile Tiro (Chief Executive Officer, Dv8 Technology Group)
Introduction
Elections, the cornerstone of democratic societies, are under a new and unprecedented threat in the digital age. Cyber threats, including hacking, disinformation campaigns, and sophisticated attacks on voting infrastructure, have become significant concerns. The security of elections is not just a matter of public trust but a crucial element in upholding the legitimacy of democratic systems. This article delves into the intersection of elections and cyber defence, exploring the nature of these threats, strategies for protecting electoral systems, and the broader implications for democracy.
Some countries, such as Estonia, Georgia, and Ukraine, have experienced cybersecurity threats to their electoral processes for over a decade. However, the cyber-related incidents that allegedly influenced the 2016 US presidential elections brought broader awareness and attention to this topic. Within months, worldwide discussions on countering cyberattacks on elections and democracy emerged, uniting both young and established democracies in a common cause.
Elections rely on a combination of manual and technology-based procedures. Since neither truly unhackable technology nor entirely tamper-proof manual processes exist, election administration involves managing and mitigating manipulation risks through integrity, audit, and control measures. While countries have long-standing best practices for paper-based and manual processes, recent events have highlighted the need to address risks from the increasing use of technology in elections.
A common misconception is that only countries with electronic voting or other high-profile election technologies are at risk of cyberattacks. However, all elections depend on information and communication technology (ICT) tools, from voter registration to an electoral management body's (EMB) website. The types of cyber risks, adversaries, and attack vectors therefore vary between countries. EMBs, high-level officeholders, security agencies, and democracy assistance providers now agree on the need to invest more in understanding, preventing, and mitigating the risks that new technologies bring to democratic processes and elections.
It's a common misconception that an Electoral Management Body (EMB) is the primary or sole agency responsible for cybersecurity in elections. In reality, cyber threats against elections and democracy manifest in various forms that fall under the jurisdiction of many different actors, including:
Addressing cyber threats often necessitates more than just technical mitigation measures by the EMB or any single entity. Enhanced interagency collaboration is essential to pool resources and expertise, develop a clear understanding of areas of responsibility, and create comprehensive defences against both domestic and international cyberattacks on elections and democracy.
This article presents emerging models of interagency collaboration derived from various research related to election cybersecurity. It addresses key questions raised during a broad needs assessment exercise:
Insights are derived from an in-depth analysis of case studies involving Electoral Management Bodies (EMBs) and associated government agencies. Countries including Austria, Australia, Belgium, Bulgaria, Canada, Denmark, Estonia, Finland, Georgia, Latvia, Lithuania, Mexico, Moldova, the Netherlands, Norway, Romania, South Africa, Sweden, Ukraine, the United Kingdom, and the United States contributed their unique experiences and perspectives to this comprehensive examination.
Cyberthreats Throughout the Electoral Cycle
Cyber threats can undermine electoral integrity by exploiting technical vulnerabilities or creating the perception that such vulnerabilities exist. Cyberthreats fall into two broad categories: attacks targeting election-related technologies and disinformation campaigns targeting the perceived integrity of the electoral process.
Attacks Targeting Election-Related Technologies
The main targets of hacking attacks against election-related technology include voter registration, voting, and vote-counting technologies, result transmission and aggregation technologies, websites for result publication, institutional and private email accounts, communication systems, and broader national infrastructure such as e-government systems, power grids, and communication links.
Hacking attacks against the electoral process can be generic or election-specific. Electoral stakeholders may become either random victims or intentional targets of attacks. Generic attacks, including Denial of Service (DoS) attacks, website breaches, malware, and ransomware attacks, often require little sophistication and limited resources.
DoS attacks involve flooding online resources with so many requests that the service becomes very slow or completely unavailable. Such attacks do not penetrate the systems but cause damage by making them unavailable, which has reputational implications for the attacked institution. DoS attacks can target websites to make them inaccessible or communication systems to make communication difficult or impossible. Distributed Denial of Service (DDoS) attacks are more challenging to defend against because they come from many different sources; defending against them requires significant computing resources and cooperation with technology partners and Internet providers.
Website breaches involve defacing websites or manipulating their content. Changing the visual appearance is usually obvious and aims to cause reputational damage, whereas content manipulation can be more subtle and create confusion. Such breaches often do not impact internal IT systems but cause uncertainty and undermine the institution's credibility.
Malware and ransomware attacks can adversely impact elections by making essential systems and data inaccessible. These attacks may not be politically motivated; electoral stakeholders can become random targets of criminally or financially motivated hacking.
More advanced attacks explicitly aim to access internal systems, private data, and information. Such attacks often result from severe ICT security shortcomings or advanced persistent threats conducted by well-resourced adversaries, frequently nation-states. These attacks are well-planned and multi-phased and can cause widespread and severe damage. Advanced persistent threats are executed over long periods and can reach systems not connected to the Internet, for example through infected USB sticks.
Social engineering exploits human psychology to gain access to systems and data, eliciting passwords and other credentials from users. This can be done through direct personal contacts or, more commonly, through phone calls and phishing emails that lure recipients into revealing confidential information.
Insider attacks involve intentional data and system breaches by users with access to election-related information systems. Such attacks can manipulate result transfer and aggregation systems and election-related online services.
Disinformation Campaigns
Disinformation involves spreading false, misleading, or inaccurate information with the intent to harm by influencing public opinion. Domestic or international actors can spread disinformation in elections. Such disinformation may include false claims about polling stations, elections being delayed, or votes being cast online where this is not the case. Disinformation can undermine trust in electoral processes, institutions, and technologies by spreading rumours of manipulation and malfeasance.
Disinformation activities are often outside the authority of election administration, as they pertain to political campaigns and require a careful balance between preventing disinformation and protecting freedom of speech. However, EMBs must counter disinformation campaigns that are specifically concerned with the electoral process and its administration.
Disinformation can also target election technologies, spreading unfounded rumours that they are insecure or exaggerating minor technical weaknesses. Creating perceived cybersecurity risks can be as disruptive as actual cyber interference.
Strategies for Protecting Electoral Systems
Enhancing Cybersecurity Measures
Implementing robust cybersecurity measures is essential to protect electoral systems from cyber threats. This includes securing voter registration databases, voting machines, and vote-tallying systems against unauthorised access and attacks. Multi-factor authentication (MFA) can enhance security by requiring multiple forms of identification before access. Encryption can protect data both in transit and at rest, ensuring that unauthorised parties cannot read intercepted data.
Conducting Regular Security Audits
Regular security audits and vulnerability assessments are crucial for identifying and addressing weaknesses in electoral systems. These audits should include penetration testing, where ethical hackers attempt to breach systems to identify vulnerabilities before malicious actors exploit them.
Implementing Secure Voting Technologies
Adopting secure voting technologies can mitigate the risk of cyber attacks. This includes using paper ballots or paper-based audit trails, which provide a verifiable record of votes that can detect and correct discrepancies. Returning to paper ballots or implementing systems that produce a paper record ensures a reliable way to verify vote counts in the event of a cyberattack.
Enhancing Voter Education and Awareness
Educating voters about the risks of disinformation and how to identify credible sources is crucial for protecting the integrity of elections. Public awareness campaigns can help voters recognise and reject false information, reducing the impact of disinformation campaigns. The European Union and organisations like the African Centre for Media & Information Literacy (AFRICMIL) are working to educate the public about media literacy and the dangers of disinformation.
International Cooperation and Information Sharing
Cyber threats to elections are a global issue requiring international cooperation and information sharing. Through organisations like the Global Forum on Cyber Expertise (GFCE), countries can share best practices, intelligence on emerging threats, and strategies for defending against cyber-attacks.
The Role of Global Cybersecurity Companies
Global cybersecurity companies play a pivotal role in protecting electoral systems from cyber threats. Companies like Cisco, Symantec, and FireEye provide advanced security solutions and services to safeguard electoral infrastructure.
Cisco: Cisco offers a range of products and services designed to protect critical infrastructure, including electoral systems. Cisco's Advanced Malware Protection (AMP) and threat intelligence services help detect and mitigate potential cyber threats. The company also provides network security solutions to ensure the integrity and confidentiality of data transmitted during the election process.
Symantec: Symantec offers comprehensive security solutions tailored to protect electoral systems. Their endpoint protection and threat intelligence services provide real-time detection and response to cyber threats. Symantec's focus on securing data and communication channels ensures that electoral information remains confidential and tamper-proof.
FireEye: FireEye specialises in advanced threat detection and response, protecting electoral systems from sophisticated cyber-attacks. Their managed security services provide continuous monitoring and incident response, ensuring that potential breaches are swiftly addressed.
Broader Implications for Democracy
Trust in Democratic Institutions
The security of elections is fundamental to maintaining trust in democratic institutions. When citizens believe their votes are accurately counted and the electoral process is fair, they are more likely to accept the results, even if their preferred candidate does not win. Conversely, perceptions of electoral fraud or manipulation can lead to a loss of confidence in the democratic system and increased political polarisation.
The Role of Technology in Democracy
The increasing use of technology in elections has the potential to enhance the democratic process by making voting more accessible and efficient. However, it also introduces new risks that must be managed. Online voting systems, for instance, could make it easier for citizens to participate in elections but must be designed with strong security measures to prevent hacking and ensure the integrity of the vote.
The Evolving Threat Landscape
The threat landscape for cyber-attacks on elections is constantly evolving, requiring a dynamic and adaptive approach to cyber defence. Continuous monitoring, threat intelligence, and updates to security measures are necessary. Governments and election authorities must stay ahead of these threats by investing in cybersecurity research and development, training personnel, and collaborating with private sector experts.
Case Studies of Cybersecurity in African Elections
Kenya
Kenya's 2017 presidential election faced significant cybersecurity challenges. The Independent Electoral and Boundaries Commission (IEBC) reported multiple hacking attempts during the vote-tallying process. Despite these attempts, the election results were upheld. In response, the IEBC has enhanced its cybersecurity measures by partnering with international experts, securing voter registration databases, improving electronic voting systems, and training staff on cybersecurity best practices.
Nigeria
Nigeria's 2019 general elections faced cybersecurity challenges, particularly related to disinformation. Social media platforms were rife with false reports about candidates and the electoral process. The Nigerian government and civil society organisations launched public awareness campaigns to educate voters about disinformation. The Independent National Electoral Commission (INEC) collaborated with cybersecurity firms to enhance the security of its electronic systems.
South Africa
South Africa's 2019 national elections highlighted the importance of cybersecurity in maintaining electoral integrity. The Electoral Commission of South Africa (IEC) reported several attempts to breach its systems, although none were successful in compromising the election results. The IEC has since adopted advanced threat detection technologies, conducted regular security audits, and enhanced training for election officials on cybersecurity protocols.
The Role of International Organisations
African Union
The African Union (AU) has recognised the importance of cybersecurity in safeguarding elections and has taken steps to support member states. The AU's Convention on Cyber Security and Personal Data Protection provides a framework for member states to develop and implement cybersecurity measures, including protecting electoral systems.
International Telecommunication Union
The International Telecommunication Union (ITU) promotes cybersecurity globally, including in Africa. The ITU's Global Cybersecurity Agenda provides a framework for countries to develop and implement national cybersecurity strategies. The ITU offers technical assistance and capacity-building programmes to help countries enhance their cybersecurity capabilities.
Conclusions and Recommendations
Electoral cybersecurity as a long-term commitment:
Comprehensive electoral cybersecurity requires continuous commitment and resources throughout the entire electoral cycle. The technologies used in elections change with each cycle, as do adversaries and their tools. Therefore, a continuous investment in understanding, preventing, and mitigating these risks is essential.
Addressing cyber-risks in all electoral processes:
Even countries that use limited technology in elections face cyber risks that require serious consideration. All electoral processes, including voter registration, party and candidate registration, result processing, and publication, involve technology and can become targets unless properly assessed and secured.
Importance of interagency collaboration:
Effective interagency collaboration is crucial for improving cyber-resilience in elections. Cybersecurity threats transcend institutional mandates, necessitating resources, information, situational awareness, and expertise from multiple agencies. EMBs and other election authorities should consider various models of interagency collaboration to improve cybersecurity.
Managing public perceptions of cyber threats:
Public trust and support are conditional on electoral integrity. Managing public perceptions of cyber threats is as important as defending against actual threats. Coordinated external communication is integral to countering disinformation about the electoral process and preparing the public for potential cyber-related incidents.
Transparency and clear definition in interagency collaboration:
To safeguard the EMB's perceived independence, interagency collaboration should be transparent and clearly defined. Public explanations should clarify the involvement of non-traditional agencies, such as security services, and legal regulations should stipulate the scope and boundaries of collaboration.
Need for international collaboration:
Cybersecurity in elections is complex and fast-changing, requiring efforts beyond the national level. Countries should invest in bilateral and international knowledge and information exchange, both regionally and between regions/continents. This cross-fertilisation of experiences is crucial for developing effective cybersecurity measures.
Beyond government agencies:
Interagency collaboration should include the private sector, political parties, academia, civil society, and the media. Engaging a broad range of non-governmental stakeholders is essential for improving electoral cybersecurity and its public perception. Providing channels for stakeholders to convey their concerns can prevent additional reputational challenges.
Awareness for political parties:
Political parties and candidates, especially smaller and less-resourced ones, are often the weakest link in electoral cybersecurity. State agencies should provide basic cybersecurity support and advice, informing parties of their responsibility to protect their infrastructure and the limited ability of government agencies to mitigate cyberattack consequences.
Formalising interagency collaboration:
Where spontaneous interagency collaboration is absent, policymakers should consider vertical approaches like critical infrastructure designation. This formal approach can overcome institutional, cultural, or administrative barriers, ensure funding, and create transparency.
Assessment by election observers:
Observing cybersecurity in elections should include assessing the level and effectiveness of interagency collaboration. This involves evaluating the roles and responsibilities of involved actors and measures taken to protect the independence of the election administration.
By integrating these key themes and recommendations, election authorities and stakeholders can better safeguard the integrity of electoral processes, maintain public trust, and adapt to the evolving landscape of cyber threats. This holistic approach ensures that democracy is resilient against both actual and perceived cyber-related threats.