Disclaimer: Views expressed in this commentary are those of the staff member. This commentary is independent of specific national or political interests. Views expressed do not necessarily represent the institutional position of International IDEA, its Board of Advisers or its Council of Member States.
In the immediate future, Europe should expect an increase in hacking of elections and countries would do well to step up their cyber protection.
Many pundits believe Europe is coming out of its elections ‘red zone’, however four more critical elections will take place in Europe’s heartland, all within a one month. Between 24 September and 21 October, Germany, Austria, and the Czech Republic will choose their parliaments. Slovenia tops it off by electing its, mostly ceremonial, President on 22 October.
All four are historical frontline states between West and East, running from the Baltic Sea, all the way down to the Mediterranean. Today, they are countries at the heart of the EU. Although no political about-turn is expected in any of these solidly democratic EU-countries, the elections in the historical fault line of Europe will nevertheless be important to watch, not least to see how outsiders interested in weakening European integration will try to influence the elections. Cyberattacks will be the likely weapon of choice.
Hacking in elections is no longer a hypothetical problem or mere suspicion. High profile cases over the past few years include attacks on the UK’s voter registration site in 2016, the hacking of the US’s Democratic Party’s computer system in 2016, and attempts in France to obtain data from Emmanuel Macron’s 2016 presidential campaign. Russia is often mentioned as suspect, either directly or through its support to third party hackers. Hard evidence is, however, difficult to find and the country is also not the only suspect.
The abovementioned fault line countries of Europe have not been spared either. In 2015, a hackers’ collective called Pawn Storm tried to steal information from the computer systems of Germany’s ruling CDU. Earlier this year, the Austrian Parliament was hit by a DDoS attack that blocked its websites for a short while. Also this year, the Czech Republic’s Ministry of Foreign Affairs was hacked and lost a year's worth of correspondence. With critical elections upcoming, these countries therefore have all the reasons to be concerned.
Importantly, countries affected are not just those that vote electronically. Elections rely on ICT for other core tasks such as voter registration, ballot counting and for their everyday communication with citizens. And like anyone else, politicians and electoral officials rely on email to share sensitive information. Moreover, the aim of adversaries may not be to pick a preferred candidate, but to destabilise societies, especially by undermining trust in the functioning of democracy. Once even the perception of outsider influence in elections arises, citizens may come to question the credibility of the outcome and the legitimacy of their elected leaders.
In June, International IDEA discussed the theme of cybersecurity in elections at a roundtable for electoral commissions and cybersecurity agencies from twelve, mostly European, countries. They confirmed that hacking in elections should be expected to increase in years to come. Attacks will not be limited to what an election administration can secure, but they will also affect political parties, candidates, and may even target other infrastructure that is required election day, such as power and telecommunication links. Even where electoral commissions are well-secured, rumours about vulnerabilities can be even more difficult to counter.
Some countries therefore now treat elections as ‘critical infrastructure’, a term used to refer to sectors that, when damaged, directly affect the security of a country. This status brings with it resources for protecting the electoral process, and access to high political decision-making. Participants at International IDEA’s roundtable also recognised that electoral commissions cannot tackle cyberthreats alone and that a broader multi-agency approach is needed. At least as important are effective communication strategies that inform the public about what is done to mitigate cyber risks and which can react quickly to any misinformation that adversaries may spread. Lastly, further research on this topic is needed. Only after understanding their true nature and magnitude, will electoral commissions, cybersecurity agencies and political parties be able to respond to cyberthreats.
Given their geostrategic importance, it is not unlikely that the upcoming elections in Europe will produce more such cases of election hacking. Therefore, even though no surprise winners are expected in the German, Austrian, Czech and Slovenian elections, cybersecurity will be the show to watch.