Cybersecurity and Elections : An International IDEA Round-table summary
Until recently, the danger or elections being hacked either by domestic actors or foreign nation states has been mostly discussed amongst computer security experts and in a few countries with highly advanced technologies used in the electoral process.
This has changed dramatically over recent years, with high profile cases of elections-related hacking. In Europe, worries about cyberthreats have influenced electoral debates in such diverse countries as France, Germany, The Netherlands, Estonia, Bulgaria and Ukraine. All of these incidents are inherently difficult to trace back to their source, but it becomes increasingly apparent that they may be part of a campaign to undermine the perceived integrity of electoral processes and institutions.
On 13-14 June 2017, International IDEA organized a two-day round table on the topic of cybersecurity in elections. The event was attended by electoral management bodies from across Europe and the United States, as well as cybersecurity agencies, academics, and independent experts. The main findings can be found in the proceeding summary.
Until recently, the danger of elections being hacked either by domestic actors or foreign individuals or nation states has been mostly discussed amongst information technology security experts and in a few countries using highly advanced technologies in the electoral process.
This risk has changed dramatically over recent years, with several high-profile cases of election-related hacking exposed. In Europe, worries about cyberthreats have triggered a ripple of new decisions. The Netherlands decided to return to a manual vote tally, as the software in use for the past decade was no longer deemed secure enough. Although this decision was later reversed, the public discussion has made cyberthreats more palpable.
In France, where an entire TV station was taken over by hackers in 2014, President Hollande in March 2017 asked the government to take measures against hacking attacks before the elections, while some parties warned that they had already been targeted. Moreover, the country still uses the same type of voting machines that were discontinued in the Netherlands in 2008 due to several weaknesses. In Germany, the computers of parliamentarians were hacked in 2015 and the country uses a very similar tabulation system to the one that was abandoned in the Netherlands this year.
Meanwhile, Central and Eastern European countries have already reported hacking around their elections for many years. Large-scale attacks on the Estonian e-Government infrastructure brought down much of the country’s online infrastructure in 2007. Georgia claimed that elections in both 2008 and 2012 were hacked. In Ukraine, only days before the 2014 parliamentary elections, hackers launched a multi-pronged attack on the country’s Central Election Commission website, not only making the site unavailable but also attempting to publish fake election results. In Bulgaria, the country's Central Election Commission was hacked during the referendum and local elections in 2015.
All of these incidents are inherently difficult to trace back to their source, but it becomes increasingly apparent that they may be part of a campaign to undermine the integrity of electoral processes and institutions.
A two-day roundtable discussion that took place in The Hague on 13-14 June 2017 convened 25 participants, including members of electoral management bodies (EMBs) and cybersecurity agencies, as well as academics and independent experts. For two days, the participants shared their experiences, insights and their perception of the severity, exposure, impact and possible counter-measures against the newly emerging cyberthreats.
Given the potential sensitivity of this topic, the roundtable was held under the Chatham House Rule to create a level of openness and trust between participants. This summary report presents the general trends and findings from the round table, without referring to individual cases.
Summary of the debate
From the roundtable discussions it became clear that, in many countries, cyberthreats are more than hype or part of a political campaign. For those countries, there is a real concern based on evidence, available intelligence information and a recognition that this is a previously underestimated threat that is now to be taken much more seriously. Many EMBs referred to the increased attention paid to their work on cybersecurity from high-level political decision makers.
Individuals or nation states trying to overtly influence elections will likely become a new reality and what is seen now may well be the beginning, not the end, of elections as a target for cyberwarfare. As a consequence, the confidence in democratic processes is bound to decrease when elections are not deemed secure by the public. In that respect, perceived threats are considered as big a risk to public confidence as actual threats.
For some discussants, information and communications technology (ICT) security has always been an important consideration. For them, the positive side effect of the current debate is that the issue now receives the high level of attention it deserves and that governments are forced to invest more in this field, to maintain trust and confidence in elections.
Some discussants were surprised that the overall outlook on election technology is more positive than the bleak picture media may suggest. While challenges do exist, counter measures are possible and there is a sense that EMBs will be able to safeguard their technology.
Dual concern: actual threats and public perception
Cyberthreats are only partially related to actual technical vulnerabilities that may be exploited to compromise an election. Perceived threats, including rumors about vulnerabilities, are as dangerous and possibly even more difficult to counter. Such rumors can be enough to undermine public perception and trust in the integrity of the electoral process.
Beyond directly manipulating or influencing the outcome of an election, the aim of hacking attacks may also be to damage the credibility of the electoral process. Cyberattacks and the spreading of misleading information about the electoral process are, therefore, equally important to counter.
A variety of responses
Some countries have officially or unofficially recognised elections as a ‘critical infrastructure’, a term used to refer to sectors that, when damaged, directly affect the security of a country. With this recognition, additional funding and resources for protecting the electoral process are being made available. They also increasingly recognise that EMBs cannot tackle cyberthreats alone and that a broader multi-agency approach is needed. Inter-agency cooperation and information-sharing among EMBs and other relevant security and expert bodies on cybersecurity issues has, in some cases, already been established.
A number of countries have experienced cyberattacks for several years. In response, they have strengthened their security measures and feel less at risk now. After an initial increase in incidents, they have even seen a decline in attacks in recent years.
For another group of countries, cyberthreats are still a very new issue across their government agencies. In such cases, EMBs may be forced to take a leading role when it comes to organising inter-agency responses and cooperation.
Impact on election technology planning
For now, the debate around cybersecurity and elections is having seemingly little impact on the participating countries’ technology plans:
Where there has previously been less extensive use of technology in elections, this “low-tech” approach is now seen as a risk-limiting advantage. It poses less chance of digital interference. At the same time, countries that have already planned to increase the application of election technologies over the coming years seem not to be letting cybersecurity risks avert these plans. Where existing election technology was already under increased public scrutiny and debate before, this debate is further fueled in the current context of increasing cyberthreats.
Potential targets of attacks
Where attacks are most likely to happen was part of the discussion. High-profile technology, such as electronic voting or registration systems, must be considered targets for cyberattacks. However, participants mentioned that hackers tend to go where breaches are made most easily. As security measures for such systems are increased, attackers will be attracted to other, less protected targets.
Weaker targets may be smaller, less experienced nations that have less resources and, therefore, may find it more difficult to protect themselves.
Within a country, attacks also may be directed at what is beyond those areas an election administration can control and secure. These areas may include political parties, candidates, and other infrastructure needed on Election Day such as power and telecommunication links.
Spreading misinformation about registration or voting processes, aimed at disenfranchising voters or sabotaging Election Day procedures, may be another threat.
The role of IT security experts
A certain disconnect between election administrators and IT security experts emerged from the debate.
As outlined above, a prime concern for EMBs is to uphold public perception and trust in the election technologies they use. IT experts publicly demonstrating weaknesses of these technologies is often viewed as counterproductive by EMBs.
At the same time, IT security experts who tried to convey their findings more discretely expressed their frustration about a tendency by EMBs and vendors to ignore such advice as long as it is provided without publicity.
Another concern of IT security experts was that, with too much effort invested in trust building, actual security measures may still not be taken seriously enough. This combination may lead to a blind, undeserved and dangerous trust in weakly secured technology.
A common challenge for both election administrators and IT security experts is the need to build systems that are trustworthy and easily understandable for voters at the same time.
Conclusions and recommendations
Many countries will need additional financial resources and increased inter-agency cooperation to strengthen the security of election technologies, and to become more resilient against emerging cyberthreats. However, increased technological security is only one part of the required measures. At least as important are effective communication strategies that inform the public about what is done to mitigate cyber risks and that can react quickly to any misinformation that may be spread by adversaries.
A better understanding of adversaries and their goals and strategies still needs to be developed. Simulation exercises of possible attack scenarios and appropriate responses by EMBs and other agencies can be part of preparing effective countermeasures.
Further research on this topic, including the development of comparative knowledge, such as a global overview of election-related cyber incidents or the impact of cyberthreats on political parties and candidates, would be useful. The findings of this roundtable, as well as any additional research, should be disseminated and discussed at other similar events and as part of broader electoral management conferences.