Cybersecurity in Elections: Recent Developments in Europe - Online Discussion
In cooperation with the State Electoral Office of Estonia, International IDEA convened a group of European electoral management bodies (EMBs) on 15 December 2021 to discuss the cybersecurity aspects of elections, five years after the initial wave of cybersecurity concerns emerged. EMBs participated from Austria, Albania, Bosnia-Herzegovina, Canada, Croatia, Denmark, Estonia, Finland, Latvia, Moldova, the Netherlands, North Macedonia, Norway, Romania, Slovenia, Sweden, Switzerland and Ukraine. Representatives of organizations including ACEEEO, Council of Europe and OSCE/ODIHR, and representatives from the European Commission, DG JUST and EU EEAS, also attended.
The main themes under discussion included: the impact of cybersecurity when introducing new elections technologies, the intersection between cybersecurity and disinformation, regional cooperation and foreign interference. Related topics included the unique demands necessitated by the introduction of information and communications technologies (ICTs) in elections due to cyberattacks, as well as the broader shift towards online electoral campaigning.
The event was a continuation of International IDEA’s work supporting cybersecurity of elections in Europe, with previous events held in 2017, 2018 and 2019. Even in the three years since International IDEA last brought together EMBs, much has changed: while relatively few major incidents have taken place, the threat of cyberattacks has had a large impact on the way elections are run and on how international best practices have developed. The EMBs have realized that online threats are here to stay and will only continue to evolve. There are both real and perceived threats, and we should make sure the EMBs possess the requisite knowledge to counter them without having to rely solely on help from outside sources. Managing public expectations and awareness is crucial throughout the process, including to mitigate threats.
Main takeaways from the discussion included:
1. It is important to take a holistic view of the impact and use of ICTs in elections across all stages of the election cycle. Advantages for citizens include ease of interaction, accessibility, and sometimes increased transparency, and for EMBs include increases in speed, efficiency and accuracy. These aspects are however accompanied by the challenges of increased complexity, higher exposure to threats, and risks of the loss of stability. It is crucial to find the right balance between these security and accessibility aspects.
2. There are two major types of interference in the electoral process: cyber operations and information operations. Cyber operations require regular maintenance of security systems, which, with increasing awareness of cyber hygiene practices, is generally effective against attacks. Information operations, which impact voter perceptions and include disinformation campaigns, can target a particular election or even, in the long term, attempt to undermine confidence in a democratic system. Effective mitigation of information operations requires a combination of efforts, including educational campaigns as well as legal and technical efforts.
3. Well-functioning, regularly updated and secure election information systems have become an increasingly important technology for effective election administration. The technology can aid in managing elections, and processing candidates, voters, statistics and results.
4. To ensure credible and transparent cybersecurity and follow best practices, election authorities need to understand the system they use and be able to explain the security features. This aspect will only increase in importance as more countries move towards incorporating e-voting systems. More security will be necessary, and trust in elections will hinge on the accessibility, reliability, adaptability and security of the technologies used.
5. Elections management is continuous and does not start and end with election season: cybersecurity challenges are evolving and require constant attention and incorporation of the latest updates for all technologies used in the electoral process. The technologies supporting elections management should be made safe against potential risks according to the principles of integrity and authenticity, availability and reliability, secrecy and confidentiality, and usability and accessibility. A 'security by design' approach is recommended, whereby the design, development, and deployment of ICTs incorporate and ensure security at all stages of the process. Reasonable and communicable risk assessments, and investments in specific training for not only IT and security staff but all staff, as well as in countering disinformation, can be effective.
6. A high level of trust by the public in elections is crucial: voters need to understand the overall process and how the ICT systems supporting elections are made safe and secure. The EMBs should provide additional tools to make the electoral process more transparent, such as through additional verification tools.
7. Lessons from the Estonian experience show how the country invested in voter trust through a well-understood and effective token for e-voters; a strongly established legal basis and broad political support; clear communication with voters throughout the process; open source, secure and transparent technology; and widely understood and supported procedures.
8. Domestic interagency collaboration between the different institutions involved with elections management is crucial to ensuring a secure, efficient and reliable process. Electoral security should not only be the responsibility of the EMB, but rather a shared responsibility by all agencies involved in the organization and holding of elections.
9. International knowledge sharing and cooperation with other EMBs can contribute heavily to improving cybersecurity. One such initiative is the European Cooperation Network on Elections (ECNE), created in 2018/2019 before the European elections of 2019. The ECNE links to national cooperation networks in EU Member States and facilitates the exchange of information and cooperation of all authorities and stakeholders to counter different threats.
International IDEA will continue to work with EMBs to help the process along and calls upon any interested countries to reach out if there is any issue on which they would like us to focus.