Inter-agency Collaboration on Cybersecurity in Elections: Roundtable Discussion
International IDEA organized a two-day roundtable discussion in The Hague, on 27 and 28 November 2018, to convene participants from electoral management bodies (EMBs) and cybersecurity agencies, as well as academics and independent experts from 20 countries: Albania, Austria, Belgium, Bulgaria, Canada, Denmark, Estonia, Finland, Latvia, Lithuania, Mexico, Moldova, The Netherlands, Norway, Romania, South Africa, Sweden, Ukraine, The United Kingdom and The United States of America.
The roundtable followed an initial International IDEA event on Cybersecurity in Elections in 2017. The conclusion of this first discussion was a recognition that cyberthreats consist of both attacks against electoral ICT infrastructure and against the public perception of the integrity of an electoral process. A variety of responses to these threats were in the early stages of development in 2017. It was apparent that EMBs cannot tackle cyberthreats to elections alone and that a broader multi-agency approach is needed in many countries. This formed the basis for International IDEA to embark on further research on the topic of inter-agency collaboration.
Throughout 2018, International IDEA conducted more than 20 case study interviews with electoral stakeholders globally, to document emerging practices on inter-agency collaboration on cybersecurity in elections. The purpose of the 2018 roundtable was to validate the findings of this research and to exchange recent experiences in a collaborative and trusted setting.
Summary of the discussion
The roundtable consisted of six sessions on: (1) the need for inter-agency collaboration, (2) experiences with initiating and facilitating inter-agency collaboration, (3) collaboration between national authorities, local authorities, and non-government actors, (4) activities and focus areas of inter-agency collaboration, (5) collaboration at national and supranational/European level, and finally (6) possible conflict between inter-agency collaboration and EMB independence.
The event provided an opportunity to exchange the latest developments and conclusions regarding cyber-incidents in elections. It became clear that foreign nation states remain important adversaries to consider, but also that many threats emanate from other sources, including online criminals, employees with privileged access, and political actors. All of which is often compounded by a lack of cyber-hygiene and cyber-awareness of electoral stakeholders.
EMBs are still regarded as the main body responsible for cyberthreats against elections. However, cyberthreats often go far beyond an EMB’s mandate, resources and expertise, which underlines the need for inter-agency collaboration. This includes (cyber)security agencies, line ministries, local government, parliament, cabinet office, the military, political parties and the private sector. Additionally, the European Union (EU) has recently recommended member states to set up national election cooperation networks of relevant authorities and requested that they participate in a European-level election cooperation network, ahead of the EU Parliamentary Elections in 2019.
Modalities for setting up collaboration vary. Some countries, especially smaller ones, take a more horizontal, informal approach, without a formalised division of roles. However, others devise more formal and vertical national policies, including the designation of elections as critical infrastructure (CI), which countries such as the US and Georgia have done. Even in countries where direct CI status of elections is not possible, there is often a recognition that the democratic process should indirectly be treated as such.
Strengthening collaboration between state authorities is essential. Now that election administrators are increasingly strengthening their internal defences, the weakest link in the cybersecurity-chain has shifted towards IT-suppliers and electoral stakeholders, including political parties and candidates. These actors may not yet be as prepared as well prepared as EMBs.
The novelty and complexity of cyberthreats mean that, first, specialised agencies should become more involved in elections. Secondly, a clear division of roles is required to enable each agency to apply its expertise where it is best used. Thirdly, the various agencies will need to invest in a better understanding of each other’s organizational cultures; one participant at the roundtable mentioned, ‘election geeks and IT-nerds do not always speak the same language’.
Finally, inter-agency collaboration will increase as collaboration between agencies intensifies and matures, this commonly includes: (1) initial organization and setup of inter-agency communication, (2) joint risk assessment, creation of situational awareness and sharing of intelligence, (3) coordinated public communication and jointly providing voter information, (4) development of integrated prevention and response mechanisms, (5) provision of expertise, tools, training and resources to other agencies, and finally (6) scenario-based joint exercises. In some cases, the high-level political support has helped to enhance inter-agency collaboration.
Inter-agency collaboration was confirmed as an essential element for mitigating cyberthreats in elections. It allows a holistic approach without limitation to specific authorities, and also enables authorities to pool resources, quickly detect threats, exchange information and ensure efficient and coordinated responses.
Most current collaboration efforts are still focused on specific and forthcoming elections. However, several participants emphasised the importance of creating more permanent and long-term mechanisms.
As technical measures to counter cyberthreats improve, public communication around cyber-risks in democracy will likely become more important. A balanced strategy is needed to inform the public about precautions put in place, but without being alarmist and creating additional doubt. Furthermore, this feeds into an important debate on the limits of transparency in elections: while the electoral process clearly needs to be highly transparent, there is a need to explore the limits to openness when it comes to data and information security protection.
Detailed findings of the case study interviews conducted for this project and the discussions at this event will be published in 2019, as part of the upcoming International IDEA ‘Guide on Inter-agency Collaboration on Cybersecurity in Elections’.