With the European Parliament elections fast approaching, as well as several national elections on the horizon, EU Member States are increasingly worried about possible interference. This builds on concerns that recent elections in the U.S. and France were the target of cyberattacks and disinformation campaigns initiated by foreign actors.
Some countries have sought to mitigate the risks by scaling back or avoiding the use of technology in electoral processes. But experts have warned that returning to pen-and-paper ballots does not necessarily mean that elections are more secure.
Estonia is the only EU country that currently offers its citizens the possibility to cast their ballot online in national elections. Other countries integrate technology into their electoral processes to varying degrees, ranging from the tools used to register voters and collate voter lists, to the technologies applied to tally ballots or disseminate the results, as detailed in our previous blog. That means possible vulnerabilities exist at almost every stage of the electoral process. In addition, the misuse of social media platforms to manipulate voter opinions is a growing concern – and one that demands a different approach to tackling the security at the infrastructure level.
“On the one hand you’ve got technical vulnerabilities and on the other hand you’re facing a lot of information and disinformation operations,” says Peter Wolf, Technical Services Manager for the International Institute for Democracy and Electoral Assistance.
On average across the EU, 61% of respondents were concerned about possible manipulation of the European elections via cyber operations.
Europeans are increasingly worried about all aspects of electoral security. A recent Eurobarometer survey found that on average across the EU, 61% of respondents were concerned about possible manipulation of the European elections via cyber operations. Perhaps surprisingly, that figure dropped to just 42% in Estonia – indicating that there does not necessarily need to be a negative correlation between the use of technology and levels of public trust.
Governments can take concrete steps to mitigate online threats, ranging from using encrypted communications and cloud services, to turning on multifactor authentication or installing password management applications.
In fact, all technology users should be taking such steps to protect themselves in their everyday lives but especially those working on campaigns and elections.
For Jessica Zucker, a Cybersecurity Strategist at Microsoft, turning on multi-factor authentication is one of the most important – and one of the easiest – security measures to implement. “Using multi-factor authentication adds another layer of security by requiring users to provide an additional credential, such as a PIN or biometric input” she says. “Enabling multi-factor authentication on all important accounts, such as personal and professional e-mails and social media, is critical.”
Ensuring that elections remain secure against outside interference, however, will also require greater collaboration between election authorities and the cybersecurity community.
“You can never say a system is completely hacking proof,” says Wolf. “It comes down to how many resources you put in versus how many resources your adversary puts in.”
One particular stage of the electoral process seems more vulnerable than any other: the campaign phase. Individual political candidates are often seen as ‘easy’ targets, not because of the technology they use, but because of the possibility of human error.
Over 90% of successful attacks happen when a person unwittingly reveals their password or clicks on a fake link in an email – a technique known as phishing. During the 2016 US presidential elections, one single phishing email led to the leak of emails belonging to John Podesta, who chaired Hillary Clinton’s campaign.
Another common type of cyberattack is denial of service (DoS), where key websites linked to elections – such as a candidate’s website or government election webpages – are made inaccessible. Such attacks were observed during the 2017 Dutch general elections, 2016 Slovakian elections and, most recently, the 2018 U.S. midterm elections.
In addition, the prevalence of disinformation is a growing threat to liberal democracies. The EU has defined this as encompassing any false or misleading information being “created, presented and disseminated for economic gain or to intentionally deceive the public”.
Disinformation has dogged recent elections in Europe, from the 2016 UK referendum on EU membership, to the 2017 French Presidential Election. A recent report from the Oxford Internet Institute suggests that, between 2015 and 2017, computational propaganda disseminated by Russia’s Internet Research Agency (IRA) reached at least 30 million people in the U.S.
The EU and NATO have set up several task forces to detect and combat disinformation. Since it was set up in 2015, the EU’s East Strategic Communication Task Force has identified at least 4,500 examples of disinformation which they attribute to the Russian Federation. Meanwhile, the German Marshall Fund’s Authoritarian Interference Tracker highlights how at least 414 incidents of Russian government interference activities have occurred since 2000. Most of these took place in the last five years, with the list of targets expanding over time from former Soviet states to include Western Europe and the U.S.
Best practices on how to deal with disinformation do exist. Tim Maurer, co-director of the Cyber Policy Initiative and Fellow at the Carnegie Endowment for International Peace, points out how in 2018 the Swedish election proved that countries have the tools to push back. Ahead of the election, Swedish citizens received leaflets advising them to review information with a critical eye, media organizations were reminded of best practices on fact-checking and spotting fake stories, and politicians were taught how to keep their chosen passwords secure and protected.
“They [the Swedish government] did such a good job creating a really comprehensive approach – a society-wide approach working with different actors to counter not just the risk of election hacking but also of interference in social media campaigns,” says Maurer, who recently co-authored a report on Russian election interference and European efforts to counter disinformation and cyberattacks.
Maurer notes that governments must now devise ways for best practice sharing and continue investment: “You now have half a dozen countries who have gone through the experience and collected best practices and lessons learned. We need to find a way for them to share that with other countries and to find the money for other countries to put those into practice.”
The next European Parliament elections will take place in May. In preparation, the European Commission has already held high-level meetings to brief member states and share best practice on preventing cyberattacks and the spread of disinformation, but experts say that sharing any plans with the public is also vital.
“If such an event is exploited through a disinformation campaign in one country, it may hamper trust in the results in every EU country.” – Lukáš Pimper
Lukáš Pimper, the Czech Republic’s Cyber Attaché to the EU and NATO, warns that evidence of manipulation in these elections could have widespread consequences: “If such an event is exploited through a disinformation campaign in one country, it may hamper trust in the results in every EU country.” If something does go wrong, he adds, there needs to be “a frank and open reaction” from senior members of government.
Effective communication is the foundation for ensuring democracies can withstand cyberattacks: whether it be between government officials and their security agencies, with the governments of other countries, or with industry and the wider public.
Increasing cooperation between electoral commissions and security officials – two communities that have traditionally worked separately – is also crucial. “These issues cannot only be addressed by election authorities,” says Steven Martin, a senior election adviser with the OSCE’s Office for Democratic Institutions and Human Rights. “There needs to be in-country coordination between election authorities, other ministries and cybersecurity components to ensure any potential vulnerabilities are being addressed in a more coordinated way.”
Increased concern around election interference is leading to more resources and expertise devoted to the topic. Efforts to compile learnings from recent incidents are well underway, with experts keen to ensure they are shared as widely as possible.
With the recent launch of the Harvard Kennedy School Cybersecurity Campaign Playbook, for instance, former U.S. electoral campaign managers Robby Mook and Matt Rhoades aim to give all campaign staff “simple, actionable information” to help secure their information – wherever they are. Mook, Hillary Clinton’s former campaign manager, notes that “cybersecurity is an issue that every campaign professional needs to take seriously, but it can be daunting for people who aren’t IT professionals.”
As Europeans prepare to cast their ballots, past successes and setbacks must form the foundation for tackling the challenges ahead. With each cyberattack, EU Member States are learning vital lessons about how to defend themselves – from the need for greater communication and collaboration, to the knowledge that Europe’s electoral integrity is only as strong as its weakest link. It seems unlikely that the threats against our democracies will vanish anytime soon but we can all work together to address them.
This article is the second part of a series on elections in Europe in the digital age. Read part one here.