Protecting elections from cybercriminals

European Elections 2019 in Utrecht - Polling station. European Parliament/ROBERT MEERDING

It is a sad fact that cybercriminals have turned the COVID-19 crisis to their own advantage. Even as healthcare systems around the world struggle with the pandemic, we have seen attacks on hospitals, vaccine distribution operations, and medicines regulators. Our democratic processes are no less at risk with rising attacks on governments and affiliated organizations.

With multiple national and local elections scheduled in Europe this year – including the Dutch general elections, the Estonian presidential elections, and the German federal elections, to name just a few – increasing vigilance and protections are needed.

Microsoft first rolled out AccountGuard, our suite of tools to help protect the democratic process, in 2018, and have since expanded it to 31 democracies around the world. This includes 22 countries in Europe. In our most recent update, we have significantly expanded the security measures in place, introducing enterprise-grade identity protections to eligible participating countries in Europe.

We spoke to Jan Neutze, who heads up Microsoft’s Defending Democracy Program, about these latest developments – and why AccountGuard is increasingly important.

What are AccountGuard’s new security measures in Europe?

In a nutshell, we launched AccountGuard with the idea that we want to help protect political campaigns and other democratic stakeholders against cyberattacks, and specifically against nation-state attacks. We initially offered this service for free to political campaigns and parties in the US. It has since expanded to 31 countries and a much wider range of groups are now eligible, including government officials, healthcare entities, journalists, and think tanks. Although, because of local regulations, we can’t offer this service in all democracies.

Ahead of the US elections in 2020, we introduced a suite of enterprise-level security protections, which we have now expanded to AccountGuard customers in other countries.

These new measures consist of three core things. Firstly, there is security hardware, provided free of charge by our partner Yubico, to help with identity protection through things like multi-factor authentication.

Secondly, it’s access to a cloud-based software solution, Azure Active Directory, which helps customers monitor and control who has what permissions. It will also help identify risky sign-ons and allow customers to run risk reports.

Finally, it’s training and guidance. The team has been sharing best practice since the beginning, but this is taking it to the next level – we’re doing training sessions and answering specific customer queries. We are also partnering with a group called Patriot Consulting, which will offer tutorials and answer questions.

Why are these additional security measures needed?

Strong identity protection is really at the heart of strong cybersecurity.

AccountGuard expands protections for our customers against nefarious behavior online – whether it is a nation-state actor or cybercriminals looking to make a profit or cause disruption. Over the past year in particular, we’ve seen criminal groups going after healthcare organizations to then demand ransom payment, or going after municipalities and local governments. And it’s been quite disruptive.

Often, the way these attacks start is a phishing email where a criminal or a nation state gets access to the customer’s credentials. These can be very targeted campaigns, or more random and broad-scale. Once login details are compromised, the attacker can get access to all sorts of data in those accounts. And if it’s a privileged account, they can get access to data from other accounts, in what’s called lateral movement through an organization’s ecosystem.

How have threats evolved and what have you learnt since AccountGuard was launched?

There is a very active and evolving threat landscape, with attacks on the democratic process from both nation states and cybercriminal groups.

There have been attacks on both the Conservative and Labour parties in the UK, on the European Parliament, and think tanks assisting political parties. And it doesn’t stop just because there aren’t elections happening.

AccountGuard started as a targeted notification product for high-risk customers. Now we are more proactive and trying to drive up resilience, especially among organizations that tend to not have large IT-security operations.

Are there any organizations, or parts of the process, particularly prone to attack?

When you think about political campaigns, or election officials, or think tanks, or journalists and newsrooms, for the most part, they do not run highly sophisticated IT-security operations.

Generally, you can say the smaller the organization, the less capacity they have to defend themselves. If you’re running for a seat in parliament, chances are, you’re going to work with a team that combines friends, volunteers, some family members, and maybe one or two professional staff – at least at the initial stages. It is not just the big presidential campaigns we need to support.

But we don’t just need to strengthen the defences of campaigns directly. We see those who are advising or researching key policy issues regularly getting targeted, certainly in the US, but also in other democracies. There was a trend last year where we saw some major security and geopolitical conferences being targeted, for example the Munich Security Conference.

Are there any new measures that would really help improve cybersecurity around the political process?

Greater awareness would make the biggest difference. There are still too many people saying, ‘We’re just a small organization, no one’s going to come after us’. But then it transpires they are advising the national government and have sensitive communications that would be valuable to a hack-and-leak operation, and suddenly it’s too late. Folks in academia or think tanks advising U.S. presidential campaigns are also a regular target. Cybersecurity hygiene needs to be a core part of any kind of modern digital democracy.

Specific to protecting campaigns and elections stakeholders, we need to ensure that IT-security becomes a standard part of any political or campaign operation, like town hall meetings and fundraisers.

More broadly, digital democracies need to get serious about advancing digital skills in schools, and specifically incorporate baseline cybersecurity knowledge and trainings. We also need more cybersecurity professionals in the world – there’s an absolute shortage.

And then there is the added factor that we’re living through a global pandemic. And that has a huge impact on election organization and campaigning. So much more political campaigning as well as election organizing is going to take place online. And that has an impact both in terms of cybersecurity, but also in terms of disruption through disinformation and through hybrid threats which combine both.

Learn more about the expansion of AccountGuard, Microsoft’s enterprise-grade identity and access management protections here.
