Cybersecurity of Election Technology: Inevitable Attacks and Variety of Responses

Liisa Past, Next Generation Leader at the McCain Institute for International Leadership, and former Chief Research Officer at the Cyber Security Branch of the Estonian Information System Authority

Attempts to influence democratic processes have long been part of adversarial strategy seeking to sow doubt and distrust in rule-of-law-based societies. Cyber-enabled attacks against elections aim to compromise the confidentiality, availability and integrity of the systems and data involved. As such, they are often integrated with information and influence operations that mostly target public discussions.

While the ‘processes of elections themselves — the registering of voters and candidates, the gathering and counting of votes, and the communication of the election results — are by no means impervious to attack’ (1), ‘it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyberattack or intrusion’ (2). Therefore, the possible attack surface is likely to include a wide selection of auxiliary targets, including the candidates and parties as well as their staffers and volunteers, media or other solutions used to display and publish results, election technology vendors, the local election officials and other systems that elections partially rely on, such as voter rolls, population or property registries as well as connections between these systems.

Thus, a comprehensive, whole-of-government approach is called for. As an example of a comprehensive approach, the Compendium on Cybersecurity of Election Technology, published under the auspices of the Cooperation Group of the Network and Information Security (NIS) Directive, reviews the complete lifecycle of elections. It offers comprehensive, practical and actionable guidance on bolstering cybersecurity for election organisers and cybersecurity agencies alike, based on the contributions of around two dozen EU Member States and a number of European institutions.

In addition to the systems controlled and owned by election management bodies, the compendium also reviews how government actors can advise owners of auxiliary systems that have been the most common target of cyberattacks in connection to elections. In the context of the elections to the European Parliament it is important that these principles are followed through, including the last mile of communication of election results. The transfer from capitals to Brussels has to be particularly carefully considered as it lacks a common security approach and, unlike national elections, has not been live tested in this new security environment where elections are considered a legitimate target of politically-motivated cyberattacks.

In addition to the comprehensive approach as laid out in the compendium, the EU and Member States need to consider (3):

  • Designating elections as critical national infrastructure or essential services: This would extend the mandated standards and extra protections to them automatically. While there are a number of successful examples of protecting elections as critical infrastructure, many fear the approach to be too inflexible or to set an unrealistically high standard given current capabilities.
  • While elections are necessarily a national business and the variations in national electoral systems serve partially as a safeguard against widescale compromises, Europe can further use its potential arising from cooperation. In particular, further threat intelligence sharing, and sharing of tools and techniques is called for. As a first step, the Compendium on Cybersecurity of Election Technology can be updated as needed. Building on that, however, those tasked with cybersecurity would greatly benefit from operational cooperation as the adversarial tactics are likely to be similar.
  • Attribution and increased public discussion of cyberattacks are key, as they can lead to increased deterrence. Attribution is the essential first step in taking legal and diplomatic countermeasures, be it prosecutorial action or sanctions. While there has not yet been a collective international response per se to cyberattacks on elections, the coordination efforts so far are promising and coordinated responses have been taken. The EU Cyber Diplomacy Toolbox allows for Common Foreign and Security Policy (CFSP) measures in response to aggression in cyberspace and could be used in the case of election meddling.

(1) Cooperation Group of the Network and Information Security Directive (2018). Compendium on Cyber Security of Election Technology, CG Publication 03/2018, Brussels. Available at: https://www.ria.ee/public/Cyber_security_of_Election_Technology.pdf.

(2) Department of Homeland Security; Office of the Director of National Intelligence, 2016.

(3) Past, L. (2017). All Elections are Hackable: Scalable Lessons from Secure I-Voting and Global Election Hacks. European Cybersecurity Journal, 3(3), 34–47. Available at: https://www.ria.ee/public/RIA/ECJ_Volume3.Issue3_Extract_PAST.PDF.