Introduction

1. Introduction

1. Introduction

Some countries such as Estonia, Georgia or the Ukraine have already been exposed to cybersecurity threats to their electoral process for 10 years and more. However, it was only the widely debated cyber-related incidents that are thought to have influenced the 2016 US presidential elections that created broader awareness and attention of this topic. Within several months, this led to worldwide discussions on how to counter increasingly prominent risks of cyberattacks on elections and democracy in both young and established democracies.

Elections rely on varying combinations of manual and technology-based procedures. As neither truly unhackable technology nor entirely tamper-proof manual processes exist, an essential task in election administration involves the management and mitigation of manipulation risks through a range of integrity, audit and control measures. While countries around the world have long-standing best practices for integrity measures for paper-based and manual processes, recent events have highlighted the need to address the risks that emerge from the everincreasing use of technology in elections.

A common misperception is that only countries with electronic voting or other high-profile election technologies are at risk of a cyberattack. However, all elections depend on information and communication technology (ICT) tools, from voter registration to an electoral management body’s (EMB’s) website. Therefore, while the type of cyber-risks, adversaries and attack vectors vary between countries, EMBs—as well as high-level office holders, security agencies and democracy assistance providers—now agree on the need to invest more in understanding, preventing and mitigating the risks that new technologies bring to democratic processes and elections.

A second misperception is that an EMB is the main (or even sole) agency responsible for cybersecurity in elections. However, cyberthreats against elections and democracy arise in a variety of forms that fall under the jurisdiction of many different actors:

cyberattacks against election-related infrastructure aimed at breaching the confidentiality, integrity and availability of election technology and data;
disinformation campaigns that attempt to undermine the credibility of the electoral administration and democratic institutions;
cyberattacks against electoral stakeholders, parties, candidates, media and campaigns; and
disinformation campaigns designed to shape the political debate.

Addressing these cyberthreats often requires more than the implementation of technical mitigation measures by the EMB or any other single entity.

EMBs are commonly responsible for protecting the integrity of their own systems and for upholding the trust and credibility of their institution. Hacking attacks against electoral stakeholders, such as political parties and candidates, and undue influence over the political debate are more commonly a grey area over which other state agencies have jurisdiction; alternatively, there may be no regulation and/or clear mandate for countermeasures.

Election managers and stakeholders often have neither the resources nor the expertise to defend themselves from sophisticated cyberthreats. Cybersecurity expert bodies generally have limited electoral expertise, and may not always give high priority to defending against election-related threats. They may instead focus on protecting critical infrastructure such as the military, public utilities or highlevel economic targets from cyberattacks.

Therefore, more interagency collaboration is needed to pool the required resources and expertise; for developing a better mutual understanding of areas of responsibility, overlaps, gaps and points of contact; and for building holistic defences against both domestic and international cyberattacks on elections and democracy.

This publication describes emerging models of interagency collaboration, at the behest of many election professionals who indicated a need for such a resource. It follows a number of International IDEA events and interviews related to cybersecurity in elections that have taken place following a first international round table on cybersecurity in elections (Wolf 2017), in which representatives of electoral commissions, security agencies, and parliamentary and independent experts have discussed ways to counter real and perceived risks of hacking in elections.

It explores several questions raised as part of a broad needs assessment exercise:

What election-related technologies create exposure to cyberthreats?
Why are cyberthreats important even for countries that do not use evoting or similar high-profile election technologies?
Which government bodies and private sector companies need to be involved?
How should the collaboration of the various actors be structured, and what are their respective roles and responsibilities?
What formal frameworks—from legislation to memoranda of understanding—are required to enable, encourage and facilitate interagency cooperation?
Which measures need to be taken, and in which part of the electoral cycle?
Elections as critical national infrastructure: what does this assessment entail for the EMB?

The publication is based on 20 case studies with EMBs and related government agencies as well as a round-table discussion held in 2018 that facilitated the exchange of experiences between countries as diverse as Austria, Australia, Belgium, Bulgaria, Canada, Denmark, Estonia, Finland, Georgia, Latvia, Lithuania, Mexico, Moldova, the Netherlands, Norway, Romania, South Africa, Sweden, Ukraine, the United Kingdom and the United States.

1. Introduction

Table of Contents

Table of contents