2. Cyberthreats throughout the electoral cycle
Cyberthreats can undermine electoral integrity by either exploiting technical vulnerabilities or creating the perception that such vulnerabilities exist. Cyberthreats fall broadly into two categories: (a) attacks targeting election-related technologies; and (b) disinformation campaigns targeting the perceived integrity of the electoral process.
2.1. Attacks targeting election-related technologies
The main targets of hacking attacks against election-related technology include voter registration technologies; voting and vote-counting technologies; result transmission and aggregation technologies; websites for result publication and other online election-related services; institutional and private email accounts and communication systems; and broader national infrastructure, including e-government systems, the power grid and communication links.
Hacking attacks against the electoral process can be either generic or election specific. Electoral stakeholders may therefore become either random victims or intentional targets of attacks. Generic attacks often require little sophistication and limited resources and include Denial of Service (DoS) attacks, website breaches, and malware and ransomware attacks.
DoS attacks involve flooding online resources with so many requests that the service becomes very slow or completely unavailable. Such attacks do not penetrate the attacked systems, and cannot change data or access confidential information. The damage is caused by making the systems unavailable, which has reputational implications for the attacked institution. DoS attacks can target websites to make them inaccessible, or communication systems to make communication for their users difficult or impossible. For instance, they could create disruptions by blocking and overloading mobile phones and the communication channels and devices of key election staff (see Box 2.1). If DoS attacks come from a single source, then this source can usually be blocked easily. Distributed Denial of Service (DDoS) attacks are more difficult to defend against, as they come from many different sources; significant computing resources and cooperation with technology partners and Internet providers are required to combat such attacks. As they are relatively simple to execute, successful or attempted DDoS attacks are arguably the most common type of cyberattack; virtually all EMBs experience them at some point. Therefore, many EMBs have recently put in place safeguards to protect against or adequately respond to them.
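The distinction drawn above, that a single-source flood can be cut off at one address while a distributed one cannot, is easy to check in logs. The following is an added example, not code from the report or from any EMB: it counts requests per source over constructed access-log lines for one time window and says whether blocking a single address would help. The threshold and share values are assumed and would be tuned to a site's normal peak.

```python
"""Classify one window of web requests as single-source or distributed flooding.

Added example (not from the report). Input is a list of access-log lines in
Common Log Format; the sample windows below are constructed, using
documentation IP ranges, and do not describe real traffic.
"""
import re
from collections import Counter

# Common Log Format prefix: client IP, ident, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (ip, request) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("req")) if m else None


def classify_burst(lines, flood_threshold=100, single_source_share=0.8):
    """Summarize one time window of requests.

    flood_threshold: requests per window above which traffic counts as a
    flood (assumed value). single_source_share: fraction of the flood one
    address must send for it to count as single-source, i.e. blockable there.
    """
    by_ip = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[0]] += 1
    total = sum(by_ip.values())
    result = {"total": total, "sources": len(by_ip), "block": []}
    if total == 0:
        result["verdict"] = "no-traffic"
    elif total < flood_threshold:
        result["verdict"] = "normal"
    else:
        top_ip, top_count = by_ip.most_common(1)[0]
        if top_count / total >= single_source_share:
            # One address dominates: blocking it removes most of the load.
            result["verdict"] = "single-source"
            result["block"] = [top_ip]
        else:
            # Load is spread across many sources; no single block helps and
            # upstream filtering with the ISP/CDN partner is needed.
            result["verdict"] = "distributed"
    return result


def _line(ip, path):
    # Constructed sample log line in Common Log Format.
    return f'{ip} - - [10/Mar/2019:09:00:01 +0100] "GET {path} HTTP/1.1" 200 512'


# Constructed sample windows (not real traffic).
SINGLE_SOURCE_WINDOW = ([_line("203.0.113.7", "/results") for _ in range(180)]
                        + [_line(f"198.51.100.{i}", "/results") for i in range(20)])
DISTRIBUTED_WINDOW = [_line(f"198.51.100.{i}", "/results") for i in range(200)]
QUIET_WINDOW = [_line(f"198.51.100.{i}", "/") for i in range(12)]

if __name__ == "__main__":
    for name, window in [("single", SINGLE_SOURCE_WINDOW),
                         ("distributed", DISTRIBUTED_WINDOW),
                         ("quiet", QUIET_WINDOW)]:
        print(name, classify_burst(window))
```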
Box 2.1. Indonesia: cyberattacks against election commission staff
During Indonesia’s 2018 regional elections, there were attempts to hack the results data web page of the General Elections Commission, as well as the Telegram and WhatsApp accounts of key election administration staff via weaknesses in the mobile text messaging systems. The attempts sought to gain access to and block the usage of those services in order to disrupt the election process.
Website breaches involve defacing the appearance of websites or manipulating their content. Changing the visual appearance is usually very obvious and aims to cause reputational damage. Content manipulation can be more subtle; such attacks may aim to create confusion, for example by presenting misleading information or altered election results. Such website breaches are based on exploiting the vulnerabilities of a public website and gaining access to a public web server, but often do not impact any internal information technology (IT) systems or lead to the manipulation of the internal data of the attacked institution. However, successful attacks do cause uncertainty and undermine the credibility of the institution. Breaches of election websites can also lead to the leaking of personal data when online voter registers are compromised.
Box 2.2. Ukraine: A long history of attacks against the Central Election Commission’s online infrastructure
A series of simultaneous cyberattacks took place during Ukraine’s 2014 presidential and parliamentary elections. The attacks disrupted the transmission of results by district electoral commissions, in part by launching DDoS and defacement attacks against the website that displayed the election results; malware and phishing attacks also took place. A similar DDoS attack against the Central Election Commission and candidates was launched a few weeks ahead of the 2019 presidential election. However, the 2019 cyberattacks did not succeed in disrupting the results because the election commission had installed appropriate defence mechanisms.
Malware and ransomware attacks can have adverse impacts on elections by making essential systems and data inaccessible (see Box 2.3). They are not necessarily politically motivated; electoral stakeholders can also become random targets of criminally or financially motivated hacking. In recent years, 12 per cent of global cyberthreat activity affecting democratic processes was criminally, rather than politically, motivated (CSE 2019).
Box 2.3. North Macedonia: ransomware attack against the State Election Commission
About one month before the 2019 North Macedonian presidential election, the State Election Commission’s key information and communication systems did not function properly, which affected the timely accessibility of information; the publication of session minutes, instructions and decisions; the online verification of voters’ data in the voter register; and the online register of complaints. This raised questions related to the commission’s ICT security. According to the election commission, systems affected by the ransomware GEFEST 3.0 included the file and email servers, which also impacted the accessibility of the voter register and the database of public employees used to appoint the Electoral Boards (OSCE/ODIHR 2019).
More advanced attacks explicitly aim to access internal systems, private data and information. Manipulating such data is often more difficult than attacking online public resources. Internal systems are usually much better protected and are not directly accessible from the Internet. Successful attacks are the result of either severe ICT security shortcomings or advanced persistent threats, which are well-planned, multi-phased and commonly conducted by a well-resourced adversary, frequently a nation state; these attacks can cause widespread and severe damage. The attacker selects a very specific, often personal, target and uses the most sophisticated available techniques, including publicly unknown vulnerabilities (‘zero-day exploits’). Advanced persistent threats are executed over long periods of time until they eventually succeed; they can even target systems that are not connected to the Internet, for example through infected USB sticks and devices.
In organizations with few technical vulnerabilities, eliciting access credentials through social engineering is often the easiest and most successful attack vector. Social engineering exploits human psychology to gain access to systems and data and to elicit passwords and other access credentials from users. It can be applied through direct personal contact or, more commonly, through phone calls and phishing and spear-phishing emails that lure recipients into revealing confidential information or clicking on links to compromised websites that serve as the starting point for further hacking and malware attacks.
Finally, insider attacks include intentional data and system breaches by users with access to election-related information systems. Usually such advanced and targeted attacks can only manipulate result transfer and aggregation systems and election-related online services—such as online voter, party or candidate registration systems—and publicly accessible election-related devices where technology such as voting machines or voter identification systems is used in polling stations.
2.2. Vulnerabilities
Generic cyberattacks exploit vulnerabilities including a lack of ‘cyberhygiene’. This term refers to (a) users’ degree of training and awareness on how to maintain the system’s health and online security; (b) how up to date the organization’s technology is, including the conduct of regular testing and maintenance; (c) whether the procedures and security principles are adequate to address new and evolving cyberthreats; (d) whether there is sufficient separation between internal and online connected systems; (e) whether staff with access to confidential systems are sufficiently screened and monitored, to reduce the risk of insider attacks; and (f) whether the organization’s cybersecurity measures can defend against the resources and ambitions of a dedicated attacker (see Box 2.4).
Box 2.4. Romania: cyberhygiene training for political parties
The Romanian Permanent Election Commission introduced cyberhygiene training programmes for political parties to protect parties’ internal information as well as the election-related data the commission provides to parties. This is because any hacks and data leaks from parties would also create the perception of a successful hack against the election commission.
Some vulnerabilities specific to the nature of electoral processes pose additional cyber-risks compared to other governmental tasks. The periodic nature of elections results in election-related databases and technology being used only periodically and being reactivated and scaled up around election day. This makes continuous monitoring and management of cyber-risks much more difficult than in other domains. Election day is the ‘single point of failure’ for election technology. Many systems, and particularly government IT systems, can afford to be unavailable for a few hours or even days as the result of a severe cyberattack. Election technology must be operational on election day, so an adversary merely needs to create interruptions or confusion for a few hours during the critical period around elections to achieve maximum damage.
Election technology that is used by millions of citizens only once every few years must be both easily accessible and secure. These two principles are often contradictory but need to be carefully balanced. Multiple government bodies may share responsibility for complex election-related procedures, such as voter registration, which may leave gaps open for exploitation. If the roles and responsibilities of each actor are not clear, no agency may have ultimate responsibility for cybersecurity. Limited financial and human resources and limited IT competence at EMBs for developing and maintaining election technologies can yield poorly designed or poorly secured systems and procedures.
The supply chain of election technology can be another source of vulnerability to cyberattacks. Where custom election technology is sourced, in some cases from foreign vendors, there may be concerns that systems may, whether intentionally or not, be delivered with malware or vulnerabilities.
2.3. Disinformation targeting the perceived integrity of the electoral process
Disinformation is deliberately—often covertly—spreading false, misleading or inaccurate information with the intent to cause harm by influencing public opinion. Disinformation in elections can be spread by either domestic or international actors. Foreign actors may use disinformation as part of ‘influence’ (or ‘information’) operations, a discipline traditionally used in military contexts that has been increasingly applied to elections. Such operations often exaggerate and misrepresent publicly known and debated issues. EMBs’ mandate only entails countermeasures against disinformation campaigns if they specifically concern the electoral process and its administration.
Disinformation activities as part of a political campaign are outside the scope of this document, as they are usually outside the authority of the election administration (see Box 2.5). In this domain, debates about the right level of regulation and legislation, self-regulation and codes of conduct are still ongoing, as this requires a careful balance between preventing disinformation campaigns and protecting the freedom of speech, as well as distinguishing between illegal online activities and legitimate online campaigning. As of 2019, only a few countries have specific ‘fake news’ legislation in place or have discussed related bills (Poynter Institute 2018).
Box 2.5. Latvia: hack of domestic social media and the role of the disinformation task force
A popular Latvian social network site called Draugiem was hacked on the day of the 6 October 2018 general election. A statement in Russian appeared, saying ‘Comrades Latvians, this concerns you. The borders of Russia have no end’, and was accompanied by images of Russian soldiers in Crimea and Russian military parades in Moscow. The source of the hack was not clear.
Since Draugiem is privately owned, no formal response from state institutions was required. However, Latvia’s disinformation task force felt it was important to ensure the media reported on the incident in a balanced way to avoid a negative public perception of the electoral process. The task force therefore responded in three ways: (a) it asked the cyberagency response team to immediately investigate the hack; (b) it publicly announced that the hack in no way affected the elections; and (c) it communicated upwards to political decision-makers on the risk level, to ensure a measured political response. As a result, the response by traditional media and the public was measured, and the prevailing sentiment was that the country’s electoral system is safe.
Two types of information operations are particularly relevant to EMBs, since they attempt to influence elections. Such operations often utilize online and social media mechanisms to reach voters. First, disinformation can seek to suppress voter turnout, for example through false claims that polling stations are closed or that elections are delayed due to weather, violence and other factors, or claims that votes can be cast online or by telephone where this is not the case (see Box 2.6).
Box 2.6. Canada: domestic threats
In 2011, Canada experienced the Robocall scandal, in which thousands of voters in almost 250 ridings (constituencies) across the country reported receiving automated phone messages falsely telling them that their polling stations had been changed. This information operation aimed to suppress voter turnout. Elections Canada’s investigations found that domestic political actors were responsible. The incident prompted Elections Canada to set up an Electoral Integrity Office to identify domestic and international cyberthreats, assess risks and set up systems to track and prevent cyberattacks by foreign actors, political operatives or individuals who might want to disrupt elections or manipulate the results.
Second, disinformation can also aim to undermine trust in electoral processes, institutions and technologies by spreading rumours of manipulation and malfeasance. Where perceptions of electoral integrity are traditionally high, even pointing to small shortcomings may seriously damage this perception (see Box 2.7).
Box 2.7. Mexico: disinformation about the electoral process
Verificado, a fact-checking initiative for the 2018 elections in Mexico, identified several false claims against the election administration and the electoral process (Verificado 2018). These included misleading instructions on how to mark ballots that sought to invalidate votes, rumours about rules allowing individuals to vote on behalf of deceased relatives, and rumours about inadequate or breached ballot security. National Electoral Institute agreements with technology contractors to protect the election infrastructure against hacking attempts were even misinterpreted as transferring control of the official results system to these private companies and their owners.
Election technologies can become easy targets of disinformation when the public and electoral stakeholders do not fully understand their details. Such disinformation can include unfounded rumours that election technology is insecure and hackable (or has been hacked), exaggeration of minor technical weaknesses and breaches, and other intentional misrepresentation of facts. Creating such perceived cybersecurity risks can potentially be as disruptive as actual cyber interference (see Box 2.8).
Box 2.8. The Netherlands: seeking interagency collaboration when the public is watching
In 2006, the Netherlands was forced to abandon electronic voting just weeks before the general elections after a Dutch white hat hacker group advocating against electronic voting had demonstrated the security risks of the country’s voting computers. Since then, election authorities in the Netherlands have been fighting an uphill battle over the use of any electronic instruments in elections, even after returning to manual voting and counting. In 2017, white hat hackers again claimed that the software that municipalities used to aggregate and calculate election results was insufficiently protected. This led the Minister of the Interior to ban the software two weeks before the elections, despite protests from the electoral commission and municipalities. The episode illustrates the difficulty of maintaining interagency collaboration in the public spotlight.
Overly ambitious, undeliverable election technology projects demanded by electoral stakeholders can lead to undue public expectations. This may prompt parties to wage information battles about the real or perceived strength of the country’s cybersecurity measures. Any poorly implemented or understood election technology can be instrumentalized to deliberately undermine the credibility of an election, and can make the timely conduct of elections impossible due to financial, time or technical constraints.
Attacks designed to leak electoral stakeholders’ confidential information combine hacking attacks and influence operations. EMBs need to be especially aware of the risk of data leaks from stakeholders who have privileged access to election data such as voter registers and/or incomplete election results. Guarding against such election data leaks is one possible area of interagency cooperation and joint countermeasures by EMBs, other government agencies and electoral stakeholders.
Table 2.1. Spectrum of election-related cyberthreats
2.4. Adversaries
In the aftermath of the 2016 US election, many countries perceive foreign states that seek to influence national elections as the main adversaries to cybersecurity in elections. International law also applies within cyberspace; election hacking is legally considered an ‘internationally wrongful act’ and a breach of sovereignty that requires the victim to respond. However, attribution, and obtaining proof that perpetrators are organs of a foreign state, are very challenging. A range of other adversaries may seek to utilize technology to influence election outcomes: domestic political actors as part of an election campaign; hacktivists who promote a political agenda or social change via hacking activities, including by demonstrating their lack of confidence in existing election technologies; and terrorists resorting to cyberoperations.
Adversaries outside the political spectrum include organized crime groups trying to influence elections, cyber criminals attacking systems for financial gain, and individuals and groups that attack systems to demonstrate their skills and gain fame and notoriety.
Depending on their motivation and willingness to resort to illegal methods, computer hackers are often categorized into three groups. Black hat hackers with malicious intent conduct operations for their own gain and to damage their targets. White hat hackers are ethically motivated and operate legally; they are frequently contracted to test systems in order to discover security flaws so they may be addressed. White hat hackers do not exploit or publish weaknesses they uncover before any vulnerabilities are addressed. Grey hat hackers may occasionally break the law, but do not exploit the vulnerabilities they uncover.
Any type of hacker can negatively impact the integrity of elections. Even well-intentioned white hat hackers can cause considerable damage to electoral integrity if they carelessly and irresponsibly publish their findings, for example by doing so too close to an election, with insufficient time to fix flaws, or by exaggerating the severity of discovered weaknesses to garner increased publicity. Hacking events such as the DefCon Voting Village (DefCon 2017; DefCon 2018) in the USA serve as an opportunity to advocate improved election technology, but can also threaten the credibility of elections.
Table 2.2. Adversaries that can negatively impact the integrity of elections
2.5. Mitigation measures
While a detailed account of measures to mitigate cyber-risks goes beyond the scope of this publication, they usually include the following measures.
Securing technology through regular reviews, audits and updates of technology and procedures, which are reinforced with redundant and backup systems. These include securing alternative communication channels for disseminating information, state-of-the-art encryption and identification systems, ‘air gapping’ and isolating critical technology from the Internet as far as possible, and 24/7 monitoring of all critical infrastructure.
Quality control and audits of election procedures at different levels, incorporating redundancies in critical processes such as double data entry and paper- or telephone-based verification, together with efforts to ensure that such procedures are actually implemented.
Managing cybersecurity in the supply chain, including the scrutiny and careful selection of trusted suppliers and vendors.
Investing in human resources, staff training and cyberhygiene; clearly assigning staff roles and responsibilities; adopting a ‘four eyes principle’ to make sure critical processes are never executed by a lone staff member; and background screening of key election staff with administrative access.
Monitoring online conversations on public social media, but also on the dark web, hacktivism forums and other resources for clues of data leaks or planned coordinated attacks.
Establishing criminal liability under the law for election malpractice and manipulation, and prosecuting identified lawbreakers.
Continuous collaboration by maintaining contact with a multitude of actors and establishing internal and public communication early and long before any crisis surfaces.
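Two of the measures above, double data entry with verification and the four eyes principle, can be made concrete for a results aggregation system. The following is an added example, not code from the report or from any EMB: two clerks enter each polling station's tally independently, only stations whose entries agree become part of the verified snapshot, and that snapshot can be released only after two different staff members holding two different roles have approved the exact same content. The role names, station identifiers and tallies are assumed for illustration.

```python
"""Double data entry reconciliation and a four-eyes release gate for results.

Added example (not from the report). Station ids, candidate names, role
names and vote counts are constructed for illustration.
"""
import hashlib
import json


def reconcile(entry_a, entry_b):
    """Compare two independent entries of station tallies.

    Each entry maps station id -> {candidate: votes}. Returns
    (verified, discrepancies): verified holds stations whose two entries
    match exactly; discrepancies lists (station, candidate, value_a, value_b),
    with None where one entry lacks the station or candidate entirely.
    """
    verified, discrepancies = {}, []
    for station in sorted(set(entry_a) | set(entry_b)):
        a, b = entry_a.get(station, {}), entry_b.get(station, {})
        diffs = [(station, c, a.get(c), b.get(c))
                 for c in sorted(set(a) | set(b)) if a.get(c) != b.get(c)]
        if diffs:
            discrepancies.extend(diffs)   # station must be re-entered/checked
        else:
            verified[station] = dict(a)
    return verified, discrepancies


def snapshot_id(verified):
    """Stable hash of the verified tallies, so approvals bind to exact content."""
    canon = json.dumps(verified, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ReleaseGate:
    """Four eyes rule: release needs two distinct users holding the two
    distinct REQUIRED_ROLES, each approving the same snapshot id."""
    REQUIRED_ROLES = ("data_entry_supervisor", "commission_member")  # assumed

    def __init__(self):
        self.approvals = {}  # snapshot id -> {user: role}

    def approve(self, snap, user, role):
        if role not in self.REQUIRED_ROLES:
            return False  # this role may not approve a release
        # Same user approving again (even under another role) still counts once.
        self.approvals.setdefault(snap, {})[user] = role
        return True

    def can_release(self, snap):
        users = self.approvals.get(snap, {})
        return len(users) >= 2 and set(users.values()) >= set(self.REQUIRED_ROLES)


# Constructed sample tallies (not real data): PS-002 has a transposed digit.
ENTRY_A = {"PS-001": {"alpha": 312, "beta": 287}, "PS-002": {"alpha": 198, "beta": 201}}
ENTRY_B = {"PS-001": {"alpha": 312, "beta": 287}, "PS-002": {"alpha": 189, "beta": 201}}


def demo():
    verified, discrepancies = reconcile(ENTRY_A, ENTRY_B)
    snap = snapshot_id(verified)
    gate = ReleaseGate()
    gate.approve(snap, "clerk-1", "data_entry_supervisor")
    gate.approve(snap, "clerk-1", "data_entry_supervisor")  # same person twice
    alone = gate.can_release(snap)                           # still one approver
    gate.approve(snap, "member-4", "commission_member")
    return verified, discrepancies, alone, gate.can_release(snap)


if __name__ == "__main__":
    print(demo())
```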
2.6. The need for interagency collaboration
While adversaries are free to choose any attack vector, defence strategies are much more fragmented. Depending on the country context, some cyberthreats fall under the mandate of various levels of election administration, other threats are the responsibility of other state agencies, some are countered mostly through private sector or political party action and industry self-regulation, and some—especially where technical progress is fast or freedom of speech may be at stake—are not regulated at all. The ensuing network of jurisdictions, competences and responsibilities is what makes a whole-of-government approach and interagency collaboration on cybersecurity in elections essential.
Figure 2.1. Cyber-risks in elections vs. EMB mandate