Link Search Menu Expand Document
Publications
  1. 4. Operationalizing interagency collaboration
    1. 4.1. Focus areas
    2. 4.2. Setting up and facilitating interagency collaboration
      1. 4.2.1. Challenges and limitations
      2. 4.2.2. Horizontal and vertical approaches

4. Operationalizing interagency collaboration

As part of a more comprehensive government approach to cybersecurity in elections, the key goals of interagency collaboration commonly include: protecting the confidentiality of election-related private data such as voter rolls, emails and internal documents; safeguarding the availability and integrity of election-related technology; protecting the integrity of elections against disinformation campaigns; securing resources, expertise, funding, and institutional and legal backing for the required measures; and strengthening the cybersecurity of electoral stakeholders.

4.1. Focus areas

Specific focus areas of collaboration can include:

  • 1.Organizing interagency communication, starting with compiling a directory of interlocutors and emergency contacts at participating agencies, followed by broad agreements regarding the role, coordination and leadership between these agencies. To reinforce these partnerships, agencies should regularly utilize channels of communication between agencies, including the creation of task forces, working groups and similar collaborative forums. Creating working relationships and building confidence between participating agencies, and overcoming differences between institutional cultures, are just as important as substantive cooperation.

  • 2.Joint risk assessment and situational awareness through a multi-agency led assessment of cyber-risks that includes information exchange, situation reports and the development of a shared understanding of vulnerabilities and how they evolve during and between elections (see Box 4.1). Coordinated media and social media monitoring as well as intelligence sharing by relevant agencies can provide further important inputs.

Box 4.1. Finland: intelligence sharing and situational awareness

Finland’s Legal Register Centre meets at irregular intervals with various agencies. Cybersecurity is only one of the topics covered in these election-related coordination meetings, which establish a continuously updated risk overview and specify appropriate mitigation measures based on threat assessments and intelligence. Cyber-risks are assessed on an ongoing basis and for each election, taking into account recent international developments.

  • 3.Coordinating public communication and providing voter information is a key area of comprehensive protection against cyberthreats. Since actual threats are as relevant as perceived threats, a consistent and coordinated public communication strategy is needed. Public communication should aim to inform voters prior to an election, including by providing accurate and consistent messaging following any incidents.

    The agencies included in this publication vary widely in their communication approaches. Some countries prefer not to give this topic heightened visibility to avoid increasing citizens’ unease, while in others, citizen awareness and a well-informed electorate are seen as the best defence. Regardless of the level of public communication, all related agencies should develop a joint communication strategy and share a common message about threats and countermeasures before (or during) a possible crisis.

    To disseminate important messages in a timely manner, efficient communication channels must be established with the media. This increasingly includes formalized agreements with key social media providers to provide voter information and to make sure disinformation about the electoral process is promptly rectified, including through highly visible announcements from the EMB if needed. For example, in 2018 Mexico’s EMB concluded memoranda of understanding with Twitter and Facebook (INE 2018; El Universal 2018).

  • 4.Creating prevention and response mechanisms based on the established risks. Electoral stakeholders can be supported and advised on preventive measures to protect and mitigate these risks, and to help form contingency plans in case cyberattacks do occur. This may include protocols that stipulate when an EMB escalates incidents to security agencies or political decision-makers. Fast responses to emerging issues, including the efficient adjudication of complaints, are essential to maintaining public trust.

Box 4.2. Estonia: maintaining trust in a highly digitized society

Although Estonia has among the highest levels of digital democracy in the world, its EMB does not consider technology breaches to be a major threat. The country’s small size helps: with only 1.3 million inhabitants, it is relatively easy for Estonian EMB staff to find counterparts from other agencies who can help secure election-related technologies. The EMB considers it more important to maintain its strict political impartiality in order to ensure political parties’ support and voters’ confidence in electronic voting, and to help electoral candidates and young voters use digital technologies responsibly. In a highly digitized society, public trust forms the foundation of cybersecurity.

  • 5.Developing and providing expertise, tools and resources on cybersecurity, including training programmes and guidelines such as the EU Compendium on Cybersecurity in Elections (NIS Cooperation Group 2018) or the US Election Assistance Commission’s resources on Election Security Preparedness (US EAC n.d.).

  • 6.Providing independent assessments and certifications of security measures implemented by the EMB through another state agency (see Box 4.3).

Box 4.3. Ukraine: collaboration between the Central Election Commission and other authorities in certification and monitoring election ICTs

All election-related information systems must undergo state assessment to receive a certificate of compliance before they can be used by the Central Election Commission. The State Service of Special Communications and Information Protection of Ukraine tests the system and assesses its conformity with the terms of reference and information protection requirements. During the operation of these information systems, experts from this agency monitor and protect them from attacks.

  • 7.Conducting scenarios-based joint exercises is a more advanced form of interagency collaboration that only some surveyed countries have in place. These crisis scenario simulations are conducted to test the efficiency of a country’s response capabilities. They are designed to get the relevant agencies to work together cooperatively in response to potential crises, to identify planning and procedural shortcomings, and to collect feedback for further improvement. Tabletop exercises, in which participants discuss their roles and responsibilities in various scenarios, are more cost effective and therefore more commonplace than full-scale real-life simulations of incidents.

Interagency collaboration happens at various levels that mutually build on each other, indicating a progression towards more comprehensive collaboration (see Figure 4.1).

Figure 4.1. Levels of interagency collaboration Figure 4.1 Levels of interagency collaboration

4.2. Setting up and facilitating interagency collaboration

The case study interviews conducted for this publication indicate that many countries are still constructing measures to protect elections against cyberthreats. While they increasingly recognize the importance of interagency collaboration, many are still in the early stages of setting up and utilizing the required mechanisms.

4.2.1. Challenges and limitations

Typical challenges to interagency collaboration include contrasting institutional cultures, especially between EMBs and security services, and therefore a hesitation to collaborate on all sides (see Box 4.4).

Box 4.4. Finland: overcoming cultural barriers between agencies

Working with non-traditional agencies can require as much of an organizational shift as a cultural or even linguistic one. In Finland, the military and security services traditionally consider only military targets to qualify as ‘critical infrastructure’ and therefore require their involvement. When the country decided not to use online voting in 2017 for security reasons, these agencies decided elections no longer fell within their responsibility. Despite the intrinsic cultural barriers between agencies, the Legal Register Centre, the technical arm of the Finnish EMB, reached out to security sector agencies to help them protect other IT processes, such as the voter list and result calculation process. The Cybersecurity Agency and the criminal police proved to be particularly receptive. Since then, the EMB has found that even without the official designation of ‘critical infrastructure’, making the necessary funds available and generating institutional willingness can lead to productive results.

In countries with an independent electoral management model where both the actual and the perceived independence of the EMB is essential, preserving this independence while closely working with security agencies can be challenging (see Box 4.5). In particular, giving other state agencies access to technical election infrastructure for security assessments or requiring security clearances for election workers can become controversial, as this raises the risk of giving the agencies conducting these checks both undue influence over the composition of the election administration and inappropriate access to election data and systems.

Box 4.5. Romania: well-established close cooperation on auditing, but debate about cooperation with intelligence services

Romania’s Permanent Election Authority benefits from well-established and comprehensive cooperation with other state agencies and the private sector. For instance, it cooperated closely with the Computer Emergency Response Team for security audits, and with institutions under the Defence Department that provide secure telecommunication and server infrastructure. The Romanian Intelligence Agency is responsible for ensuring the cybersecurity of all state infrastructure, including for elections. Yet given the agency’s past abuses of power, its cooperation with other state authorities is controversial.

If agencies have limited mandates and jurisdictions, this can also prevent them from fostering closer cooperation. When resources are limited or the risk of political fallout is high, the agencies not directly mandated to be involved in the electoral process may be especially reluctant to prioritize work on electoral cybersecurity.

4.2.2. Horizontal and vertical approaches

Initiating interagency collaboration and overcoming related obstacles can benefit from both horizontal and vertical initiatives.

Box 4.6. Denmark: thinking big, but starting small—informal collaboration as a starting point

Interagency collaboration in Denmark benefited in two ways at its inception: the absence of strong media pressure and a recent budgetary increase allowed it to commence in a trusting atmosphere. Since then, the cross-agency and partly informal nature of collaboration that was subsequently chosen has proven effective. Command chains have been kept short and there has been a high degree of initiative at the operational level. This has allowed for the fast bottom-up presentation of information to the right decision-makers. Having key personnel meet on an ad hoc basis when needed, instead of through formalized protocols or newly established agencies, has ensured continued ownership and a strong willingness to collaborate.

Horizontal approaches involve agencies instigating cooperation on their own initiative, which can lead to lightweight, efficient and pragmatic solutions. Agencies, often EMBs, set up the initial interaction based on specific needs, exchange contact details, convene meetings, facilitate overall trust building and attempt to bridge institutional gaps. Depending on the country context, informal cooperation may jeopardize transparency and have an adverse impact on the perceived independence of the EMB.

Vertical approaches are based on high-level decisions and shaped in legal frameworks and policies. They can solidify existing collaboration and enable interagency collaboration where less formal cooperation reaches its limits—for example if potential partner organizations do not prioritize joining forces or have the mandate to do so. An official whole-of-government backing through cybersecurity policies and designating elections as critical infrastructure can make required additional resources available, and allow minimum standards to be set in highly decentralized election administrations. A downside of this approach may be concerns about and resistance to ‘federal overreach’ in highly decentralized systems, such as in the USA.

Whether a horizontal, vertical or a combined approach is preferable depends on various factors, including the size of the country, the nature of existing personal and professional relations, the level of trust between the agencies involved, perceptions of the EMB’s independence, and the extent to which the regulatory framework supports or prevents collaboration.

Box 4.7. United Kingdom: building collaboration in unique contexts

Establishing interagency collaboration often does not start in a vacuum. In the UK, the Electoral Commission collaborates with three agencies that existed before cyberthreats in elections emerged:

  1. Information Commissioner’s Office—the UK’s main data protection agency;
  1. National Cybersecurity Centre—provides advice and support for the public and private sectors on how to avoid computer security threats (one of the first of its kind in the world); and
  1. Constitution Group in the Cabinet Office—has overall responsibility for policy, legislation and funding for UK-wide elections and other polls.

Collaboration in this uniquely chequered environment does not follow international blueprints but grows organically and strengthens with every election.

Few of the case study countries have officially designated elections as critical infrastructure; the meaning and availability of this designation also varies greatly. Finland, for example, reserved this designation for military contexts. Georgia declared that elections are considered critical infrastructure and required the EMB to significantly upgrade its cyberdefences, but did not allocate additional funds or support (see Box 4.8). In the United States, however, critical infrastructure designation was a decisive factor that facilitated the establishment of closer cooperation among the Department of Homeland Security, local election administrators and the Election Assistance Commission because it allowed Homeland Security to provide support to election administrators. In several countries where elections are not officially designated as critical infrastructure, such as Romania, the involved actors still treat them as such. Other countries, including Australia, are considering classifying elections as national critical infrastructure.

Box 4.8. Georgia: critical infrastructure designation and ISO standards

Georgia has classified elections as critical infrastructure, which requires the Georgian Central Election Commission and other agencies to implement its information security management system by considering ISO 27001 requirements, which entails the establishment of comprehensive control mechanisms. Georgia’s Computer Emergency Response Team collaborated closely with the election commission and supported the CEC in implementing its information security management; the team is also available to respond to election-related cyber emergencies.

Table of Contents

Table of contents