5. Conclusions and recommendations
Electoral cybersecurity is a long-term commitment that requires implementation throughout the entire electoral cycle. The technologies used in elections potentially change with each electoral cycle, and so do adversaries and their tools. Comprehensive electoral cybersecurity therefore requires continuous commitment and resources.
Even countries that use only limited technology in elections face cyber-risks to electoral integrity that require serious consideration. Until recently, the debate on electoral cybersecurity was mostly about electronic voting; countries with paper-based electoral processes considered themselves largely free of the risk of cyberattacks. There is now widespread recognition that virtually all electoral processes involve technology to some degree, including voter, party and candidate registration, result processing and result publication. Each of these processes can become a target unless it is properly assessed for vulnerabilities and secured.
Interagency collaboration is a key element of improving cyber-resilience in elections. Electoral cybersecurity threats transcend institutional mandates. Tackling them often requires resources, information, situational awareness and expertise from multiple agencies. EMBs and other authorities working on elections should therefore consider the various models for interagency collaboration on cybersecurity in elections, such as those described in this publication.
Managing public perceptions of cyberthreats to an electoral process is as important as defending against actual threats. Electoral integrity is entirely conditional on public trust and support. Coordinated external communication is therefore integral to countering any disinformation about the electoral process in order to adequately prepare the public for a potential cyber-related incident and to provide a consistent response if an incident occurs. This publication offers examples of successful models to manage that communication.
Interagency collaboration should be transparent and clearly defined. In order to safeguard the actual and perceived independence of the EMB, interagency collaboration should be publicly explained. It should clearly define where the involvement of non-traditional agencies, such as the security services, begins and ends. This may require legal regulation stipulating the scope and boundaries of collaboration.
International collaboration is needed. Cybersecurity in elections is too complex and fast changing to tackle only at the national level. Countries therefore need to invest in bilateral and international knowledge and information exchange. They should do so both regionally and between regions/continents. This publication has shown that different regions are currently moving at a similar speed in the field of cybersecurity. Their variety of experiences, however, offers important potential for cross-fertilization.
Interagency collaboration should go beyond government agencies. The private sector, political parties, academia, civil society and the media can all play an important role in improving electoral cybersecurity and its public perception. Conversely, actors with an interest or stake in the subject that feel they have no channel to convey their concerns may create additional reputational challenges by leaking information, and possibly exaggerating claims of vulnerabilities. Government agencies should therefore cast their net wide and collaborate with a broad range of non-governmental stakeholders.
Political parties should be made aware of the possibly devastating effects of cyberattacks. Electoral candidates and (particularly small and less resourced) parties are arguably the weakest link in electoral cybersecurity. In some countries, state agencies can provide basic cybersecurity support and advice. At the very least, parties should be informed of their responsibility to protect their infrastructure and government agencies’ limited ability to mitigate the consequences of cyberattacks against parties and their campaigns.
Where spontaneous interagency collaboration is absent, policymakers should consider critical infrastructure designation or other vertical approaches. Some countries have successfully organized interagency cooperation on a largely informal, horizontal basis on the initiative of one or more of the concerned institutions. Especially in (but not limited to) cases in which organic interagency collaboration is absent or has a limited impact, more formal top-down, vertical approaches may be needed to overcome institutional, cultural or administrative barriers to collaboration, to make funding available and to create the required transparency. Recognizing elections as critical infrastructure is one such vertical approach.
Election observers should assess interagency collaboration. Observing cybersecurity in elections should include assessing the level and effectiveness of interagency collaboration, including the involved actors, their responsibilities and the measures taken to protect the independence of the election administration.