In the context of the upcoming elections for the European Parliament, the EU Agency for Cybersecurity, ENISA, published an opinion paper on the cybersecurity of elections that provides concrete and forward-looking recommendations to improve the cybersecurity of electoral processes in the EU.
ENISA explores cyber-enabled threats, which have the potential to undermine the EU democratic process. Of particular significance is the possibility of interference in elections by cyber means, due to the widespread use of digital technology to support electoral processes in activities such as confidential communications of politicians and political parties, political campaigns, the electoral register, the counting of votes, and the dissemination of the results.
Udo Helmbrecht, Executive Director of ENISA: “As some EU Member States have either postponed or discontinued the use of electronic voting, the risk associated with the voting process can be considered to be somewhat reduced. Nonetheless, the public political campaigning process is susceptible to cyber interference. We have witnessed in the past election campaigning processes being compromised due to data leaks. ENISA encourages the EU Member States and key stakeholders such as political parties to partake in more cyber exercises aimed at testing election cybersecurity in order to improve preparedness, understanding, and responding to possible election-related cyber threats and attack scenarios. These stakeholders should have incident response plans in place, in the event that they become a victim of data leaks.”
An evolving threat is the motivation behind the actors interfering with the due process of elections by cyber means. The motivation for the actors can be manifold, for example for financial gain, fame and reputation, or to provoke chaos and anarchy, undermine trust in democracy, and subvert political opposition.
Through this paper, ENISA puts forward a set of recommendations aimed at improving the cybersecurity of elections across the EU and supporting the Member States in their efforts.
The most important recommendations that ENISA makes are:
- Member States should consider introducing national legislation to tackle the challenges associated with online disinformation while protecting to the maximum extent possible the fundamental rights of EU citizens
- Member States should continue to actively work together with the aim to identify and take down botnets
- Consideration should be given to regulation of Digital Service Providers, social media, online platforms and messaging service providers at an EU level to ensure a harmonised approach across the EU to tackling online disinformation aimed at undermining the democratic process
- The above players are also advised to deploy technology that will identify unusual traffic patterns that could be associated with the spread of disinformation or cyberattacks on election processes
- A legal obligation should be considered to classify election systems, processes and infrastructures as critical infrastructure so that the necessary cybersecurity measures are put in place
- A legal obligation should be put in place requiring political organisations to deploy a high level of cybersecurity in their systems, processes and infrastructures
- Official channels/technologies for the dissemination of the results should be identified, as well as back-up channels/technologies that validate the results with the count centres. Where websites are being used, DDoS mitigation techniques should be in place.