The rise of electronic voting machines and the digitisation of other parts of the election process has brought many benefits to the countries that have adopted them, writes Piers Wilson, Head of Product Management, Huntsman Security
From a reduction in counting time, to increased voter turnout, to reduced costs, to better accuracy. Alongside these benefits there are also increased risks, and none is more worrying than the possibility of an election being compromised through a cyberattack.
Given that free and fair elections are one of the foundations of modern democracy, the thought that these could be subverted by organised cyber criminals or nation states is cause for serious concern. With the US Primaries coming up next year, and the potential of another UK election or referendum, there is no shortage of targets for cybercriminals. Perhaps more worryingly though, the organisations and supply chains involved aren’t necessarily prepared to defend against a complex cyberattack.
A Supply Chain of Vulnerabilities
Part of the challenge that comes with securing an election is the number of organisations involved. From e-voting machine suppliers, to software vendors, to data storage vendors, to adjudicators, to government officials at both regional and state / country level; the number of moving parts make for potential rich pickings. The vulnerability that citizens might be most aware of, particularly in the US, is the use of electronic voting machines, which have proven to be a challenge with the majority of issues attributed to ageing, malfunctioning or mis-configured machines.
Going beyond physical machines, attackers could hamper voter registration efforts, or the services that remote voters rely on to receive their ballots – online or otherwise. With such a large and complex supply chain, hackers could strike anywhere within it, and the risk is that it’s entirely possible that they could do so without being found out. This could lead to illegitimate governments or worse, loss of faith in democracy, caused by the failure of the electoral process.
Secure Upcoming Elections
To defend against this threat, every organisation involved in an election, in even the smallest capacity, must take appropriate security precautions. Given the scale of elections and the importance of them being correctly carried out, a vital step is to have a strategy in place that encompasses rigorous, constantly updated security preparedness with high levels of oversight. This must then be applied across every organisation or government department involved.
The fact is that if an organisation is well prepared, it can react appropriately when an attack does occur. They would do so by identifying any breaches or problems quickly, quarantining the threat and taking the appropriate action to remediate the issue or invoke a contingency.
During an election this could take the form of a partner identifying a hack as it happens, and then ensuring it doesn’t lead to the rest of the supply chain being compromised whilst minimising the disruption it is causing. The longer problems remain undetected, the worse it will be for the legitimacy of the result. In this kind of scenario, timescales of days or weeks are completely unacceptable, citizens won’t react well to being told an election was manipulated weeks or months after results have been announced.
It’s not just speed that is of the essence, throughout the entire election process communication is equally important. Contingency plans depend where and when the attack occurs – from re-arranging voter registration or extending deadlines, to even – in extreme cases – annulling the results of an election or recounting/rerunning ballots where fraud or disruption has been widespread or significant, so as to preserve the overall process. There needs to be a clear chain of command that helps keep everything on track even when attacks are taking place. This might sound extreme, but the examples mentioned above could be what governments will need to deal with in the coming year – let alone the next decade.
With so much of our election process relying on digital technology – even where e-voting machines aren’t used – it is vital that the governments and the organisations involved in the election process are prepared to deal with a cyberattack that aims to undermine an election. We’ve already seen attempts at interfering in elections through the use of targeted social media and fake news, however, a direct attack on the process itself could have far worse outcomes. If contingency plans and defences aren’t already in place, they must be addressed as soon as possible to ensure the best possible chance of being able to keep elections on track.