Securing Democracy in Cyberspace: An Approach to Protecting Data-Driven Elections

Free, fair and anonymous elections are a cornerstone of democracies. The integrity of elections has to be protected against internal and external threats. Securing elections ensures the trust of citizens in the electoral process and its outcome and therefore legitimates actions of the elected government.

Election interference by (foreign) actors is not new. What is new, is that election campaigns and the election process are becoming increasingly digitized and therefore vulnerable to cyber attacks. Through the digitization the attack surface has broadened. Internal party communication, databases of voters that parties and campaign agencies hold and access or information on public websites can become a tool for targeted in election interference.

To protect , we must understand what individual motivation is behind the attack, which tactics are used and which concrete element of the election process is targeted. The paper analyses three aspects and based upon the results, it proposes specific recommendations to protect against election interference. Those recommendations can be adopted by various countries and specifically applied to their unique modern election process and geopolitical situation.

The analysis has identified five specific motivations, which individually or combined are reasons behind election interference.

1. Manipulation of the election outcome
2. Delegitimization of the process and publicly weaken the democratic system
3. Discrediting political actors and institutions to influence citizens
4. Intimidation of states to achieve a certain political outcome in the sphere of international relations and negotiations
5. Weakening the international credibility of certain governments

To achieve those outcomes, attackers use the following tactics:

• Disrupting the availability of data, information and services that are relevant to election campaigns and the election process
• Eroding trust in the election process, attacking election relevant information on for example public websites
• Manipulation of data to change information, for example the election outcome
• Compromising IT-systems to monitor communication and information for future exfiltration or finding additional vulnerabilities
• Leaking confidential data and information to influence citizens
• Persuading citizens of one or another political position through strategic communication (and disinformation campaigns) using exfiltrated data
• Blackmailing candidates or politicians using confidential information or data that were gained beforehand

The analysis of the tactics showed, that different data and information are the target in elections. To determine the means to secure certain data and information, we have categorized them into the following:

• Publicly available data is publicly available information that creates transparency of the election process, for example time and place of elections or the party platform.  
• Personal data is data that is factual and is used to identify a person such as name, address, phone number or biometrical data.
• Self-reported data is information that report about themselves and that describes for example their interests, opinions on certain topics - can also be collected through tracking.
• Governmental data is information that a citizens, usually combined with personal data, use to identify themselves to vote, such as the pass number or driver’s license ID handed out by a governmental entity.
• Confidential communication is data that is not meant for the public such as private email and instant messenger communications
• Security data is data that is used for the protection of system and accounts, such as passwords.

On the basis of the analysis concrete recommendations were developed that states should implement to secure their elections, including building resilience of the democratic society against election interference:

Governments should…

1. set up the foundations for effective implementation of election security. For example they should agree on a definition of what election interference is, make election security a national security priority and enable election security as a public-private-civil partnership goal.
2. set up an organisational structure that makes effective election security possible. For example a cross-governmental task force is one of the proposed actions in this category.
3. create security mechanisms that protect the election infrastructure proactively. Threat analysis but also a strategy that analyses election technology are among the recommendations for effective election security mechanisms.
4. encourage education and training mainly for stakeholders that have an active part in the election process and campaigns. Enough technical expertise needs to be provided to them.
5. make strategic communications towards the public about this new threat a priority. It is important to build resilience and create transparency regarding the election process and security safeguards.
6. work together with other countries on election security, so democracies can help each other by exchanging information and best practices.