With the European Union Parliament elections just around the corner, the EU
Agency for Network and Information Security (ENISA) has released a detailed
paper discussing the evolving threat of cyber-attacks on election systems and
processes.

European Parliamentary elections are to be held in late May. Notably, this year
the European Council agreed at ambassador level to improve EU electoral law and
reform laws from the 1976 Electoral Act.

To combat foreign interference such as that witnessed in the US presidential
elections in 2016, ENISA is providing guidelines to all election stakeholders.

ENISA, a group of network and information security experts for the EU, helps
member states implement relevant EU legislation and works to improve the
resilience of Europe’s critical information infrastructure and networks. The
center seeks to enhance existing expertise in member states by supporting
development of cross-border communities committed to improving network and
information security throughout the Union.

According to the document – Election Cybersecurity: Challenges and
Opportunities – a democratic society needs a well-protected election lifecycle,
from the maintenance of the electoral register and the public political
campaigning process to the actual voting and the delivery of the results. In
that respect, ENISA offers the following recommendations to all stakeholders:

  • Digital Service
    Providers, social media, online platforms and messaging service providers are
    advised to deploy technology that will identify unusual traffic patterns that
    could be associated with the spread of disinformation or cyberattacks on
    election processes.
  • While it is recognised
    that some of the above players have agreed to self-regulate and introduce
    disinformation policies, consideration should be given to regulation of these
    platforms at an EU level to ensure a consistent and harmonised approach across the
    EU to tackling online disinformation aimed at undermining the democratic
    process.
  • Member States should
    continue to actively work together with the aim to identify and take down
    botnets.
  • ENISA supports the
    general and specific technical proposals to mitigate the risks that are
    documented in the Compendium on the Cyber Security of Election Technology.
  • Developing more
    exercises aimed at testing election cybersecurity will help improve
    preparedness, understanding and responding to possible election-related cyber
    threats and attack scenarios.
  • Official
    channels/technologies for the dissemination of the results should be
    identified. Additionally, back-up channels/technologies should be available to
    validate the results with the count centres. Where websites are being used,
    DDoS mitigation techniques should be in place.
  • A legal obligation
    should be considered to classify election systems, processes and
    infrastructures as critical infrastructure so that the necessary cybersecurity
    measures are put in place. A legal obligation should be put in place requiring
    political organisations to deploy a high level of cybersecurity in their
    systems, processes and infrastructures.
  • Member States should
    consider introducing national legislation to tackle the challenges associated
    with online disinformation while protecting to the maximum extent possible the
    values set down in the Treaty of Lisbon and the Charter of Fundamental Rights
    of the EU.
  • The cybersecurity
    expertise of the state should be used to assist political practitioners in the
    securing of their data and their communications. For example, CSIRT expertise
    can be leveraged to support political parties.
  • Political parties
    should have an incident response plan in place to address and counter the
    scenario of data leaks and other potential cyber-attacks.
  • Increased cooperation
    and exchange of best practices and experiences between the Member States and at
    EU-level can contribute to strengthening cybersecurity across the EU, including
    the cybersecurity of the election process. Member States should also make use
    of the existing frameworks and structures that are in place.

In a statement on the ENISA website, Executive Director Udo Helmbrecht said some
EU members have postponed or stopped the use of electronic voting, slightly
reducing the risk to the voting process.

“Nonetheless, the public political campaigning process is susceptible to cyber
interference. We have witnessed in the past election campaigning processes being
compromised due to data leaks,” he said.

“ENISA encourages the EU Member States and key stakeholders such as political
parties to partake in more cyber exercises aimed at testing election
cybersecurity in order to improve preparedness, understanding, and responding to
possible election-related cyber threats and attack scenarios. These stakeholders
should have incident response plans in place, in the event that they become a
victim of data leaks.”