A better understanding of cyber security is needed in election supply chains if democracy is to be protected.
With Boris Johnson newly installed at No. 10 Downing Street, the thoughts of many people are inevitably turning to whether there will be a General Election in the UK within the next few months.
Future major elections, such as the upcoming 2020 US primaries, are increasingly likely to attract the attention of cyber attackers with a good chance of attacks being successful.
Huntsman Security has warned that, as more and more nations adopt electronic voting machines and online voting, the potential for subversion of the electoral process will increase.
And it’s not just voting machines where the problem lies. The IT systems used for voter registration and election organisation and counting are also open to abuse.
This is not only true at the point of voting but at every point of the supply chain. Every single supplier contributing to an election – from technology providers to local officials – has to be able to resist attack and to guarantee that it has not been compromised.
Managing electoral cyber risks
The likelihood of attack is so high that governments must concentrate not only on prevention, but on reaction. They must ensure that they can detect a successful attack before it does too much damage or undermines the election. And there is a need for clear contingency plans on how to proceed if problems do occur at some point.
“We have seen widespread attempts to manipulate elections and public opinion through hostile media and social media activity, both overt and subtle,” said Piers Wilson, Head of Product Management at Huntsman Security. “However, direct disruption or manipulation of the process itself could cause chaos on a much larger scale.”
“No matter the motives of the attacker, and where the attack occurs, the reaction to any attack is critical. The longer problems are undetected, the worse it will be for the legitimacy of the result. Timescales of days or weeks are unacceptable. Governments need to identify and counter threats in real-time and be certain that every part of the election supply chain is protected.”
What’s the (cyber) problem?
To date, the majority of issues with electronic voting have been attributed to ageing, malfunctioning or mis-configured electronic voting machines. Tests of online voting services have also been hacked.
While attention has focused on these issues, there are many more threats throughout the wider process. For instance, attackers could hamper voter registration efforts, or the services that remote voters rely on to receive their ballots – online or otherwise.
Any organisation involved in an election, from private sector technology providers to government departments or voting organisers, will be seen as a legitimate target for attackers. Some will not be well protected.
Defending democracy from hackers
All organisations involved in an election, in even the smallest capacity, must therefore take appropriate security precautions. This is a large-scale undertaking and it is important to get it right. There needs to be rigorous, constantly updated security preparedness with the right levels of oversight.
If an organisation is correctly prepared it can react appropriately when an attack does occur – identifying any breaches or problems quickly, quarantining the threat, and taking the appropriate remediation or invoking a contingency plan.
Communication is essential as part of this. Contingency plans depend on where and when the attack occurs: from re-arranging voter registration or extending deadlines, to annulling the results of an election where fraud or disruption has been widespread or significant.
“Electronic voting may introduce threats, but this is no reason to abandon the use of technology. Used correctly it can still extend the franchise to more people than ever before and make elections and voting easier for everyone,” Piers Wilson said. “We’ve seen in other industries that having a clear real-time view of cyber security risk exposure is key. This needs to extend into the supply chain, the web of interconnected businesses that support the core activity.”
The operation of voter registration systems depends on technology, as do electronic voting systems. There can even be a technology element to the management of polling booths. It is vital to know how to defend all of these disparate systems.
Democracy is precious. And there will always be people looking to disrupt it. Governments must be able to react swiftly to any attacks, and have the right contingency plans in place to keep the faith of the electorate.