Elections: what cyber risks are lying in wait?

The number of voters affected by the hacking of the UK Electoral Commission this summer was 40,000. The cyberattackers, who first hacked into the Commission’s servers in August 2021, are believed to have had access to the email system, control systems and copies of electoral rolls for two years.

The prolonged nature of the intrusion and the lack of any demands from the perpetrators suggest that this was a cyber espionage campaign aimed at collecting data on British voters. Although the Commission said that affected voters were not at any personal risk, experts stressed that there was a high probability the hacked data could be used in targeted disinformation campaigns.

Again in August 2023, the Ecuadorian electoral agency – and many voters – bore the brunt of cyberattacks from seven different countries. The incident prevented several Ecuadorian nationals living abroad from voting online and was decried on social networks, even leading to a demonstration in Spain.

Global Affairs Canada (the Canadian ministry responsible for managing diplomatic relations at federal level) reported in early August 2023 that it had detected a new disinformation campaign on Chinese social media site WeChat, targeting Conservative MP Michael Chong. A staunch supporter of the Uighur cause, Chong had already been the target of an intimidation campaign in 2021, revealed in May by the Globe and Mail.

Security flaws and lack of transparency

A few weeks after reporting the cyber incident, the UK Electoral Commission announced that, in 2021, it had failed the Cyber Essentials test, a voluntary programme used to assess an organisation’s preparedness for cyberattacks. Experts interviewed by the media roundly condemned this failure.

“Failing to meet fundamental patching requirements is a pretty good indication that there are deeper problems with management of and investment in information security,” said Steven Murdoch, professor of security engineering at University College London.

The Ecuadorian government has revealed little information about the cyberattacks that took place in August 2023. According to Electoral Council President Diana Atamaint, the cyberattacks came from India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia and China. However, the nature of the cyberattacks and the vulnerabilities the hackers exploited have still not been revealed.

In Canada, suspicions of Chinese interference have been rocking the political boat for several months. Although Canadian Prime Minister Justin Trudeau did expel the Chinese diplomat accused of orchestrating the first intimidation campaign against Michael Chong and his family in Hong Kong, a number of political figures and researchers have accused him of being soft on the issue.

“There is a lot of dissatisfaction within the Canadian Security Intelligence Service (CSIS) with the lack of action by the federal government. After all, they have been sounding the alarm for several years now,” said Guy Saint-Jacques, Canada’s former ambassador to China. Earlier this month, Canada announced it was launching a public enquiry to determine whether China and other countries had interfered in the last Canadian election.

Managing electoral cyber risks: a multifaceted defence

These three cases illustrate the diversity of cyber threats that electoral institutions, stakeholders and processes are facing. Several countries have adopted information technology solutions to streamline processes and simplify how votes are counted. However, this growing dependence on technology increases the risk of theft, sabotage and espionage of data, including sensitive voter data.

Political parties, which hold vast amounts of voters’ personal data in their databases, are also prime targets for cyberattackers intent on getting their hands on this personal information for financial or political ends.

Governments must also mitigate as quickly as possible any vulnerabilities in systems hosting online voting portals, to avoid denying their citizens – including those based abroad – the right to vote.

Foreign interference, on the other hand, is something that also occurs outside election periods, and it can have harmful consequences on how voters feel about electoral integrity. According to a number of experts interviewed by Radio-Canada in the wake of the revelations about Chinese interference in the country, there must be a two-pronged response to interference. Firstly, firm, punitive action against wrongdoers, along the lines of that taken by Australia after the scandal involving Labor senator Sam Dastyari in 2017. And secondly, transparency with the public, who should be informed quickly of any attempt to interfere that jeopardises the integrity of the electoral process.

Finally, it would be difficult to discuss the cyber risks surrounding elections without mentioning the increased risks of disinformation, in particular botnets and misleading content produced and propagated by artificial intelligence. AI-enabled disinformation is more difficult for moderators of online platforms to detect, and there is a risk that it will become even more pernicious in online chat rooms during election periods.