
As Europe Went to the Polls, Cyber Election Efforts Paid Off

The region’s heightened cyber security standards helped secure a continent-wide election that many feared would come under attack

As voters in the European Union parliamentary elections headed to the polls last month, the region’s prodigious focus on cyber security and anti-disinformation issues paid off.

The elections were the first EU-wide poll held in five years. They were also the first to be held in the environment of heightened election security following incidents such as the 2016 hacks on the Democratic National Committee in the United States.

Europe went to the polls as its efforts to protect its elections from cyber meddling reached an all-time peak. Although election-security measures are implemented primarily at the national level, the EU has passed a number of data-protection and digital-security guidelines in recent years. Cross-border networks have been created to share best practices and – in potential crises – quickly exchange information. The elections will be a first key test of how well these measures function in practice.

“What has been done is quite encouraging,” said Patryk Pawlak, Brussels executive officer of the European Union Institute for Security Studies (EUISS). “But until we have a really big crisis where all these policies are tested, we don’t really know.”

Probes and Responses

Like the United States, European countries and political parties have been targeted by repeated hacks and phishing expeditions in recent years.

Denial-of-service attacks targeted two high-traffic electoral websites in the Netherlands in 2017. Similar incidents have struck Bulgaria’s elections oversight body and election websites in the Czech Republic. Emails stolen from (now) French President Emmanuel Macron’s computer systems were published online before France’s 2017 election, while employees of German Chancellor Angela Merkel’s Christian Democratic Union received targeted spear-phishing emails in 2016.

Yet in fact most countries in the EU have kept their distance from digital or automated election technologies.

The Netherlands rejected the use of electronic voting machines in the 2000s, after studies showed they were susceptible to fraud. France temporarily offered overseas citizens the ability to vote online, but withdrew this option following the hacking concerns in the 2016 U.S. election.


The most notable outlier is Estonia, which has offered its citizens the ability to vote online since the 2007 parliamentary elections. While security experts have criticized the implementation, which is based on the same systems used for digital banking, the country’s elections officials have maintained that it is safe.

Learning to work together

EU-level bodies have spent the last several years helping national-level elections authorities modernize their IT systems and security practices.

Early in 2018, a comprehensive set of election guidelines was published that spotlighted critical security practices such as anti-DDoS protections, access control and authentication procedures for election IT systems, digital signatures and duplicate data-entry practices to ensure data integrity, network flow analysis and logging procedures, and network segmentation.

In April, the European Union Agency for Network and Information Security (ENISA) – the EU agency for cyber security – held a cyber security-preparedness war game designed to test these preparations along with countries’ crisis-management plans. The tabletop exercise was aimed both at identifying technical gaps and building bridges between cyber security authorities. Similar exercises have also been conducted within individual countries.

Because most countries still use paper-based ballots, experts note that the digital-security concerns specific to elections are comparatively narrow – though certainly still critical. For example, the integrity of the official results transferred between local polling stations and the central authorities must be protected.

In Estonia, however, citizens can vote either on their own computers or a public PC by using their national ID card and a card reader. The voting application uses the ID card's public key to encrypt the completed ballot. Votes can only be decrypted using a secret key, portions of which are divided between members of the country’s National Electoral Committee, ensuring that no single individual can manipulate results.

By the close of the voting period, no security issues had been reported.

Combatting digital disinformation

Because so many national systems have retained a paper basis, much of the EU’s digital electoral-integrity efforts have focused on the dangers of disinformation and data security.

In October 2018, at the initiative of the European Commission, Facebook, Google and Twitter all signed on to a Code of Practice on disinformation, committing to increase transparency around political and issue-based advertising. Microsoft has also indicated an intention to join. (The companies were compelled to sign the code of conduct to avoid regulatory intervention.)

In its latest response to their monthly filings, EU regulators praised the companies for setting up searchable political-ad databases and for efforts to remove “disruptive, misleading or false” content. However, they noted that Google and Twitter have as yet failed to develop and implement policies for identifying issue-based ads, which they said can be “sources of divisive public debate during elections, hence prone to disinformation.”


In early May, Facebook gave European journalists a rare look inside its Dublin “war room,” where several dozen people have been working to screen hate news and manipulative election-related content.

However, the Avaaz activist group a few weeks later released the results of an independent survey that identified over 500 far-right and anti-EU Facebook pages and groups. The work resulted in the shutdown of pages collectively viewed nearly 6 million times per day, and followed by nearly 32 million people, the group said.

“The most worrying thing is we’ve just scratched the surface,” said Avaaz Campaign Director Christoph Schott in a statement. “There could be much, much more out there.”

Protecting voters’ data against misuse by political parties or other private organizations has also been a strong focus. The EU’s sweeping General Data Protection Regulation covers any processing of personal data by political parties. However, privacy advocates have criticized the fact that several countries have carved out exemptions for political parties.

Next steps: Teaching people to act securely

But even though voting in various EU countries went off without any major hitches, cyber security experts say that vastly more work remains regardless of the outcome, particularly with regard to training the individual staffers who actually handle vulnerable political-party or election-system computers.

“We have not seen much internalization by those at the bottom of the political system with regard to what cyber security is, and how important it can be,” said the EUISS’s Pawlak. “Local staffers are hardly ever provided with training on security, or even sensitized to some of the security threats. That is something that still needs to be done.”


About the Author

John Borland

Journalist

John Borland is a journalist based in Berlin. He has been writing about technology and related topics since the late 1990s.
