As identified at the outset of this paper, EMBs increasingly rely on complex technology in electoral
processes. This has created new security challenges related to protection and safekeeping of election
data in digital form and related computerized systems. Most countries now automate and digitalize at
least part of their elections, from the use of e-voting to electronic voter databases. The issues around
cybersecurity in elections are therefore increasingly universal and are becoming more complex.
Adversaries, whether individual or state, find new ways to disrupt election processes, and new
technologies require staff to be trained on how to use them and how to protect data. Even when cyber
defense is perceived as currently adequate, rapid technological innovation means that EMBs should
focus on potential vulnerabilities in the next election, not on vulnerabilities detected in the last one.

Potential vulnerabilities in electoral cybersecurity are not limited to technology, but are also human,
political, procedural, and legal. In this paper, IFES has sought to identify potential exposures and a set of
cross-cutting processes to address security threats holistically. Part of the ambition of this paper is to
bring lessons from the empirical literature together with the understanding of the variegated nature of
cybersecurity threats in elections. While no method or technology is infallible, the HEAT process aims to
secure electoral processes as much as possible against unanticipated threats, illicit incursions, system
failures, human error, perception issues, or unfounded or excessive legal challenges.

To avoid potential legal exposure similar to the 2008 Austrian student elections court challenge, EMBs
and their governments should work together to draft clear election technology legislation and
regulations. The NIST framework is a comprehensive tool to use as a starting point to reduce
technological exposure, and resources such as the UNDP/European Commission’s Procurement Aspects
of Introducing ICTs Solutions in Electoral Processes can help EMBs develop technology more securely and
effectively to avoid political exposure that can lead to a reduction in public trust in the EMB and the
government. Signing and following the principles in the Open Government Declaration can also signal a
clear intent of transparency. The participation of observers can likewise help legitimize an election in the
public’s eyes when it follows sound observation methodologies that account for election technology
platforms and that differ in many ways from traditional observation of paper-based elections. In the future, there
would be value in various international technical assistance providers coming to consensus on IT
governance standards for elections management, along the lines of the Declaration of Principles for
International Election Observation. An alternative approach might be to raise the need for standards in
regional or global EMB associations that currently exist.

Transparent and clear strategies build trust, but they also protect EMBs from blind spots and increase
accountability. Although they are not election-specific, international standards such as the UN General
Assembly Guidelines for the Regulation of Computerized Data Files provide broad data management
principles that place responsibility for data on the persons who collect it, helping protect against
procedural exposure. The guidelines specifically require that data collectors be responsible for ensuring
that the data is accurate, transparently and lawfully collected, properly restricted to avoid
discrimination, securely stored, and lawfully disseminated.

Finally, even more fundamental than best practices is acknowledging the need for those practices, an
essential part of minimizing human exposure. EMBs that understand cybersecurity’s importance will
have more secure elections, whereas others – such as COMELEC in the Philippines, whose commissioner
was forced to resign before he could be impeached for negligence after a data breach – will expose
themselves to threats unnecessarily. Drawing from its experience and expertise, IFES has sought to take
a holistic view of cybersecurity in elections to protect our EMB partners from actual and perceived
technological failures in the electoral process. The HEAT process framework laid out in this paper is
guided by international best practices on data management and cybersecurity, as well as transparency,
open data and privacy. The process can help EMBs and other stakeholders develop the infrastructure
and systems needed to secure the electoral process as technology changes. A thorough HEAT process, as
described in this paper, has significant time and cost implications. However, without such a process in
place, an EMB may experience an electoral crisis that goes well beyond the time and expenses it
would otherwise invest to protect its cybersecurity.