In June 2017, 100 election experts from across the United States penned an open letter to Congress noting that many jurisdictions were “inadequately prepared to deal with rising cybersecurity risks.”[1] This concern is echoed globally, as increasing reliance on complex technology-based systems in electoral processes has left troves of sensitive information potentially vulnerable to adversaries.[2] Experiences in several recent elections around the world highlight threats to cybersecurity, as well as how the implementation of certain electronic data management technologies can impact post-election disputes.[3] However, many Election Management Bodies (EMBs) lack the capacity, resources, or appropriate framework to test whether their data management systems are secure from these vulnerabilities, and to put measures in place well in advance of elections to protect data integrity.
Cybersecurity[4] should be considered and implemented at the inception phase of building or upgrading any technology-based election system, as a key component of digitizing specific elements of election administration. At the same time, international good practice around cybersecurity and open data requires EMBs to act transparently and to ensure election results are verifiable and can ultimately be accepted by the electorate. Therefore, it is important to protect both cybersecurity and transparency in the electoral context – a challenge that is particularly unique to EMBs.[5]
Beyond striking this balance, election administrators must focus on cybersecurity as an ongoing and ever-changing concern. As soon as cybersecurity good practices are developed, they may become outdated, because technology moves forward very quickly, as does the technical expertise of those who seek to find and exploit its vulnerabilities. While it is important to learn from experience, rapid technological innovation means that EMBs should endeavor to secure the next election, not focus on vulnerabilities in the last election. This means identifying potential future vulnerabilities, not only addressing issues that have been identified or exposed in the past.
It also means looking at cybersecurity holistically, as one type of vulnerability may be addressed in isolation while another is exploited instead. Or, different types of cybersecurity exposure may compound to produce a unique vulnerability that can result in significant problems, whether though malpractice (negligence or mistake) or fraud (deliberate exploitation).[6] While existing guidelines
on cybersecurity, discussed in the literature review
below, provide sound guidance on mitigating
technological exposure in elections (for example, by
ensuring sound cyber hygiene practices and
implementing two-factor authentication), they may
not consider other types of exposure, such as
restrictive laws, weak procedures or untrained staff,
that can undercut cybersecurity frameworks and
lead to breakdowns in the electoral process or in
public trust of electoral outcomes.
Given all these considerations, how can EMBs secure systems from technical vulnerabilities that leave
them exposed and may lead to post-election challenges, while at the same time protecting principles of
open data and transparency?
In this paper, the International Foundation for Electoral Systems (IFES) outlines strategies for EMBs to
strengthen their technology and procedures to resist vulnerabilities, by following what we have termed
a Holistic Exposure and Adaptation Testing (HEAT) process. While no electoral process or technology is
infallible, the HEAT process aims to secure automated or digitalized electoral processes – as far as
possible – against unanticipated threats, illicit incursions, system failures, or unfounded legal challenges.
Types of cyber security exposure in elections
Technology Exposure – for example, through hacking or system failure.
Human Exposure – for example, through poorly trained or malevolent officials using data systems
Political Exposure – for example, through improper influence over the procurement process for election technology.
Legal Exposure – for example, through poorly drafted or manipulated laws that restrict EMB independence or leave the process vulnerable to litigation.
Procedural Exposure – for example, through poorly designed procedures that create vulnerabilities in how data is managed in practice.
As the name suggests, the HEAT process focuses on the types of exposure an EMB may face when implementing different types of technology systems (technology, human, political, procedural, political and legal exposure, as summarized in the text box at right). This process encourages a more holistic assessment of what
could go wrong in data and technology management and allows the EMB to identify strategies to reduce
or eliminate different types of exposure in a systematic manner.
Because the HEAT process seeks to provide a holistic approach to cybersecurity in elections, we have
drawn lessons from international principles, election cybersecurity case studies, risk-mitigation
methodologies and technology-related election court judgments. The proposed process is also guided by
international best practices on data management and cybersecurity, as well as transparency, open data
and privacy.
A thorough HEAT process, as described in this paper, has significant time and cost implications.
However, without such a process in place, an EMB may experience an electoral crisis that far exceeds
the time and resources invested in such a risk-mitigation process. It is important to note that a HEAT
process is only suitable for the earlier part of the electoral cycle when there is significant time for the
EMB to implement measures to mitigate identified deficiencies. While the HEAT process itself may be
achievable in a short time period, it is often the case that cyber vulnerabilities cannot be addressed by
“quick fixes,” but require significant lead time to address properly. For example, if certain legal or
procedural vulnerabilities are revealed, several months or more may be required to draft or pass
amendments, or to adjust procedures and then train and publicize new procedures effectively. If a HEAT
process is conducted and reveals vulnerabilities too close to an election to be able to rectify, this could
then have an adverse effect on stakeholder confidence in the electoral process.[7] This is particularly true in environments with pre-existing low trust.
This paper outlines the existing literature on cybersecurity and data protection in elections, including
international standards, good practice guidelines, cybersecurity frameworks, election observer
guidelines, and jurisprudence. This literature is then applied to discuss the various types of exposure
EMBs may face when implementing technology and seeking to protect data and data processing in
elections. This application is important, as while much of the standard-setting is taking place in North
America and Europe, in IFES’ experience many developing democracies outside of these regions are also
considering and using election technologies. Finally, the paper introduces the IFES HEAT process as a
holistic tool for identifying and mitigating different types of cybersecurity exposure in elections.
[1] “Election Integrity Open Letter to Congress,” National Election Defense Coalition, https://www.electiondefense.org/election-integrity-expert-letter/.
[2] Reuters, “Two 11-year-olds altered election results in hacker convention’s replica of U.S. voting system,” CBC,
August 14, 2018, https://www.cbc.ca/news/technology/def-con-hacking-convention-voter-village-1.4784803.
[3] For example, electronic transmission of results at the polling station level or maintenance of national biometric voter registration databases, but also penetration of less high-profile databases such as personnel records for ad hoc staff that could undermine the public’s confidence in the EMB (and its capacity to secure more sensitive databases).
[4] A note on definitions: In this paper, IFES uses the terms ‘cybersecurity,’ ‘data security’ and ‘data protection’ interchangeably, in line with ISO standards and academic literature. See, for example, Basie Von Solms, Rossouw von Solms, "Cyber security and information security – what goes where?", Information & Computer Security, https://doi.org/10.1108/ICS-04-2017-0025 which offers a definition that: "Cyber Security [is] part of Information Security, which specifically focuses on protecting the Confidentiality, Integrity and Availability (CIA) of digital information assets against any threats, which may arise from such assets being compromised via (using) the Internet."
[5] For example, other agencies such as Defense, or institutions such as banks or insurance agencies, can focus primarily on cyber-security without the same transparency concerns.
[6] IFES has defined these terms further in Chad Vickery and Erica Shein, Assessing Electoral Fraud in New Democracies: Refining the Vocabulary, May 2012, http://www.ifes.org/sites/default/files/assessing_electoral_fraud_series_vickery_shein.pdf. Electoral fraud differs from electoral malpractice along several key dimensions. The range of possible actors is wider for fraud, as it can include any person or group with a stake in the election result. This may include voters, political parties, state officials with election-related duties, candidates and the media, in addition to election workers. Malpractice, on the other hand, is largely analyzed in the context of election officials (permanent and ad hoc staff), though other actors (e.g., political parties, the media) can breach their duty of care as it relates to codes of conduct, guidelines, or internationally accepted best practice. The nature of the action and the presence of intent is most significant: fraud is committed deliberately and with intent to interfere with the electoral process (manifested as either an action or an omission, in the case of an actor with official election responsibilities), while malpractice results from carelessness or neglect.
[7] The Venice Commission’s Good Practice in Electoral Matters, http://www.venice.coe.int/webforms/documents/default.aspx?pdffile=CDL-AD(2002)023rev-e, includes a provision that the fundamental elements of the election legislation should not be fundamentally amended one year prior to a forthcoming elections.
