Drawing on the themes, trends, and approaches that emerged from the literature review, we have
identified five different types of exposure an EMB must consider in its use of data management
technology platforms. These different types or “dimensions” of exposure have informed the
development of IFES’ HEAT process, which is outlined in the next section of this paper.
a) Technology Exposure
Election management systems for various parts of the electoral process are becoming increasingly
automated or digitalized,[1] including voter registration, voter identification and authentication on
Election Day through electronic voter lists (e-poll books), party and candidate registration, and
tabulation of election results, among others. In IFES’ experience, most countries running elections today
have automated and digitalized at least one of these processes, most commonly the tabulation of
results. Unfortunately, there are myriad ways a piece of technology or an entire system can be
misconfigured or compromised, deliberately or otherwise. While there are various applicable
international principles and guidelines, as discussed above, there are usually no country-specific
standards for employing automated or digitalized systems in elections, with some exceptions.[2]
The danger of cyberattacks on EMBs has become ubiquitous, and the level of sophistication of such
attacks varies. Perpetrators range from under-resourced and often young individuals, who want to
commit vandalism, gain notoriety, or make a political statement by defacing an EMB’s website, to
Advanced Persistent Threat (APT) groups, usually cyber offensive groups supported and financed by
states that want to inflict damage during elections or as part of hybrid warfare. Attacks can therefore
range from simple hacks using existing penetration testing tools (for example, Kali Linux)[3] to advanced
exploitation of a hardware or software vulnerability that might not even have been documented before
the attack (known as zero-day exploits).[4]
Wide interconnectivity also creates possibilities for novel attack vectors. In 2016, for example, a botnet82
(Mirai Botnet) was discovered in a small jewelry store, and was eventually found to have compromised
25,000 CCTV cameras globally (Mirai Botnet), raising a concern that certain types of devices can be
compromised even during their production.[6] The so-called Internet-of-Things (IoT) – which is basically
the concept of connecting any device with an on and off switch to the internet or to other devices –
allows for a constant and substantial increase in the number of internet-facing devices that may be ripe
for exploitation by malicious actors.[7] Internet-facing systems with limited capacity that depend on their
own organization’s resources to function and be maintained can also be open to distributed denial-ofservice
(DDoS) attacks. In Estonia in 2007, a DDoS attack nearly shut down internet infrastructure in the
country, while in Kyrgyzstan in 2009, hackers effectively took the country offline after a ten-day DDoS
cyber assault, eliminating 80 percent of the country’s online capacity. DDoS attacks flood the system
with numerous requests from many different locations. Due to limited resources, EMBs typically do not
have the capacity to withstand persistent, powerful DDoS attacks without some external assistance.
DDoS attacks will always be a threat, since they are inherent to the free design of the system. For
example, election results reporting can be targeted by a DDoS attack during election night, when the
interest of election stakeholders peaks in a very short period of time and the impact of denied service
will therefore be significant.
Beyond deliberate attacks, election technologies are also vulnerable to misconfiguration, accidental
misuse, deterioration (especially in transfer or storage), and various types of hardware and software
failure. For example, in the 2013 electoral process in Kenya, a significant number of voter identification
kits suffered battery failures. Election technology may also require back-up satellite coverage in the
event of cellphone or internet failure. It is, therefore, paramount that there are contingency procedures
in place, sometimes requiring reverting back to pen and paper.
b) Human Exposure
The need to protect systems from cyberattacks might be obvious, but it is still off the radar of many
organizations’ decision-makers. A 2018 research survey by PricewaterhouseCoopers (PwC) posited that
almost half of company executives lack an overall information security strategy and that many executives are still beginners in data-use governance.[8] This is typically a problem of vertical disconnect
between decision-makers and IT specialists, and EMBs are no exception. Most EMBs lack a dedicated
cybersecurity officer. Election commission members often do not understand or appreciate the
cybersecurity dangers associated with their decisions. When they do, they may resort to hoping their
systems are obscure, irrelevant, or beyond the reach of hackers. Given how important elections are, this
is a systemic fallacy with dire consequences.
The failure of decision-makers in EMBs to understand the importance of cyber protection usually goes
hand in hand with a lack of basic cybersecurity practices (commonly referred to as cyber hygiene) used
by staff on computers connected to sensitive networks. In some situations, this even extends to IT
staff.[9] Inadequate cyber hygiene may or may not be compounded by a lack of understanding of the
social engineering aspects of a cyberattack. For example, it can require training to understand the
dangers of impersonation during unsolicited communication, as well as the difference between
requested and unsolicited conversation over the phone or other communication channels, such as
emails or chat on social networks.
Three of the major ways in which EMBs are vulnerable to human exposure are phishing attacks,
watering hole attacks, and insider attacks. Phishing attacks are cyberattacks through impersonation or
other fraudulent action, performed to gain access to systems or to some piece of information, such as
passwords. This method of attack was used by Russia in targeting the presidential campaign of Hillary
Clinton in 2016.[10] A phishing attack aimed at specific personnel, such as the most vulnerable staffer who
knows the least about security or exhibits the most lax behavior, is referred to as spear-phishing. Most
adversaries target the weakest link to make such attacks affordable, so high-tech responses aren’t
necessarily the right answer.
If an attack is also aimed at high-level executives or decision-makers, it is commonly known as whaling.
One of the most common attack vectors in spear-phishing is fraudulent emails (also referred to as
spoofing) or clone-phishing (where a legitimate and previously delivered email is cloned and malware
inserted).[11] In case of high-level attacks by advanced hacker organizations, emails are crafted to be
virtually indistinguishable from legitimate intra-institutional emails and may contain links with malware.
Once the victim clicks on the link, the damage may already be done, and it may take substantial effort
and training to remove the malware. Watering hole attacks are where a hacker or hacking group guesses
or observes which websites an organization’s employees often uses and infects one or more of them
with malware in order to ultimately infect the organization’s network.
Insider attacks represent yet another attack vector that can be devastating. If an adversary has physical
proximity to an election system, it may be easier to procure or install a malevolent player inside an EMB,
which can inflict serious damage to election systems. An insider attack may also come from an individual
acting destructively to achieve some political goal. Insider attacks may come from weak physical security
of systems, inadequate vetting of contractors, or even poor hiring and employment practices. A related
problem is the limited pool of experienced IT experts willing to start or continue working for EMBs.
EMBs typically pay salaries comparable to the rest of the public sector, while good IT experts can earn
much more in the private sector. While this may be a problem for any type of expert working with an
EMB, where the responsibility is enormous and wages limited, it is even more so with IT. Incentives must
be considered when evaluating human exposure. A related challenge is the requirement for even
greater openness and transparency to EMB systems and platforms for stakeholders such as observers
and party agents, which as seen in Kenya in 2017 may even be ordered by the courts. This presents even
greater entry points for human mistakes or interference, and argues for a careful security credentialing
process and oversight and monitoring of stakeholder access.
c) Political Exposure
There is no end to the ways in which an EMB can be exposed politically, sometimes by their own action
or inaction, especially in developing democracies where checks and balances may not be in place. It
takes significant time and effort to build trust in elections and the institution running an election but
takes very little to lose that trust. For example, if corruption is alleged during a procurement process for
new election technology, whether proven or not, this can significantly impact public perceptions of the
EMB. Types of political exposure include political influence on EMBs to adopt certain types of election
technology, improper influence over election technology procurement processes, and allegations of
improper technology use that is designed to cast doubt on the institution, process, or outcome.
Procurement of election technology can be particularly fraught, especially as technology vendors access
senior political figures promising an easy fix to integrity issues, or as citizens look to technology for a
solution for perceived failures in the electoral process. This can leave an EMB exposed when they face
pressure to adopt a certain technology or are influenced in the procurement process to use a solesource
procurement or select a preferred provider.
A particular concern in the procurement process is commonly termed “vendor-lock.” As the ACE
Electoral Knowledge Network notes, “[w]here technology is proprietary to a vendor, where data formats
are not open, or when an EMB relies heavily on a vendor for its electoral operations, it risks being locked
into a particular vendor…[a]ny such tie to one particular vendor should be avoided to make sure the
EMB remains in control of the systems it uses and the costs incurred."[12] Beyond being locked into one
vendor, there can be flow-on risks and costs in the vendor relationship that can leave an EMB exposed.
For example, in The Gambia, in response to criticism following the 2011 election cycle, the Independent Election Commission (IEC) contracted an international vendor to centralize and digitize the voter register
into a single national database that promised biometric de-duplication through fingerprint matching.
The 2011 presidential election was held on the basis of the new centralized register. However, given the
specific contractual arrangements and proprietary technology in place with the vendor, the IEC remains
unable to independently perform data queries, updates, or de-duplication. In advance of the 2016
presidential election, the IEC paid the vendor nearly half the cost of the entire election for its assistance
in undertaking The Gambia’s first and only voter registration update since 2011.[13] At a cost of 7.9 Euro
per registered voter (comparatively extremely costly), the IEC recorded 89,649 new entries, and made
no deletions or address changes.[14] It remains unclear whether any de-duplication, the predominant reason to implement biometric technology, was ever performed.[15] This also undermines attempts by the EMB to ensure data security on its servers and safeguard the database from leaving its premises.
Relying on an external vendor can also result in political exposure, opening up the process to
accusations of foreign interference. The Democratic Republic of Congo (DRC) is currently facing
controversy over its procurement of EVMs from a South Korean company, Miru Systems. South Korea’s
National Election Commission has come out against the decision, saying the machines are ill-suited for
the Congolese electoral environment. Opposition in the DRC have objected to the machines too, calling
them “cheating machines,” a clear case of the use of a foreign vendor lowering trust and providing a
pretext for contesting election results.[16] Following the August 2017 presidential election in Kenya,
members of Parliament affiliated with the opposition accused the technology vendor, based in France,
of providing kickbacks to the EMB and ruling party, while “willfully allowing” unauthorized access to its
systems and therefore abetting rigging.[17] At the same time, concerns may be raised around privacy of
citizen data, including biometric information – especially in countries that are collecting voter data and
do not have data protection laws in place, or where data is kept on servers outside the country, raising
the risk that such data could be exploited.
There are a number of countries in which the central election authority is a de facto extension of the
government, regardless of the EMB’s formal status as an independent commission. In countries where
political parties appoint election commission members, the ruling party may have a dominant position.
This can lead to data security breaches, such as breaches of voter registration data stored in the central
election office. If an IT staffer receives an order from a politicized EMB commissioner to copy the entire
voter register onto a USB flash drive, he or she may do it without questioning, fearing repercussion.
Such actions may go unrecorded and ultimately unsanctioned. The HEAT process outlined below would game out these types of risks and make sure this is part of the information and communications
technology (ICT) system protocol so that supervisors automatically get warnings should these types of
cases emerge. IT personnel may also require particular protection from political influence or
interference, compounded by the fact that qualified IT personnel may be difficult to recruit and retain,
as discussed above.
Failures of trust, such as perceived inflation or deflation of voter lists, persist around the world. Apart
from procedural aspects plaguing the accuracy of voter lists, which are categorized herein as procedural
exposure, the electorate may perceive that voter data is not held securely. For example, there might be
rumors that the government is printing fake ID cards to impersonate voters (these voters may be
deceased or residing abroad but still listed on the voter rolls). It is difficult to prove such claims without
conducting a comprehensive audit, but the shadow of doubt may very negatively impact the process.
Finally, the collection and processing of election returns is now semi- or fully automated for EMBs that
use “contained” results management systems. The associated processes may also be burdened by
political considerations. For example, given a choice, EMBs would typically err on the side of protecting
the perceived integrity of election results rather than providing maximum transparency. They may
decide to publish only the summary results and not the full breakdown of results by polling stations. One
example of a practice increasing the transparency of and trust in a system, without compromising
security, is in South Korea. Voters mark physical ballots, which are sealed and transported to a
constituency counting center. There, in front of political party observers, ballots are scanned and
counted using optical scan voting systems. Teams feed ballots into the machines, which then emit stacks
of 100 votes for the same party. These stacks are run through the machine again to be counted, and
observers are present for both processes.[18]
d) Legal Exposure
It is important for primary election legislation to contain provisions enshrining principles governing the
creation, use, processing, and publication of data in elections, without being so prescriptive or opaque
that they create challenges in implementation. Without a clear and implementable legal framework, the
EMB may face legal exposure either in terms of potential lawsuits against different parts of the electoral
process, or with respect to legal restrictions that make the procurement or use of election technology
difficult in practice. For example, the law may be so prescriptive that it requires an EMB to procure and
deploy specific technology platforms within unrealistic deadlines, and this may set the EMB up to fail
well before the election is initiated. Or, as in the case of Kenya, the EMB may be required by law to
submit regulations governing election technology for parliamentary approval, which opens these rules
up to modification by political actors who do not have any practical technical knowledge.[19]
There are also broader principles that should be enshrined in law to avoid political exposure for the EMB
in terms of cybersecurity. For example, if the election law does not clearly establish the independence of
the central EMB and grant the EMB full control over their secretariat, the government, or certain
quarters within it, may be tempted to install its own personnel in key IT positions. Since the issue of
cybersecurity is often considered a matter of national security, there may be situations where the
articles governing national security and EMB independence contradict each other. In terms of
accountability, laws often establish shared responsibility for managing information assets, most
importantly for voter registration data. In countries with passive registration systems, EMBs often
depend on local and state authorities for voters’ citizenship and residency information. Even though the
central election commission may be responsible for the accuracy of voter lists, it cannot fully control the
process. The shared responsibility must be managed properly in the law or run the risk that no one is
held accountable.
In terms of data privacy, the authorities need to make sure that election legislation is harmonized with
data protection legislation or includes articles about the protection of private citizen information,
drawing on international principles. Similarly, important transparency measures should be enshrined in
law, but without being overly prescriptive, and in a way that is supported by time and resources (for
example, adequate provision in the EMB budget). At the time of writing, the opposition party in
Zimbabwe has filed a petition in the Supreme Court seeking to nullify the election result, with one of the
grounds being that the EMB did not release the entire final voter roll on a USB, as the EMB decided not
to include photographs and biometric fingerprints. An EMB might consider their primary role to be
managing elections without irregularities, even at the expense of transparency. As a result, they may
forbid observers from coming too close to data-entry personnel who tabulate election results, whether
for the sake of physical security or a calmer working environment. Even when an EMB wishes to be
more transparent, they may value control over transparency to be safe. If the law establishes that
transparency of information is one of an EMB’s core functions, the EMB will be required to strike a
balance and allow closer access to observers.
There are significant associated costs in ensuring transparency, especially in terms of information
management. For example, if an EMB wants to be transparent about gender-disaggregated polling data,
they need to be able to count and record this information at the polling station level and to publish the
relevant data. This may be more difficult than it seems: some polling officials may fail to record gender
information, or there may be technical challenges in the disaggregation process. An EMB that is legally
required to disseminate this information must have the resources to properly design data-collection
methodologies, train staff, securely store data, and publish information in an accessible format. Pakistan
has recently included the requirement for gender-disaggregated data in its new election rules.[20]
Finally, with respect to legal redress for election irregularities, because the gathering of evidence in
annulment cases, and election cases generally, can be extremely difficult, the role of the election
commission can be of critical importance.[21] In some cases, the EMB will be the only party in a position to investigate irregularities.[22] In other cases, the EMB may be best able to determine the impact of the
irregularity. Unfortunately, modern data management systems may not produce evidence traditionally
accepted in courts or may produce evidence that requires specialized understanding by an adjudicator.
For example, there may be digital data logs showing that an event occurred, but adjudicators would
need to understand how such files could be easily falsified without leaving a trail, or how they can be
signed digitally to clearly establish authenticity. Laws or rules on civil procedure and evidence may not
be appropriately drafted to account for specific evidential needs or timelines for election cases, and this
may ultimately impact the right to redress and the provision of electoral justice.
e) Procedural Exposure
Every EMB has a plan for running elections, but if election commissioners do not understand how
modern data management systems work, there may be a procedural gap. The proper operation of
computerized election systems within an EMB should be formalized through regulations and procedures
prescribing a certain level of detail. The main principles related to functionality, operability, and security
should all be laid down explicitly. Otherwise, critical issues may occur during the run-up to the election.
For example, the design of systems may turn out to be a patchwork of partial plans and there may be
gaps or confusion over who does what and when.
Formalizing election operations into regulations or bylaws increases transparency, as these provisions
are made available to election stakeholders and the public. An EMB that formalizes how they deal with
personal voter data can later be held accountable if they do not follow their own rules. However, EMBs
can be legalistic or risk-averse and may refrain from interpolating the election legislation with more
detailed procedures for fear of being accused of straying outside their remits. Instead, EMBs in many
cases go to the other extreme and simply repeat language of the primary legislation. In some cases, the
government or legislature must approve administrative regulations, and this may impact the quality of
rules adopted. Or, detailed procedures may be developed internally by the EMB but not formalized or
widely published. Such internal procedures are neither transparent nor externally tested, and are often
not under the full control of the commission as the collective and collegial body.
EMBs also typically lack comprehensive cybersecurity strategies. If an EMB does not lay down their
system design in detail, they will not be fully aware of its potential vulnerabilities and the security
assumptions they make. If they do not evaluate potential threats, both internal and external, they will
not be able to prepare themselves for cyberattacks. And if they do not collaborate with external
institutions, such as consulting their country’s CERT organization and data security standards, they may
fail to employ best practices in cybersecurity. After introducing EVMs, the Indian Election Commission
claimed their machines were invulnerable to attacks. When a group of ICT experts published a paper in
2010 arguing that the EVMs were in fact susceptible to cyberattacks, police arrested one of the writers
and researchers, interrogating him over how he had accessed one of the machines (he was released
soon after).
[23] In 2013, the Supreme Court of India validated the experts and ordered the phasing-in of
VVPATs for the machines. VVPATs are now used in Indian elections as a back-up security measure. EMBs
must be aware of the security flaws in their technologies and plan accordingly.
[1] Automation is converting to automatic operation, without the need for human assistance, while digitalization is converting data into a digital form that can be processed by a computer.
[2] In the U.S., the Elections Assistance Commission (EAC) has produced Voluntary Voting System Guidelines (VVSG), which were last updated in 2015, but which are continuously developed. See “Voluntary Voting System Guidelines,” Voting Equipment, U.S. Election Assistance Commission, https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines/. These are a set of specifications for basic functionality, accessibility and security capabilities of voting as well as election management systems. While these guidelines are non-obligatory at the federal level, except those obligations stemming from the Help America Vote Act of 2002, a number of U.S. jurisdictions have adopted them as obligatory or introduced parts of the standards in their state legislation. See “Help America Vote Act,” About U.S. EAC, U.S. EAC, https://www.eac.gov/about/help-america-vote-act/.
[3] Kali Linux, https://www.kali.org/.
[4] There are a number of possible attack vectors from external locations, such as SQL injections, DNS hijacking, cross-site scripting, rootkits, etc.
[5] A botnet is a string of connected computers coordinated together to perform a task. See “What is a botnet?”
Malware, US Norton, 2018, https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html.
[6] Daniel Cid, “Large CCTV Botnet Leveraged in DDoS Attacks,” Sucuriblog, June 27, 2016, https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html.
[7] For example, this number increased by a third from 2016 to 2017. Researchers suggest that the future cyberattacks are imminent and that the IoT devices must be with a patchable firmware. Derek Hawkins, “The Cybersecurity 202: Here’s
what security researchers want policymakers to know about the Internet of Things,” The Washington Post, August
10, 2018, https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/08/10/the-cybersecurity-202-here-s-what-security-researchers-want-policymakers-to-know-about-the-internet-of-things/5b6c6ec91b326b020795603d.
[8] Christopher Castelli, Revitalizing privacy and trust in a data-driven world: Key findings from The Gloval State of Information Security® Survey 2018, PwC, https://www.pwc.com/us/en/cybersecurity/assets/revitalizing-privacy-trust-in-data-driven-world.pdf.
[9] For example, IT specialists may sometimes avoid installing anti-virus software on their workstations only to avoid computation overhead, especially if they have to operate on outdated hardware.
[10] Intelligence Community Assessment, “Assessing Russian Activities and Intentions in Recent US Elections,” January 6, 2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf
[11] Computero, “How Not to Go Phishing,” May 16, 2014, https://computerobz.wordpress.com/tag/clone-phishing/.
[12] ACE: The Electoral Knowledge Network, “Election Technology Vendors,” https://aceproject.org/ace-en/topics/em/emia/emia03.
[13] The vendor provided new hardware (server and 70 laptops) and the assistance of two external experts
[14] For additional information, please see: UNDP and IFES, Getting to the CORE, A Global Survey on the Cost of
Registration and Elections, 2005, http://aceproject.org/ero-en/misc/undp-ifes-getting-to-the-core-a-global-survey-on/view.
[15] IFES Electoral Integrity Assessment, The Gambia, 2017
[16] “South Korea election panel attacks DR Congo voting system,” The Sun Daily, April 10, 2018, http://www.thesundaily.my/news/2018/04/10/s-korea-election-panel-attacks-dr-congo-voting-system.
[17] Patrick Lang’at and Silas Apollo, “Nasa: We don’t want Al Ghurair and Morpho in poll,” Daily Nation, September
18, 2017, https://www.nation.co.ke/news/politics/Nasa-MPs-raise-bribery-claim-in-Kiems-kits-tender/1064-4101748-ev0kq3z/index.html.
[18] Tim Meisburger, “Korean Elections: A Model of Best Practice,” The Asia Foundation, 2016, https://asiafoundation.org/2016/04/20/korean-elections-a-model-of-best-practice/.
[19] Section 44 (5) and section 109 of the Kenya Elections Act, 2011.
[20] Democracy Reporting International, “From Law to Action: Election Reforms in Pakistan,” 2018, https://democracy-reporting.org/from-law-to-action-election-reforms-in-pakistan/.
[21] For a discussion of legal approaches to election annulments, see IFES’ forthcoming paper: “Annulling Election
Results: How Many Irregularities Are Too Many?” http://www.ifes.org/news/annulling-election-results-how-many-irregularities-are-too-many.
[22] To play this role, the EMB must be equipped to properly conduct election investigations within tight timelines, and to handle evidence appropriately to ensure it is admissible. General Comment 31 to the International Covenant on Civil and Political Rights (ICCPR): “Administrative mechanisms are particularly required to give effect to the general obligation to investigate allegations of violations promptly, thoroughly and effectively through independent and impartial bodies.” IFES has outlined key principles for election investigations in a forthcoming publication Standards, Techniques and Resources for Investigating Disputes in Elections (STRIDE).
[23] Matt Ford, “Indian Democracy Runs on Briefcase-Sized Voting Machines,” The Atlantic, April 15, 2014,
https://www.theatlantic.com/international/archive/2014/04/indian-democracy-runs-on-briefcase-sized-votingmachines/360554/.