The following is an excerpt from an IFES white paper. The full paper is available in the ACE “Cybersecurity in Elections” Encyclopaedia Topic and on IFES.org.

In June 2017, 100 election experts from across the United States penned an open letter to Congress noting that many jurisdictions were “inadequately prepared to deal with rising cybersecurity risks.”¹ This concern is echoed globally, as increasing reliance on complex technology-based systems in electoral processes has left troves of sensitive information potentially vulnerable to adversaries.² Experiences in several recent elections around the world highlight threats to cybersecurity, as well as how the implementation of certain electronic data management technologies can impact post-election disputes.³ However, many election management bodies (EMBs) lack the capacity, resources, or appropriate framework to test whether their data management systems are secure from these vulnerabilities, and to put measures in place well in advance of elections to protect data integrity.

Cybersecurity⁴ should be considered and implemented at the inception phase of building or upgrading any technology-based election system, as a key component of digitizing specific elements of election administration. At the same time, international good practices around cybersecurity and open data require EMBs to act transparently and to ensure election results are verifiable and can ultimately be accepted by the electorate. Therefore, it is important to protect both cybersecurity and transparency in the electoral context – a challenge that is unique to EMBs.⁵

Beyond striking this balance, election administrators must focus on cybersecurity as an ongoing and ever-changing concern. As soon as cybersecurity good practices are developed, they may become outdated, because technology moves forward very quickly, as does the technical expertise of those who seek to find and exploit its vulnerabilities. While it is important to learn from experience, rapid technological innovation means that EMBs should endeavor to secure the next election, not focus on vulnerabilities in the last election. This means identifying potential future vulnerabilities, not only addressing issues that have been identified or exposed in the past.   

It also means looking at cybersecurity holistically, as one type of vulnerability may be addressed in isolation while another is exploited instead. Or, different types of cybersecurity exposure may compound to produce a unique vulnerability that can result in significant problems, whether through malpractice (negligence or mistake) or fraud (deliberate exploitation).⁶ While existing guidelines on cybersecurity, discussed in the literature review, provide sound guidance on mitigating technological exposure in elections (for example, by ensuring sound cyber hygiene practices and implementing two-factor authentication), they may not consider other types of exposure, such as restrictive laws, weak procedures or untrained staff, that can undercut cybersecurity frameworks and lead to breakdowns in the electoral process or in public trust of electoral outcomes.

Given all these considerations, how can EMBs secure systems from technical vulnerabilities that leave them exposed and may lead to post-election challenges, while at the same time protecting principles of  open data and transparency?

In this paper, the International Foundation for Electoral Systems (IFES) outlines strategies for EMBs to strengthen their technology and procedures to resist vulnerabilities, by following what we have termed a Holistic Exposure and Adaptation Testing (HEAT) process. While no electoral process or technology is infallible, the HEAT process aims to secure automated or digitalized electoral processes – as far as possible – against unanticipated threats, illicit incursions, system failures, or unfounded legal challenges.  

As the name suggests, the HEAT process focuses on the types of exposure an EMB may face when implementing different types of technology systems (technology, human, political, legal and procedural). Because the HEAT process seeks to provide a holistic approach to cybersecurity in elections, we have drawn lessons from international principles, election cybersecurity case studies, risk-mitigation methodologies and technology-related election court judgments. The proposed process is also guided by international best practices on data management and cybersecurity, as well as transparency, open data and privacy.  

A thorough HEAT process, as described in this paper, has significant time and cost implications. However, without such a process in place, an EMB may experience an electoral crisis that far exceeds the time and resources invested in such a risk-mitigation process. It is important to note that a HEAT process is only suitable for the earlier part of the electoral cycle when there is significant time for the EMB to implement measures to mitigate identified deficiencies. While the HEAT process itself may be achievable in a short time period, it is often the case that cyber vulnerabilities cannot be addressed by “quick fixes,” but require significant lead time to address properly. For example, if certain legal or procedural vulnerabilities are revealed, several months or more may be required to draft or pass amendments, or to adjust procedures and then train and publicize new procedures effectively. If a HEAT process is conducted and reveals vulnerabilities too close to an election to be able to rectify, this could then have an adverse effect on stakeholder confidence in the electoral process.⁷ This is particularly true in environments with pre-existing low trust.   

This paper outlines the existing literature on cybersecurity and data protection in elections, including international standards, good practice guidelines, cybersecurity frameworks, election observer guidelines, and jurisprudence. This literature is then applied to discuss the various types of exposure EMBs may face when implementing technology and seeking to protect data and data processing in elections. This application is important, as while much of the standard-setting is taking place in North America and Europe, in IFES’ experience many developing democracies outside of these regions are also considering and using election technologies. Finally, the paper introduces the IFES HEAT process as a holistic tool for identifying and mitigating different types of cybersecurity exposure in elections.

To read the new ACE Encyclopaedia Topic on Cybersecurity, please click here. 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

1. “Election Integrity Open Letter to Congress,” National Election Defense Coalition.

2. Two 11-year-olds altered election results in hacker convention’s replica of U.S. voting system, Reuters, 2018.

3. For example, electronic transmission of results at the polling station level or maintenance of national biometric voter registration databases, but also penetration of less high-profile databases such as personnel records for ad hoc staff, that could undermine the public’s confidence in the EMB and its capacity to secure more sensitive databases.

4. In this paper, IFES uses the terms “cybersecurity,” “data security” and “data protection” inter-changeably, in line with ISO standards and academic literature. See, e.g., Basie Von Solms, Rossouw von Solms, Cyber security and information security – what goes where?, which offers that: "Cyber Security [is] part of Information Security, which specifically focuses on protecting the Confidentiality, Integrity and Availability (CIA) of digital information assets against any threats, which may arise from such assets being compromised via (using) the Internet.”

5. For example, other agencies such as defense, or institutions such as banks or insurance agencies, can focus primarily on cybersecurity without the same transparency concerns.

6. IFES has defined these terms further in Assessing Electoral Fraud in New Democracies: Refining the Vocabulary.

7. The Venice Commission’s Good Practice in Electoral Matters includes a provision that the fundamental elements of the election legislation should not be fundamentally amended one year prior to a forthcoming elections