Cybersecurity for elections: a Commonwealth guide on best practice
report
posted on 2023-06-09, 21:18, authored by Ian Brown, Chris Marsden, James Lee, Michael Veale
Since the 1990s, internet-connected computers, mobile and ‘smart’ devices have become integral parts of day-to-day life for many in the Commonwealth, including for election-related activities. During each phase of contemporary elections, the direct and indirect use of computers and other technology introduces a range of risks to electoral integrity. These pose threats to confidentiality, integrity, and availability of information and infrastructures concerning votes and voters, candidates and parties, and broader election processes. Canada’s Communications Security Establishment has reported that from 2015 to 2018, it observed more than twice as many digital attacks on democratic processes worldwide, and a three-fold increase in Organisation for Economic Co-operation and Development (OECD) countries. These attacks have come from sophisticated state intelligence agencies, as well as ‘hackers for hire’ and crime gangs targeting organisations for ransoms (as suffered by one Caribbean EMB, which had to pay a bitcoin ransom to regain access to its data). This guide explains how cybersecurity issues can compromise traditional aspects of elections, such as maintaining voter lists, verifying voters, counting and casting votes and announcing results. It also describes how cybersecurity interacts with the broader electoral environment and new ways elections are being carried out, such as campaigns and data management by candidates and parties, online campaigns, social media, false or divisive information, and e-voting. Unless carefully managed, all these cybersecurity issues can present a critical threat to public confidence in election outcomes – which are the cornerstone of democracy. To help Electoral Management Bodies (EMBs) manage cybersecurity risks, this guide describes principles for electoral cybersecurity as well as specific organisational recommendations that can be adapted as required.
It additionally signposts an array of more detailed materials that can help with specific technical, social, or regulatory challenges.