Attacks against elections are inevitable -- Estonia shows what can be done

No single defense can protect every part of a democratic system and society, so elections officials must evaluate what attackers are likely to be after and what’s at stake.

The Conversation

Kremlin-backed attackers are working to influence the upcoming European Parliament elections, according to cybersecurity firm FireEye. A hacking campaign has targeted governments and political organizations as well as think tanks and nonprofits, including prominent ones such as the German Council on Foreign Relations, the Aspen Institute and the German Marshall Fund, as Microsoft has reported.

These new reports highlight rising fears of digital attacks on democracy around the world, including on the U.S. presidential elections in 2020.

Potential targets include election technology such as voter lists, computers that tally the votes and websites that report results to the public. But the threats go farther, to cyber campaigns against institutions supporting democratic processes like political parties, think tanks and the media, as well as information warfare targeting public opinion.

Old problem of election interference

Russian interference in the West is not new. The experiences of Estonia -- the first country ever victim to a clearly coordinated and politically motivated cyber operation -- can inform American and European defenses to these complex threats.

Together with its neighbors Latvia and Lithuania, Estonia has won international recognition for the effectiveness of its defenses against politically motivated hacking and disinformation, which combine government, industry and public efforts. In the parliamentary elections of March 3, 2019, Estonians showcased the confidence they have in their country’s digital security.

Three days before Election Day, close to 40 percent of those eligible had already cast their vote. Most of those early voters did so online, and 44 percent of the total votes were cast over the internet.

Preparing to defend

This recent Estonian election was largely unaffected by cyberattacks or coordinated information operations. Some of the reason is likely because the country and its people have improved their understanding of the problems, and their defenses against it, over the past couple of decades.

Back in 2007, the relocation of a Soviet-era memorial in the Estonian capital Tallinn resulted in public protests and several waves of coordinated distributed denial of service attacks. These did not steal citizens’ data, but they did shut down many digital services for a number of hours on each of several days. This highlighted both the public’s increasing reliance on digital technology and the weaknesses of online systems.

The digital systems that Estonian governments and businesses have developed in the years since 2007 are strong, secure and trusted by users -- who welcome further digitization of their lives because it is convenient and safe. Electronic banking systems, digital medication prescriptionse-schools and thousands of other online services rely heavily on government-backed secure digital identity, a digital population registry and a robust data exchange layer between databases and services.

These systems also facilitate the digital elements of electionsincluding internet voting.

Comprehensive cyber defenses

A key lesson from Estonia is that with so many different threats, no single defense can protect every part of a democratic system and society. Rather, defenders must evaluate what attackers are likely to be after -- and what’s at stake.

In 2017, two Estonian government agencies, the State Electoral Office and the Information System Authority -- where one of us, Liisa Past, was chief research officer for cybersecurity -- joined forces to comprehensively analyze the threats and risks to local elections. In addition to the technical risks, like failures in connections or flaws in software, the team paid close attention to issues in management as well as the possibilities for information warfare.

The Estonian government engaged in similar analyses in the lead-up to the 2019 elections. In addition, the agencies took a lesson from the French and U.S. experience in 2016 and taught political parties and individual candidates how to protect themselves and their information online.

Similarly, governments across the European Union are sharing their best ideas about designing trustworthy election systems. Logging and monitoring network access, for example, can help computer administrators quickly detect and respond to unauthorized activity.

Understanding the double threat of information operations

Estonia’s lessons may be useful elsewhere. In the past five years, Russian attacks have targeted both election-specific systems, like the Ukrainian national election commission website in 2014, and the larger public discussion around the election and current political issues.

Online efforts seeking to manipulate people’s views in the run-up to the 2016 Brexit vote, as well as during presidential campaigns in the U.S. and France, are quite similar to Cold War tactics known as “information operations.”

The practitioners use 21st-century tools like social media and automation to plant false stories and exploit social divisions. They don’t necessarily seek to break through network firewalls or compromise any secure government systems, but rather appear to unwitting online audiences as authentic fellow contributors in a free, open debate.

Bots’ characteristic behaviors can give them away. Yet there are so many of them that they can crowd out human voices and undermine the democratic principle of real participation by actual people.

Defense in depth

Elections’ legitimacy depends on more than just technical security. They must also be seen to be free of external influence. Governments should take comprehensive views of their security, and threats to it -- accounting for elements as diverse as cyber defenses of essential systems and the effects of information warfare on voters.

It’s a worldwide problem, with Russia exerting influence not just in the U.S. and Estonia but also Egypt, and China attacking Australia’s political system.

The response, therefore, has to include open, healthy public debate and media literacy as well as preventing, detecting and mitigating the effects of cyberattacks on the confidentiality, availability and integrity at the very core of democratic systems.

This article was first posted on The Conversation.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.