Analysis | Attacks against elections are inevitable. Estonia has shown that their success is not
Liisa Past and Keith Brown
Kremlin-backed attackers are working to influence the upcoming European Parliament elections, according to FireEye, a cybersecurity firm. A hacking campaign has targeted governments and political organisations as well as think tanks and nonprofits, including prominent ones such as the German Council on Foreign Relations, the Aspen Institute and the German Marshall Fund, as Microsoft has reported.
Potential targets include election technology such as voter lists, computers that tally the votes and websites that report results to the public. But the threats go farther, to cyber campaigns against institutions supporting democratic processes like political parties, think tanks and the media, as well as information warfare targeting public opinion.
Russian interference in the West is not new. The experiences of Estonia, the first country ever to become the victim of a clearly co-ordinated and politically motivated cyber operation, can inform American and European defences of these complex threats.
Together with its neighbors, Latvia and Lithuania, Estonia has won international recognition for the effectiveness of its defences against politically motivated hacking and disinformation, which combine government, industry and public efforts. In the 3 March parliamentary elections, Estonians showcased the confidence they have in their country’s digital security.
This recent Estonian election was largely unaffected by cyberattacks or co-ordinated information operations. Some of the reason is likely because the country and its people have improved their understanding of the problems, and their defenses against it, over the past couple of decades.
Back in 2007, the relocation of a Soviet-era memorial in the Estonian capital Tallinn resulted in public protests and several waves of co-ordinated distributed denial of service attacks. These did not steal citizens’ data, but they did shut down many digital services for a number of hours on each of several days. This highlighted both the public’s increasing reliance on digital technology and the weaknesses of online systems.
The digital systems that Estonian governments and businesses have developed in the years since 2007 are strong, secure and trusted by users, who welcome further digitisation of their lives because it is convenient and safe. Electronic banking systems, digital medication prescriptions, e-schools and thousands of other online services rely heavily on government-backed secure digital identity, a digital population registry and a robust data exchange layer between databases and services.
A key lesson from Estonia is that with so many different threats, no single defence can protect every part of a democratic system and society. Rather, defenders must evaluate what attackers are likely to be after, and what’s at stake.
In 2017, two Estonian government agencies, the State Electoral Office and the Information System Authority (where Liisa Past, a co-author of this article, was chief research officer for cybersecurity) joined forces to comprehensively analyse the threats and risks to local elections. In addition to the technical risks, like failures in connections or flaws in software, the team paid close attention to issues in management as well as the possibilities for information warfare.
The Estonian government engaged in similar analyses in the lead-up to the 2019 elections. In addition, the agencies took a lesson from the French and US experience in 2016 and taught political parties and individual candidates how to protect themselves and their information online.
Similarly, governments across the EU are sharing their best ideas about designing trustworthy election systems. Logging and monitoring network access, for example, can help computer administrators quickly detect and respond to unauthorised activity.
Estonia’s lessons may be useful elsewhere. In the past five years, Russian attacks have targeted both election-specific systems, like the Ukrainian national election commission website in 2014, and the larger public discussion around the election and current political issues.
Online efforts seeking to manipulate people’s views in the run-up to the 2016 Brexit vote, as well as during presidential campaigns in the US and France, are quite similar to Cold War tactics known as “information operations”.
The practitioners use 21st-century tools like social media and automation to plant false stories and exploit social divisions. They don’t necessarily seek to break through network firewalls or compromise any secure government systems, but rather appear to unwitting online audiences as authentic fellow contributors in a free, open debate.
The legitimacy of elections depends on more than just technical security. Elections must also be seen to be free of external influence. Governments should take comprehensive views of their security, and threats to it, accounting for elements as diverse as cyber defences of essential systems and the effects of information warfare on voters.
The response, therefore, has to include open, healthy public debate and media literacy as well as preventing, detecting and mitigating the effects of cyberattacks on the confidentiality, availability and integrity at the very core of democratic systems.