Like it or not, it looks as though the UK might sail into a General Election before long. The last one was in 2017 and the cyber threat scene has changed a great deal since then, becoming more sophisticated all the time and, worryingly, potentially even more capable of dodging the digital election security measures put in place to thwart it.
Here's an exploration of the West's voting systems and what's being done to secure them as the US 2020 election looms, we get ready to leave the EU, and our own General Election gets ever-closer.
Hacktivism threatens UK election security
As reported by Business Cloud, a brand new survey reveals an unnerving scenario. It looks like fewer than one in ten Brits believe cybersecurity professionals are 'important to society', but at the same time over 33% of us are worried that hacktivism could disrupt the nation's democratic processes, including General Elections and referenda. There's more. It looks like very few of those asked place much value on cybersecurity as a career.
The disconnect fell out of a 2018-person survey of UK adults from Cyber Discovery, a UK Government programme designed to lure teens into the digital security sector. Apparently just one in five of us thinks the nation is well enough prepared to 'defend itself against future cyber security issues', and 45% don’t think the country has enough cyber security experts to protect us.
These findings clearly reveal a serious gap in people's awareness about what cyber security experts actually do. As a nation there's no way we'll be able to handle the fast-changing digital geopolitical landscape if we can't educate the cyber defenders we need. Right now, there's almost no sense of urgency. And that can only be fixed with education, provided by government and industry, parents and teachers.
Election cyber-security in Europe
Back in February this year ENISA, the EU's cybersecurity agency, made a suite of essential recommendations about EU digital election security. With EU Parliamentary elections coming up, ENISA's opinion paper makes sobering reading.
ENISA has explored cyber-enabled threats in detail, focusing on those that could undermine the EU's democratic processes. Cyber-interference in elections is always a possibility, thanks to widespread use of digital technology to support electoral processes: things like confidential communications between politicians and their parties, campaigns, the electoral register itself, vote counting, and delivering the final results. As Udo Helmbrecht, the Executive Director of ENISA, said in the article:
“As some EU Member States have either postponed or discontinued the use of electronic voting, the risk associated with the voting process can be considered to be somewhat reduced. Nonetheless, the public political campaigning process is susceptible to cyber interference.”
ENISA has already seen past election campaigns compromised by leaked data. They're keen for more Member States and political parties to test election cyber-security and get better prepared. It's also vital for everyone involved to gain a better understanding of possible election-related cyber threats and attacks, and apply tried and tested response plans in case of a data breach.
ENISA's recommendations are designed to improve the cyber security of elections across the EU and help members prepare properly. Here are the most important points:
Members need to consider new national legislation to tackle the challenges 'while protecting to the maximum extent possible the fundamental rights of EU citizens'
Members must continue to actively work together to take down botnets
The EU should consider regulation of Digital Service Providers, social media, online platforms and messaging service providers at an EU level to create a harmonised approach to prevent the undermining of the democratic process
Relevant players should use technology to spot unusual traffic patterns
Election systems should be classified as critical infrastructure
Political organisations should use a high level of cybersecurity
Official channels and tech should be created to spread the news about the results of all this activity
Tech should be used to support and validate the results from vote counting
If websites are involved, DDoS mitigation must be used
The state of election cyber-security in the USA
In the USA, the 2016 election saw Florida, a vital swing state, become a target as the Russians breached two of the state's county voting systems, along with a software vendor. No wonder digital security for the 2020 election is a big concern. FBI director Christopher Wray isn't the only official to predict more foreign interference in the next elections, and Florida is a highly likely target once more.
As a result the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, is encouraging state participation in its cybersecurity programs. Chris Krebs, CISA's director, says that a 'significant amount' of agency effort is being spent raising awareness about ransomware efforts targeting state voter registration databases, and he says his team is 'over halfway there to getting every state signed up for cyber hygiene scanning'.
Krebs' next step is to make sure as many States as possible understand the value of vulnerability disclosure programmes, which have crack teams of security researchers working behind them. As we write, a new batch of American schools, cities, hospitals and more have been hit by ransomware attacks. No wonder more States than ever are coming to CISA for ransomware guidance.
Get your firm ready for a cyber attack-rich future
We've said it plenty of times, and we'll say it again. Right now the best way to stay safe from cyber mischief is to learn about the threats out there and use what you've learned to avoid them. Human error remains the biggest cause of data breaches and digital attacks, which means making sure your employees know exactly what's what can be a business-saver. Walk this way for the UK Government's Cyber Essentials and Cyber Essentials Plus schemes. Let's just hope everyone involved with the next UK General Election knows their cyber-risk stuff!