Are the EU Elections 2024 Cybersecure?
State of Play and Recommendations
Summary
This blog post, tailored specifically for you-the election staff, political campaign staff, and political candidates-aims to analyse the security threats related to elections in general and specifically to the forthcoming 2024 European Parliament (EP) elections. The objective of the analysis is multi-fold. First, it will summarise the cyber threats pertinent to the election process – those which could lead to influencing or distorting the elections or the final results of the 2024 EU elections. Second, it will discuss the measures adopted (so far) in preparation for the forthcoming 2024 EU elections. Third, it will offer recommendations for improving the cyber resilience of the 2024 EU elections. The analysis will focus on both strictly cyber-specific threats and broader hybrid threats.
Introduction
In June 2024, EU nationals across all 27 Member states will vote to appoint 716 Members of the European Parliament (MEPs) to represent them in the European Parliament for the period 2024-2029. This will be a critical vote, setting the tone of Europe’s democratic voice in a decade of growing insecurity, in the conventional sense and cybersecurity. The urgency of this topic cannot be overstated, as the very foundation of our democratic process is at stake.
Nonetheless, information security is at the centre of free and democratic societies. The freedom to express ideas and economic stability depend on information security.
While the trustworthiness and integrity of the elections are crucial, they are continuously challenged. Information security measures need to be put in place to preserve genuine, uninterrupted, authentic, and free public debate. Such measures are also needed, for instance, to preserve the availability of public communication channels, vet the authenticity of online identities, and guarantee the privacy of communications.
Electoral cybersecurity also needs attention, as the trustworthiness of the results is crucial, especially if votes are cast online. Election systems need, therefore, to be resilient. Investing in cybersecurity – from awareness campaigns for political leaders and ball out stations’ staff to strengthening the security of systems, networks, devices, and identities – is a top-of-the-agenda priority for the political parties running for the 2024 elections.
The threat landscape
Cybersecurity, defined as the security of ICT systems and networks, has been progressively getting more attention in recent years due to massive and continuous cyber incidents. Cybersecurity was an integral part of the debate surrounding the security of the 2019 EU elections and is thus ever more important today, given the 2024 elections that see increased digitalisation of voting systems, votes cast online, and, last but not least, an evolving threat landscape.
Cyber threats, if not addressed, could significantly impact the registration systems, tamper with voters’ data, block authorities’ servers/websites at critical moments, hack campaigns’ websites and social media accounts, spread disinformation, and tamper with the software for online voting to impact the results. Malicious accounts often spread manipulative and untruthful content through social media networks. The potential consequences are grave, underscoring the urgency of our collective efforts to secure the integrity of the 2024 EU elections.
In our CYEN Predictions for cybersecurity threats in 2024, we identified the top five possible threats that will dominate the year of the EU elections. Four of the five are strictly related to the elections: disinformation campaigns, AI abuse, data breaches, and supply chain attacks.
ENISA identified disinformation as the 2nd most prominent threat and AI abuse as the 10th most prominent threat in its 2030 Foresight Cybersecurity Threats for 2030 report. The 2024 EU AI Act classifies ‘AI systems intended to be used to influence the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda’ as ‘high-risk AI systems’. AI-enabled threats, such as deep fakes, could be used to impersonate political figures with a manipulative intent, multiplying the impact using bot (robot) accounts to facilitate the spread of fake content.
Identity theft of political leaders is also causing concern, as weak passwords for social media accounts lead to easy access and impersonation. This allows malicious actors to spread a “fake” message from the political leaders’ real accounts, reaching a large audience and attention.
Another critical concern is that cyberattacks such as ransomware, malware, phishing, or DDOS do not require sophistication to cause damage and interfere with the election process or results. The lack of cyber awareness and hygiene among political party personnel, campaign organisers, suppliers, and European institution personnel has become a significant threat.
Moreover, in 2022 the European Court of Editors published a Special Report on the cybersecurity of the EU institutions, bodies and agencies, concluding that the level of preparedness did not correspond to the level of threat, that the level of cybersecurity maturity varies between such bodies, and they did not always adopt good practices nor have sufficient support. More recently, POLITICO reported in December 2023 that an internal European Parliament review showed that its cybersecurity “has not yet met industry standards” and is “not fully in line with the threat level” posed by state-sponsored hackers and other threat groups.
Indeed, in February 2024, European Parliament Members and staff in the chamber’s subcommittee on security and defence (SEDE) had their phones hit with intrusive surveillance software tools. In November 2022, the European Parliament systems proved to be an easy target, as an alleged Russian DDOS attack took down its external website. In December 2023 it warned that state-sponsored attacks on the Parliament were becoming more frequent and more sophisticated. And in April 2024, a data breach regarding an external application PEOPLE that supports recruiting non-permanent staff, including MEPs’ assistants, was reported, potentially exposing home addresses, bank details and criminal records of the impacted persons. This is a particular concern as the information could be used for further attacks such as blackmail or identity theft in the runup of the EU 2024 elections. Individual political figures and candidates suffered cyber attacks too, most notably the European Commission President and running 2024 EU Elections candidate Ursula von der Leyen saw her campaign website attached by bots. Such threats and cybersecurity vulnerabilities will continue to be exploited during the 2024 elections and beyond.
Securing the European Elections 2024: the EU measures
The cybersecurity of the networks and systems that might be affected during the 2024 EU elections is crucial. Several steps were taken to address the topic and encourage increased attention to cybersecurity. For instance, in 2024 ENISA updated its Elections compendium, underscoring the crucial need for collaboration and information sharing between all interested parties. This includes identifying the risks and ways to manage threats and crises, providing training, and implementing the necessary technical and organisational measures to secure the elections. Only through collective effort can we effectively combat these cyber threats.
The new Regulation on Cybersecurity at the institutions, bodies, offices, and agencies of the Union, which entered into force in January 2024, with its requirement for an internal cybersecurity risk management, governance, and control framework for each Union entity, is a step in the right direction. It provides an impetus and a framework for better cyber resilience of the EU Institutions. But this will take time.
Yet, these steps focus on the EU’s security and cyber resilience. Individual EU countries’ political parties differ in the level of cyber resilience and relevant support, but all need to adopt security measures to better protect their networks, systems, and—ultimately—the trustworthiness of the EU election process.
This is why we at CYEN are putting forward our recommendations for political parties, campaign managers and staff to consider when addressing cybersecurity risks related to the European elections in 2024.
Recommendations for improving the cyber resilience of the 2024 EU elections
Above all, we recommend that interested parties pay close attention to the cyber threats and develop plans to mitigate their effects on the election process. Specific cyber resilience measures to prioritise include:
Awareness measures
Against this election’s threat landscape, cyber awareness could help identify malicious phishing campaigns, disinformation spread through social media accounts, the truthfulness of news and videos online, and whether they are deep fakes.
Interested parties – political senior staff or campaign managers, for instance – could organise/sponsor the attendance of social engineering campaigns for all staff and third-party suppliers’ staff to identify the existing gaps in cyber awareness in general and in election interference more specifically. The resilience of the whole supply chain needs to be considered and evaluated, including any third-party ICT service provider, e.g., software, hardware, or Internet provider.
Based on the outcome of the social engineering campaigns, we recommend that all staff be empowered to attend cybersecurity awareness courses or exercises specifically focused on election interference threats to raise their level of awareness. These should also include ways of identifying deep fake images, videos and news, for instance.
These awareness campaigns will bring an understanding of the various threats, their sources, and their nature. Staff should be able to differentiate between malware and a ransomware attack, recognise a phishing email, and identify an edited image/video. They need to know how to react in case of an incident and who to contact for help. Understanding the roles and responsibilities of the different cybersecurity authorities, e.g. CSIRT, DPA or law enforcement agencies, are critical to swift mitigation and response to an incident.
Technical measures
Firstly, at the fundamental level – but essential – technical measures to be implemented include using strong multi-factor authentication (MFA) for organisation and personal accounts for emails, social media, sensitive applications, and information systems. Secondly, essential are also strong identity and access management (who has access to which networks? to which shared folders?), system updates (software vulnerabilities are often linked to outdated versions that have not been updated), encryption (for the most sensitive documents, information and data), network segmentation and regular data backups (regular backups are key to preserving the integrity and entirety of data and information). Also, security audits need to be performed regularly to identify the gaps and address them timely. Finally, the resilience of the election systems needs to be tested for vulnerabilities and, consequently, strengthened. A good way of doing this is by performing security, data backup and resilience testing to identify any relevant gaps in the protection systems. Issues and gaps must be managed promptly by applying security patches or extra security measures.
Organisational measures
Campaign organisers are also advised to work with the national intelligence and cybersecurity communities, including the computer incident response teams (CSIRTs) across the EU, for an early warning or identification of threats or intruders. The potential cross-border impact should be evaluated, and national CSIRTs should ensure any potential or practical threats are shared with the EU-wide CSIRT Network without undue delay.
Each campaign needs an incident and crisis management plan and a roadmap of action to prevent, detect, mitigate, and respond in case of a cyber or hybrid attack. The roadmap needs to also include the best practices and lessons learned from the 2019 elections and the work in the other EU countries. Ready-to-use communication plans through which information can be shared during a cyberattack could prevent disaster and facilitate prompt recovery from the attack.
Addressing the multitude of possibilities for breaches prior to the election process commencing would give political parties a significant head start. Malicious actors will always try to meddle with the process, but security measures put into place beforehand will reduce the success rate or impact of such attempts. Adopting cybersecurity measures is a key to achieving trustworthy elections.
Overall, the awareness and technical and organisational measures will help mitigate the risks to which the individual campaigns are exposed. More advice is available on Cyen’s YouTube channel. Cyen has extensive experience and provides cybersecurity awareness, governance, risk and compliance management, and third-party security services. Contact us at info@cyen.eu or book a free meeting with one of our experts here to discuss further or if you need help.
Recent Comments