With the European Union Parliament elections just around the corner, the EU Agency for Network and Information Security (ENISA) has released a detailed paper discussing the evolving threat of cyber-attacks on election systems and processes.

European Parliamentary elections are to be held in late May. Notably, this year the European Council agreed at ambassador level to improve EU electoral law and reform laws from the 1976 Electoral Act.

To combat foreign interference such as that witnessed in the US presidential elections in 2016, ENISA is providing guidelines to all election stakeholders.

ENISA, a group of network and information security experts for the EU, helps member states implement relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. The center seeks to enhance existing expertise in member states by supporting development of cross-border communities committed to improving network and information security throughout the Union.

According to the document – Election Cybersecurity: Challenges and Opportunities – a democratic society needs a well-protected election lifecycle, from the maintenance of the electoral register and the public political campaigning process to the actual voting and the delivery of the results. In that respect, ENISA offers the following recommendations to all stakeholders:

- Digital Service Providers, social media, online platforms and messaging service providers are advised to deploy technology that will identify unusual traffic patterns that could be associated with the spread of disinformation or cyberattacks on election processes.
- While it is recognised that some of the above players have agreed to self-regulate and introduce disinformation policies, consideration should be given to regulation of these platforms at an EU level to ensure a consistent and harmonised approach across the EU to tackling online disinformation aimed at undermining the democratic process.
- Member States should continue to actively work together with the aim to identify and take down botnets.
- ENISA supports the general and specific technical proposals to mitigate the risks that are documented in the Compendium on the Cyber Security of Election Technology.
- Developing more exercises aimed at testing election cybersecurity will help improve preparedness, understanding and responding to possible election-related cyber threats and attack scenarios.
- Official channels/technologies for the dissemination of the results should be identified. Additionally, back-up channels/technologies should be available to validate the results with the count centres. Where websites are being used, DDoS mitigation techniques should be in place.
- A legal obligation should be considered to classify election systems, processes and infrastructures as critical infrastructure so that the necessary cybersecurity measures are put in place. A legal obligation should be put in place requiring political organisations to deploy a high level of cybersecurity in their systems, processes and infrastructures.
- Member States should consider introducing national legislation to tackle the challenges associated with online disinformation while protecting to the maximum extent possible the values set down in the Treaty of Lisbon and the Charter of Fundamental Rights of the EU.
- The cybersecurity expertise of the state should be used to assist political practitioners in the securing of their data and their communications. For example, CSIRT expertise can be leveraged to support political parties.
- Political parties should have an incident response plan in place to address and counter the scenario of data leaks and other potential cyber-attacks.
- Increased cooperation and exchange of best practices and experiences between the Member States and at EU-level can contribute to strengthening cybersecurity across the EU, including the cybersecurity of the election process. Member States should also make use of the existing frameworks and structures that are in place.

In a statement on the ENISA website, Executive Director Udo Helmbrecht said some EU members have postponed or stopped the use of electronic voting, slightly reducing the risk to the voting process.

“Nonetheless, the public political campaigning process is susceptible to cyber interference. We have witnessed in the past election campaigning processes being compromised due to data leaks,” he said.

“ENISA encourages the EU Member States and key stakeholders such as political parties to partake in more cyber exercises aimed at testing election cybersecurity in order to improve preparedness, understanding, and responding to possible election-related cyber threats and attack scenarios. These stakeholders should have incident response plans in place, in the event that they become a victim of data leaks.”