Cybersecurity For Elections - Commonwealth Secretariat


Cybersecurity for Elections
A Commonwealth Guide on Best Practice
Commonwealth Secretariat


Commonwealth Secretariat
Marlborough House
Pall Mall
London SW1Y 5HX
United Kingdom

© Commonwealth Secretariat 2020

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or otherwise without the permission of the publisher.

Published by the Commonwealth Secretariat
Typeset by Nova Techset Private Ltd, Bengaluru & Chennai, India
Printed by APS Group

Views and opinions expressed in this publication are the responsibility of the author[s] and should in no way be attributed to the institutions to which [he/she/they is/are] affiliated or to the Commonwealth Secretariat.

Wherever possible, the Commonwealth Secretariat uses paper sourced from responsible forests or from sources that minimise a destructive impact on the environment.

Copies of this publication may be obtained from:
Publications Section
Commonwealth Secretariat
Marlborough House
Pall Mall
London SW1Y 5HX
United Kingdom
Tel: +44 (0)20 7747 6500
Email: publications@commonwealth.int
Web: https://books.thecommonwealth.org/

A catalogue record for this publication is available from the British Library.
ISBN (paperback): 978-1-84929-192-7
ISBN (e-book): 978-1-84859-984-0

Acknowledgments

The Commonwealth Secretariat acknowledges with gratitude the work of Ian Brown, Chris Marsden, James Lee and Michael Veale in developing the guide, as well as the financial support of the United Kingdom Foreign and Commonwealth Office.

The Secretariat also extends its thanks to the Electoral Commission of Ghana, the Election Commission of Pakistan, the Elections and Boundaries Commission of Trinidad and Tobago and the UK Electoral Commission for hosting research visits, and to all the Commonwealth election management bodies who responded to the questionnaire and provided feedback on the drafts.

The authors additionally wish to thank Ross Anderson, Andy Baines, Sonali Campion, Nic Cheeseman, Alex Folkes, Carina Kabajunga and Steven Malby for their detailed feedback on drafts of this guide. Any errors and omissions remain their own responsibility, and can be notified to electoral.network@commonwealth.int for future updates.

Contents

Acknowledgments iii
List of Figures vii
List of Boxes ix
Abbreviations and Acronyms xi
About the Authors xiii

1 Introduction 3
1.1 The increasing vulnerability of electoral systems 3
1.2 The electoral cycle 6
1.3 The Commonwealth context 8
1.4 Relevant organisations and regulatory frameworks 9
Notes and references 19

2 Cybersecurity Across the Electoral Cycle 25
2.1 Election activities across the electoral cycle 26
2.2 Overarching features of direct threats 29
2.3 Planning and logistics 34
2.4 Electoral rolls 36
2.5 Campaigning 43
2.6 Voting 45
2.7 Communication of results 65
2.8 Auditing and challenging results 71
Notes and references 73

3 Overarching Best Practices for Secure Elections 81
3.1 Holistic action 83
3.2 International co-operation 86
3.3 Cybersecurity risk management 90
3.4 Privacy and data protection 106
3.5 Electoral campaigns, interference and disinformation 111
Notes and references 126

4 Principles and Recommendations 135
4.1 Democratic self-determination 135
4.2 International law and co-operation 136
4.3 Strengthening the use of ICTs for elections while enhancing their security 139
4.4 Non-discrimination 142
4.5 Conclusion 143
Notes and references 144

List of Figures

Figure 1.1 Threat activity targeting democratic processes observed by Government of Canada, Communications Security Establishment (CSE) 4
Figure 1.2 International IDEA’s levels of multiagency collaboration 12
Figure 1.3 Ghana’s National Communications Authority advertises its anti-spam SMS service 13
Figure 1.4 Proportion of respondent Commonwealth countries modernising electoral legislation for cybersecurity threats 15
Figure 2.1 Cyber threats to global democratic processes, observed by Government of Canada, Communications Security Establishment (CSE) 26
Figure 2.2 The electoral cycle as presented by International IDEA 27
Figure 2.3 Centralised vs decentralised voter registers in respondent Commonwealth countries 37
Figure 2.4 South Africa’s voting, counting and results announcement process 46
Figure 2.5 Indelible ink mark made on a South African voter’s thumbnail during the 2009 election 47
Figure 2.6 Use of biometric identification by respondent EMBs 51
Figure 2.7 USA vote casting and counting systems by county in 2016 54
Figure 2.8 Types of voting employed across respondent Commonwealth countries 56
Figure 2.9 Proportion of respondent Commonwealth countries where non-residents can vote 58
Figure 2.10 Respondent EMB use of social media 70
Figure 3.1 Proportion of respondent Commonwealth EMBs which have a partnership with the national cybersecurity centre or CSIRT 92

Figure 3.2 Proportion of respondent Commonwealth EMBs which have internal cybersecurity teams 95
Figure 3.3 Proportion of respondent Commonwealth EMBs who have commissioner or board-level cybersecurity representation 96
Figure 3.4 Phases of the IFES HEAT Process (Holistic Exposure and Adaptation Testing) 99
Figure 3.5 Proportion of EMBs which have used international standards (such as those developed by ISO, IEE, the UN, OAS, etc.) in the development of policies, regulations or processes for elections cybersecurity 103
Figure 3.6 UK Member of Parliament warns of electoral disinformation spreading via WhatsApp during the 2019 general election 113
Figure 3.7 Reported cases of electoral misinformation on social media platforms in respondent Commonwealth countries 114
Figure 3.8 Twitter warns against use of its services to manipulate or interfere in elections 115
Figure 4.1 Pakistan’s legal requirement for special measures to register women voters 142

List of Boxes

Box 1.1 Models of interagency collaboration 11
Box 1.2 International co-operation by Ghana 14
Box 1.3 Ghana’s National Cyber Security Centre 16
Box 1.4 Trinidad and Tobago’s Computer Security Incident Response Team (TTCSIRT) 16
Box 1.5 Commonwealth countries with reported (or proposed, limited or largely uncommenced) data protection or privacy laws 18
Box 2.1 Aspects of the electoral cycle vulnerable to cybersecurity risks 27
Box 2.2 Targeted confidentiality attacks on political parties and campaigns 29
Box 2.3 Canadian 2011 robocalling scandal 31
Box 2.4 SMS look-up of polling station location in Pakistan 35
Box 2.5 Electoral roll integrity in Pakistan 40
Box 2.6 Voter registration and availability attacks in the UK 42
Box 2.7 Microtargeting and Cambridge Analytica 44
Box 2.8 Biometric voter verification trials in Pakistan 49
Box 2.9 Stolen biometric voter registration kit in Malawi 52
Box 2.10 The interaction of electronic voting machines and fraud in India 52
Box 2.11 India’s electronically transmitted postal ballot system 57
Box 2.12 Internet voting trials in Pakistan 60
Box 2.13 Vote counting and collation in Ghana 66
Box 2.14 Results transmission in Pakistan 68
Box 2.15 Results reporting in India 70
Box 2.16 Independent audits of South African elections 72

Box 3.1 Risk management tools and approaches 82
Box 3.2 Cross-government decision-making in Trinidad and Tobago and Ghana 84
Box 3.3 New Zealand cross-agency working 85
Box 3.4 Ghana’s media environment 86
Box 3.5 OAS preliminary audit of the Bolivian presidential elections on 20 October 2019 88
Box 3.6 US Department of Justice press release on 2020 election security, 5 Nov 2019 93
Box 3.7 Ghana cybersecurity training initiatives 94
Box 3.8 The UK Cyber Essentials scheme 97
Box 3.9 Commonwealth EMB use of cloud computing 101
Box 3.10 ISO/IEC 27000 and other security certifications 102
Box 3.11 NIS election exercise objectives 104
Box 3.12 South Africa’s strategic security focus 105
Box 3.13 Structure and provisions of data protection law 106
Box 3.14 Ghana’s approach to voter education 113
Box 3.15 Social media tracking centre during 2016 Ghana elections 115
Box 3.16 Singapore’s Protection from Online Falsehoods and Manipulation Act 2019 117
Box 3.17 Social media codes of conduct and reporting in Commonwealth countries 118
Box 3.18 Excerpt from the Joint Declaration on Freedom of Expression and ‘Fake News’ 122
Box 3.19 The EU Code of Practice on Disinformation 123
Box 3.20 Mozilla Foundation recommendations on political advertising archives 124
Box 3.21 NATO Strategic Communications Centre of Excellence Recommendations 125

Abbreviations and Acronyms

AI artificial intelligence
API application programming interface – allows one piece of software to send and receive data to another and request it to take actions
CERT computer emergency response team
CNI critical national infrastructure
CRA communications (including broadcasting) regulatory authority/agency
CSIRT computer security incident response team
DDoS distributed denial of service – a type of online attack where a site and its ISP are flooded with traffic from other devices across the internet, slowing down or stopping the site from responding to legitimate users
DPA data protection authority (or commission), referred to in some countries as an information or privacy commissioner, responsible for enforcing data protection and privacy laws
DRE direct recording electronic (machine) – a type of voting machine that records a voter’s choice in a polling station
EMB electoral management body
EVM electronic voting machine
FIRST Forum of Incident Response and Security Teams, a global non-governmental association of computer emergency response teams
GDPR The European Union’s 2016 General Data Protection Regulation
GIS geographic information system – computer tool used to manage and visualise geographical data, such as constituency boundaries
ICCPR International Covenant on Civil and Political Rights, a core UN human rights treaty
IDEA International Institute for Democracy and Electoral Assistance, an intergovernmental organisation with 33 members

IFES International Foundation for Electoral Systems
ISO International Organization for Standardization
ISP internet service provider
ITU International Telecommunication Union, United Nations treaty body for communications
NADRA National Database and Registration Authority (Pakistan)
NATO North Atlantic Treaty Organisation, defensive alliance with several Commonwealth countries as members
NCSC national cyber security centre (or authority) – increasingly common national governmental institutions, for example UK’s National Cyber Security Centre
NIS network and information security
OAS Organization of American States
OECD Organisation for Economic Co-operation and Development – an intergovernmental economics ‘think tank’ with 36 members
OSCE Organization for Security and Co-operation in Europe
RTS Results Transmission System – used to digitally transmit provisional election results from polling and counting centres to Electoral Management Body headquarters
SIDS small island developing states
SMS short message service – short text messages sent between mobile phones; used, for example, in Pakistan to provide voters with details of their polling station, and in some multifactor authentication systems
VVPAT voter verifiable paper audit trail

About the Authors

Ian Brown is visiting CyberBRICS Professor at Fundação Getulio Vargas in Rio de Janeiro, and an ACM Distinguished Scientist. He was previously Senior Fellow at Research ICT Africa; Principal Scientific Officer at the UK government’s Department for Digital, Culture, Media and Sport (DCMS); Professor of Information Security and Privacy at the University of Oxford; and a Knowledge Exchange Fellow with the Commonwealth Secretariat and UK National Crime Agency. His books include Regulating Code: Good Governance and Better Regulation in the Information Age (with Christopher T Marsden) and Research Handbook on Governance of the Internet. His 2001 PhD in computer and communications security is from University College London (UCL).

Christopher T Marsden has been Professor of Internet Law at the University of Sussex since 2013, and Founder-Director of the Centre for Information Governance Research @SussCIGR. He was formerly Professor of Law at Essex University, having previously taught and researched at Warwick University, the University of Oxford and the London School of Economics (LSE). He is author of five monographs on Internet law: Network Neutrality: From Policy to Law to Regulation; Regulating Code; Internet Co-regulation: European Law, Regulatory Governance and Legitimacy in Cyberspace; Net neutrality: Towards a Co-Regulatory Solution; and Codifying Cyberspace.

James Lee is a Senior Policy Adviser at the Department for Digital, Culture, Media and Sport (DCMS), where he has been leading work on online content policy, and to ensure regulators are equipped for a digital age. He draws on five years of experience in technology policy, notably working for the UK’s national technology trade association to represent its members’ interests in cyber and national security; here he authored an exploratory report, Playing Catch Up: Incorporating Distributed Ledgers into the Technology Stack and Repurposing the Wider Ecosystem. He holds a degree in International Relations from the University of St Andrews.

Michael Veale joined UCL’s Faculty of Laws as Lecturer in Digital Rights and Regulation in 2019. He holds a PhD in the application of law and policy to the social challenges of machine learning. He previously worked at the European Commission and holds degrees from Maastricht University and the LSE. Since 2019, Dr Veale has also been Digital Charter Fellow between the Alan Turing Institute, the UK’s National Centre for AI and Data Science, and DCMS. He has authored and co-authored reports for a range of organisations, including the Law Society of England and Wales on algorithms in the justice system, the Royal Society and British Academy on the future of data governance, and the United Nations on artificial intelligence (AI) and public services.

Chapter 1 Introduction

1.1 The increasing vulnerability of electoral systems

Since the 1990s, internet-connected computers, mobile and ‘smart’ devices have become integral parts of day-to-day life for many in the Commonwealth, including for election-related activities.

During each phase of contemporary elections, the direct and indirect use of computers and other technology introduces a range of risks to electoral integrity. These pose threats to confidentiality, integrity, and availability of information and infrastructures concerning votes and voters, candidates and parties, and broader election processes. Canada’s Communications Security Establishment has reported that from 2015 to 2018, it observed more than twice as many digital attacks on democratic processes worldwide, and a three-fold increase in Organisation for Economic Co-operation and Development (OECD) countries (see Figure 1.1).1 These attacks have come from sophisticated state intelligence agencies, as well as ‘hackers for hire’2 and crime gangs targeting organisations for ransoms (as suffered by one Caribbean EMB, which had to pay a bitcoin ransom to regain access to its data).

This guide explains how cybersecurity issues can compromise traditional aspects of elections, such as maintaining voter lists, verifying voters, counting and casting votes and announcing results. It also describes how cybersecurity interacts with the broader electoral environment and new ways elections are being carried out, such as campaigns and data management by candidates and parties, online campaigns, social media, false or divisive information, and e-voting. Unless carefully managed, all these cybersecurity issues can present a critical threat to public confidence in election outcomes – which are the cornerstone of democracy.

Using digital technology during polling and counting also means that reliable electricity supplies are needed at polling stations and counting centres (with expensive backup facilities), and in some cases (such as checking voter records against remote databases, updating shared lists of individuals that have voted, and reporting preliminary counts remotely), functioning telecommunications links are needed as well. These can by no means be taken for granted in any Commonwealth country – and are another target for both sophisticated and basic attacks.

Figure 1.1 Threat activity targeting democratic processes observed by Government of Canada, Communications Security Establishment (CSE) [chart: percentage of targeted democratic processes by year, 2016–2018, plotted for Worldwide and OECD Countries]

To help electoral management bodies (EMBs) manage these risks, this guide describes principles for electoral cybersecurity, as well as specific organisational recommendations that can be adapted as required. It additionally signposts an array of more technically detailed materials that can help with specific technical, social or regulatory challenges.

Cybersecurity covers the broad range of technical, organisational and governance issues that must be considered to protect an information system against accidental and deliberate threats. It goes well beyond the details of firewalls, anti-virus software and similar technical security tools. This breadth is captured in the widely used International Telecommunication Union (ITU) definition:

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.3

The importance of cybersecurity has increased as so many government, business and day-to-day activities around the world have moved online – including election management. But especially in emerging economies, ‘[m]any organizations digitizing their activities lack organizational, technological and human resources, and other fundamental ingredients needed to secure their system, which is the key for the long-term success’.4 Although ‘[o]ne of the claims made for digital technology is that it can strengthen electoral processes in countries where state and electoral management bodies have limited capacities’, ‘ensuring that such technology is properly used is far from straightforward additional timelines and training requirements, not greater simplicity, are often the corollaries of digitization’.5

Cybersecurity of elections includes issues concerning electronic voting infrastructure, but is not limited to that alone. For example:

• In the US state of Georgia, a security researcher found a vulnerability that allowed him to download and potentially alter the register of 6.7 million voters on an insecure election server, as well as instructions and passwords for election workers to log in to systems used to verify voters on election day.6
• During the 2016 elections in France, the USA and Germany, hackers released information such as internal e-mails stolen from political parties and candidates in an attempt to damage their credibility – with serious allegations of the involvement of other countries.7
• Foreign organisations have been accused of planting and facilitating the spread of misleading and inaccurate information on social media in the run-up to recent elections.
• Journalists and electoral observers are core parts of oversight in electoral systems, but are also personally and organisationally vulnerable to cybersecurity threats.

This guide gives decision-makers in Commonwealth EMBs and related government organisations the information they need to understand and manage these risks. I

