Political parties, please meet cybersecurity

Political parties hold large amounts of private data, their internal communications are highly sensitive, they wield considerable power, and yet they do not seem to take cybersecurity seriously. How do we move forward?

Originally published on balcanicaucaso.org

In early 2019, the European Union’s Agency for Cybersecurity (ENISA) released a set of recommendations for EU-wide election cybersecurity. They focused mainly on three aspects: online disinformation, threats to the digital infrastructure used to manage the voting process, and concerns about the cybersecurity of political organisations and political practitioners.

There is an ongoing and widespread debate about the perils of online disinformation and the possible approaches for dealing with it. It is a vast problem with no easy solution, but by 2020 the question of how to deal with (online) disinformation has become a solid part of the public agenda.

Ensuring that the digital infrastructure needed to manage elections is functional and secure is certainly no easy task, but state authorities have full control over, and responsibility for, all phases of the process. This is by and large a technical and managerial issue to be approached through established procedures and good practices: the EU has released a Compendium on Cyber Security of Election Technology that serves as a useful point of reference, and IDEA has published a report highlighting the importance of inter-agency cooperation in this context. Given ongoing concerns, electronic voting seems unlikely to replace paper ballots any time soon; on the contrary, even countries that introduced paperless voting in the 2000s have since abandoned such initiatives. In brief, while there is still work to be done, there is widespread consensus on how to deal with cybersecurity issues in this context.

Somewhat surprisingly, however, and in spite of high-profile hacks, the cybersecurity of political organisations and political practitioners has not yet become the object of policy debates. Even when such hacks have become part of public debate, the conversation has rarely touched questions of policy: what policies could or should be introduced to mitigate this risk?

The cyber-vulnerability of political parties and political practitioners

The hack of the servers of the Democratic National Committee in the US, as well as the timed release of the private emails of - for example - John Podesta (chairman of Hillary Clinton’s presidential campaign) in 2016 or those of Emmanuel Macron’s electoral campaign team in 2017, have made the news in recent years. While some of these hacks demonstrated a degree of sophistication and were likely the work of state actors, others used more basic techniques. According to the head of the French cyber-defence agency, the hack of Macron’s campaign was “not very technological; […] the attack was so generic and simple that it could have been practically anyone.” Many observers still blame this and other cyber-attacks on Macron’s campaign on Russia; others seem less convinced.

That individuals without large resources or powerful means have been able to access the computer systems of top-tier European political organisations, as happened with Emmanuel Macron’s campaign, does not seem to be an exception, and while past hacks have received significant attention in the news, it is unclear whether anything has been learned from those events. In the run-up to the Italian elections of 2018, Lega’s social media accounts, website, and emails were repeatedly hacked. Surprisingly, Italian and international media largely ignored the news, and did not report in any detail on the trove of more than 20GB of emails belonging to Lega’s campaign staffers and Lega’s regional organisations that could easily be downloaded via torrent and could later be accessed directly on a website reachable via Tor.

The Five Star Movement (M5S), which has been in government since 2018, has long been criticised for its disregard for cybersecurity. Vulnerabilities in the platform used by M5S to take decisions, and evidence that it had very low standards of cybersecurity, hit the news in particular in 2017, when different actors broke into computer systems used by M5S, leading to action by Italy’s Data Protection Authority. Among the issues highlighted in the official report published afterwards, the Authority established that as of 2017 the online platform used by M5S to define and vote on policies (one of the most touted features of M5S) was running on an outdated version of a CMS, first released in 2009 and considered by its own authors unfit for use since 2013.

Both cases demonstrated extremely lax cybersecurity practices that were not promptly fixed even after the incursions were made public. Indeed, even if the hacks of both M5S and Lega were apparently the work of domestic actors, they show that cybersecurity standards are so low that it seems possible, if not likely, that foreign intelligence services may have (or at least may have achieved at some point in time) full access to such data, including the personal communications and private data of thousands of citizens. Fundamentally, it should be stressed that we are aware of the hacking of the computer systems and online communications of political organisations only because the hackers chose to publicise their feat: a foreign intelligence service would mostly have no reason to advertise its access, and would instead continue to quietly read supposedly private communications (a timed release of hacked contents always remains an option).

Do we have reason to believe that other parties in Italy are using computer systems that are any more secure than those of M5S, Lega, the US Democratic Party, or Macron’s staff in France?

How do we move forward?

Responses to hacks of political organisations vary wildly, ranging from mockery of the organisation on the receiving end of the cyber-attack to declarations of concern, in particular if the attack is attributed to a foreign power. Yet the public conversation has not moved on to what seems the logical question when an event threatening the integrity of democratic processes takes place: what should be done to reduce the vulnerabilities that made it possible?

ENISA has three recommendations on this:

  1. A legal obligation should be put in place requiring political organisations to deploy a high level of cybersecurity in their systems, processes and infrastructures.
  2. The cybersecurity expertise of the state should be used to assist political practitioners in securing their data and their communications.
  3. Political parties should have an incident response plan in place to address and counter the scenario of data leaks and other potential cyber-attacks.

As highlighted in a report published by the Carnegie Endowment for International Peace, “the UK National Cyber Security Centre organised technical seminars for campaign staff, released guidance material, and made its experts available to assist political parties with cyber-related problems.” It also suggested that political parties turn to Cyber Incident Response (CIR) certified companies to help them deal with targeted attacks. In 2017 the Belfer Center at Harvard released an accessible guide specifically addressing political organisations, the “Cybersecurity Campaign Playbook”. Big tech companies have shown some readiness to provide additional tools to increase the cybersecurity of campaigners and candidates, with initiatives such as Google’s Protect Your Election.

Available guidance and good practices may be a useful starting point, but more public discussion should focus on how to move forward from the current situation, taking into account the specificities of the countries where the relevant initiatives are to be implemented. The involvement of security services in the cybersecurity measures of political organisations may be welcome in some contexts, while in others it should probably be more discreet, possibly by delegating activities to independent organisations and consultants. New cybersecurity obligations for political parties should probably come with adequate funding to meet them, which is likely to raise debate. Questions of competence, procedures, and resources for the agencies or authorities working in this field should also be raised: if, as happened in Italy, intervention is left to the Data Protection Authority, then that authority should be adequately resourced, and perhaps be given a mandate to intervene before violations of computer systems take place.

Finally, in the case of political organisations and movements, a number of complicating factors make robust cybersecurity practices harder to achieve. For example, some guidelines suggest relying on major vendors such as Google for managing emails and files rather than using self-hosted solutions, which are more difficult to protect: in principle this may well be correct, but relying on the computer systems of US-based tech behemoths may be politically unacceptable for practitioners of various political persuasions. Governments should consider sponsoring security improvements to open source alternatives, and finance more generously initiatives that address the vulnerabilities of software that many of us use on our computers or that is necessary for the functioning of the web infrastructure we all rely on. Besides, even fully formalised political parties, in their daily practice, may resemble loose movements involving a significant number of volunteers more than hierarchical businesses, where a cybersecurity policy can be more easily coordinated and, if necessary, imposed.

Mitigating the cybersecurity vulnerabilities of political organisations and political practitioners is certainly challenging, and is an effort that intersects with debates on privacy and on the cybersecurity of individuals, state authorities, critical infrastructure, and businesses. A combination of factors, however, makes political organisations exceptionally vulnerable to cyber threats. Let’s take this into account, and move forward, one step at a time.

Giorgio Comai
Researcher, data analyst