Over 20 EU Member states have together compiled a compendium on cyber security of democratic processes. The document is a broad set of practical and workable measures that can be applied by both election management bodies and cyber security authorities.

“Elections are crucial to the functioning of representative democracy and election processes being compromised can delegitimize a whole political system. At the same time, elections have become an increasingly frequent target in the modern digital era, coming under attack across the globe,” highlights the compendium drafted under the auspices of the Cooperation Group of the Network and Information Security (NIS) Directive.

The guidelines take a comprehensive view of cyber security of elections, starting with candidate and voter registration and ending with broadcasting the results. Cyber-enabled threats, often combined with information operations, must be reflected in election planning and risk management, emphasize the authors. “All elections are expected to be free, open and fair, and based on secret ballot; technology cannot be introduced at the cost of compromising these requirements,” the document highlights. Even electoral systems that exclusively rely on pen and paper in voting can take advantage of digital tools and services in compiling voter rolls, candidate registration or result tabulation and communication, the compendium explains.

The compendium on cyber security of election technology is designed to share experiences and provide guidance as well as give an overview of tools, techniques and protocols to detect, prevent, and mitigate such threats.

It is a broad set of guidelines based on the experiences and best practices of contributors. The cyber security measures it reviews pertain to:

  • the specifics of European Parliament elections, including the communication of results from capitals to the European Parliament;
  • universal development and security principles as applicable to election technology, including testing and auditing;
  • security measures specific to elections;
  • voter and candidate registration and databases;
  • electronic tools used in gathering or aiding the gathering of votes;
  • digital tools to transmit, process and count votes;
  • systems to publish or communicate election results;
  • relevant auxiliary systems and services.

More than 20 EU Member states as well as the European Commission, ENISA and the staff of the European Parliament contributed in an effort led by the Estonian Information System Authority and the Cyber and Information Security Agency of the Czech Republic.

The compendium on cyber security of the election process can be found online here: https://www.ria.ee/public/Cyber_security_of_Election_Technology.pdf