An increasing number of EU citizens are concerned about the manipulation of elections through cyberattacks and malicious interventions, according to figures published on Monday (26 November).
The first results of the Eurobarometer study on democracy and elections were released earlier in November, but further data on Monday draws attention to the vulnerabilities Europeans face following a turbulent decade of cyber interference.
Monday’s data shows that 61% of Europeans worry that elections can be manipulated through cyberattacks, while 59% are concerned about foreign actors and criminal groups influencing elections.
The results prompted strong responses from the European Commission.
First Vice-President Frans Timmermans said on Monday EU citizens are “well aware of the dark forces that would like to manipulate what they read, think and ultimately vote for,” while Justice Commissioner Vĕra Jourová has called upon EU governments to work together in order to address voter concerns.
Estonia leads the way
Figures from the report differed between member states, with Estonia demonstrating a relative confidence in electronic voting systems compared to other states.
Some 42% of Estonian respondents were concerned about cyberattacks within the context of the EU elections, while 74% in Spain and 67% in the United Kingdom highlighted this as a particular area of concern.
Estonia’s dominance in the field of cybersecurity is no surprise. Having been the first country in the world to introduce online voting in 2005, the country went on to experience a series of cyberattacks in April 2007 that temporarily crippled the private sector.
The country subsequently went on to bolster its IT systems and advocate more broadly for improved cybersecurity measures across the continent.
The prospect of electronic voting is also striking cybersecurity concerns amongst EU leaders. Currently, Estonia is the only country in Europe to offer internet voting to the electorate. The European Parliamentary elections in 2014 saw just over 30% of Estonian voters cast their ballots over the internet.
Speaking at a recent EURACTIV high-level conference on cybersecurity in the context of elections, Luukas Ilves of The Lisbon Council accused the EU of a “lack of confidence” in the field, saying that, at a supranational level, the EU is “collectively failing to do the work” to ensure that the elections next year are sufficiently protected.
Lionel Gervais of Deutsche Telekom Security added that the EU needs a straightforward cybersecurity strategy delivered with “clear communication and clear governance.”
In the context of electronic voting, Europe treads precariously. Several member states have flirted with the idea of employing such systems, but many have ultimately retracted.
Ireland scrapped a 2002 plan to introduce electronic voting after a €54 million outlay, following public opposition and a lack of confidence in the systems.
The Netherlands dumped electronic voting in 2007 after highly-publicised security issues, while Germany abandoned it in 2009, after the Federal Constitutional Court found that electronic voting was unconstitutional, citing high levels of public distrust.
France’s relationship with online voting has also had a number of setbacks. Internet voting was permitted in 2003 when French citizens living in the US were allowed to vote remotely in an election for representatives to the Assembly of French Citizens Abroad.
However, momentum was stifled in 2017, when France announced that electronic and internet voting would be no more, after the hacking of the Democratic National Committee’s networks during Hilary Clinton’s presidential campaign in the US prompted similar fears in France.
The French were right to be concerned. Despite attempts to dissuade malign interference, Emmanuel Macron’s campaign team bore the brunch of a series of phishing attacks that resulted in the leaking of tens of thousands of emails.
Speaking to EURACTIV, Thierry Masson, digital advisor to the Internal Market and Consumer Protection Committee in the European Parliament, said that En Marche was targeted from the start of the campaign, but the leak was not as successful for the hackers as had first been purported.
“The issue was the fact that many of the so-called ‘leaks’ contained a lot of false information,” Masson said. “The leaks were mixed up with fake news, which meant that many members of the public understood that the hacks came from sources seeking to do France harm.”
In order to counter the threats from such hackings, there needs to be an EU-wide approach to cybersecurity, Masson added.
“The EU needs to act as a single body, and we need to protect our European sovereignty. We should not let the member states protect their own sovereignty because at the end of the day it will harm the whole of the European Union.”
Current legislative framework
An EU-wide approach in reinforcing cybersecurity is very much on the cards, with legislation having been adopted in 2016 as part of the Directive on Network and Information systems (NIS), which obliges firms to have efficient incident response measures.
Then there is the Cybersecurity Act, currently going through interinstitutional negotiations, and the proposal for the establishment of a cybersecurity competence centre and national coordination centres, currently being discussed in the Parliament and Council.
As well as proffering more responsibility to the EU’s cybersecurity agency, ENISA, the Cybersecurity Act will establish a voluntary certification framework that will set minimum security standards for a myriad of products and services, ranging from nuclear power plans to lightbulbs.
Romanian presidency to take a stand
In addition, EURACTIV has been briefed on the future priorities of the incoming Romanian Presidency of the Council, who take their seat at the head of the table in January.
One such priority, said Ramona Niță of the Permanent Representation of Romania to the EU, is to ensure that Europe’s cybersecurity systems are reinforced as a means to guard against future vulnerabilities.
“We have seen, over recent years, that cybersecurity has moved quickly from an IT-only activity to an entire ecosystem, because it can affect everyone from individual users, to companies, to vital sectors to the economy and society,” she said.
Monday’s Eurobarometer figures indeed make for concerning reading. With Europe’s checkered history in guarding against election interference, it comes as no surprise that policymakers are raising the issue.
“Free and fair elections”
President Juncker’s September commitment to ensure ‘free and fair elections’ entails a number of measures that the Commission believes will help to secure this.
Those include the recommendation to set up national election cooperation networks, improve transparency in online political advertising and combat disinformation in the context of the EU elections.
Commissioner Jourová duly recognises that the EU needs to do more and that the Eurobarometer results should come as a warning sign to regulators on the continent.
“I want Europeans to be able to make a free decision when casting their vote,” she said. “To ensure this, the online anarchy of election rules must end.”