Paper presents ENISA’s opinion on the cybersecurity of elections and provides concrete and forward-looking recommendations to improve the cybersecurity of electoral processes in the EU.
1 Digital Service Providers, social media, online platforms and messaging service providers are advised to deploy technology that will identify unusual traffic patterns that could be associated with the spread of disinformation or cyberattacks on election processes.
2 While it is recognised that some of the above players have agreed to self-regulate and introduce disinformation policies, consideration should be given to regulation of these platforms at an EU level to ensure a consistent and harmonised approach across the EU to tackling online disinformation aimed at undermining the democratic process.
3 Member States should continue to actively work together with the aim to identify and take down botnets.
4 ENISA supports the general and specific technical proposals to mitigate the risks that are documented in the Compendium on the Cyber Security of Election Technology.
5 Developing more exercises aimed at testing election cybersecurity will help improve preparedness, understanding and responding to possible election-related cyber threats and attack scenarios.
6 Official channels/technologies for the dissemination of the results should be identified. Additionally, back-up channels/technologies should be available to validate the results with the count centres. Where websites are being used, DDoS mitigation techniques should be in place.
7 A legal obligation should be considered to classify election systems, processes and infrastructures as critical infrastructure so that the necessary cybersecurity measures are put in place.
8 A legal obligation should be put in place requiring political organisations to deploy a high level of cybersecurity in their systems, processes and infrastructures.
9 Member States should consider introducing national legislation to tackle the challenges associated with online disinformation while protecting to the maximum extent possible the values set down in the Treaty of Lisbon and the Charter of Fundamental Rights of the EU.
10 The cybersecurity expertise of the state should be used to assist political practitioners in the securing of their data and their communications. For example, CSIRT expertise can be leveraged to support political parties.
11 Political parties should have an incident response plan in place to address and counter the scenario of data leaks and other potential cyber-attacks.
12 Increased cooperation and exchange of best practices and experiences between the Member States and at EU-level can contribute to strengthening cybersecurity across the EU, including the cybersecurity of the election process. Member States should also make use of the existing frameworks and structures that are in place.