Cyberattacks on elections 'could happen here' and 'once could be very bad news'

“We have to guard against the risk that this [a cyberattack] might happen here,” Mr O’Leary said. “Our website has been regularly tested and is very strong and is particularly tested in advanced of electoral events.” 

For this they rely on the expertise of the Irish National Cyber Security Centre (NCSC). “They’re very close partners with us and they’ve been really helpful,” the chief executive of the Electoral Commission said.

Mr O’Leary said any breach would be a serious issue: “An attack on the Electoral Commission website is a situation which would have a great impact because, if we are to be viewed as a trusted source of information, then anything that people read on our website should be believable.” 

ENISA, the EU Cyber Security Agency, published a detailed guide for member states last March, in which it said cyber threat activity targeting elections had “increased worldwide”.

It said that while voting was by pen and paper in most EU countries, including Ireland, computer systems were “widely used” for voter registration and the compilation and transmission of election results.

In addition, most political candidates rely heavily on technology for their campaigning and media rely on digital devices for their work covering elections.

It said that while politicians and media do not fall under the remit of Electoral Management Bodies (EMBs), cyberattacks on them could “impact the actual or perceived integrity or fairness” of elections.

The report said it was "good practice” for countries to establish a “national election network”, including the EMB, the national cyber agency, relevant ministries, IT organisations, law enforcement, disinformation agencies, intelligence agencies and government spokespersons.

The report recommended that a cybersecurity risk assessment be conducted before the election.

Mr O’Leary said they were in the course of finalising a risk assessment.

“One of our jobs is the oversight of the electoral register, which is managed by local authorities and we are to ensure the completeness and accuracy of the electoral register,” he said. “We have 28 separate electoral registers and none of them talk to each other.” 

He added: "We are satisfied or we’ve been assured by registration authorities [local authorities] that all that can be done [on cyber security] is being done.” 

The Department of Housing, the policy department on elections and the Electoral Commission, said the three Constituency Returning Officers for the European Parliament election provide the Chief Returning Officer the results in “hard copy and electronically”.

It added: “There is verification of results between a Constituency Returning Officer and the Chief Returning Officer.” 

Mr O’Leary said trust in the integrity of the election results was of “paramount importance” and that ensuring the process was cyber-secure formed part of its “oversight role” and, if necessary, would be dealt with in the post-election review.

The National Cyber Security Centre

Also speaking to the Irish Examiner, NCSC director Richard Browne said they had “worked heavily” with the local authorities in terms of protecting their electoral registers and were in regular contact with the Electoral Commission to protect the election infrastructure.

He said that Ireland’s pen and paper system offered protection from cyberattack: “The system is manual to a very large degree and the chain of ownership of ballot papers — from printing them to people voting on them, back through the collection of votes and counting of those ballots — is extremely transparent.

“Returning officers can work around lots of potential attacks, they’re trained to do that.” 

Mr Browne said the validation process “extends up the chain” so that when returning officers are collating it is done on large boards and visible to everyone present.

“The numbers that are transmitted, via an Excel sheet, back to Europe are tallied back to the numbers on the board,” he said.

The cyber chief said that even if there were attempts to interfere with the transmission of the data, there were “multiple means” of sending the information to Europe.

“What we are guarding against is the potential for people or groups or States to interfere in the process by trying to question the robustness and resilience of the system and question the validity of the vote,” he said.

We have hundreds of cyber incidents every year. We have never come across anything very significant to the electoral process.

Mr Browne added: “But it could happen, and if it happens, the first time it happens is enough and once could be very bad news. So we have to guard against the potential.” 

He said that “perhaps the most pressing issue” is the cyber security of IT systems and digital devices used by political parties and by individual politicians.

He said: “We have issued guidance and held information sessions in the Oireachtas and with politicians on this very important issue.”

Mr Browne said they were linked in with various EU agencies to keep up to date on cyber threats to critical infrastructure, including election systems.

Cyberwar

Last week, the NCSC, along with the Defence Forces, took part — for the first time — in the world’s biggest simulated “cyberwar game” involving more than 40 countries, organised by the Nato Cooperative Cyber Defence Centre of Excellence.

At the end of the week, the EU’s diplomatic chief Joseph Borrell warned that a Russian-controlled cyber group had compromised email accounts of the German Social Democratic Party, as well as its technology and defence sector, in addition to institutions of the Czech Republic.

He said this same group had previously targeted institutions and agencies in Poland, Lithuania, Slovakia and Sweden.

Mr Borrell said he was “mindful” of the upcoming elections and said the aim of such cyberattacks was to “degrade our critical infrastructure, weaken social cohesion and influence democratic processes”.