The U.S. Cybersecurity and Infrastructure Security (CISA) was successful in supporting the U.S. to protect their infrastructure and achieved what its head, Christopher Krebs, called the “most secure election in American history.” Achieving that goal required planning, coordination between federal, state and local authorities and taking the reliance “on computerized systems and software” seriously. For instance, the establishment of CISA’s Rumor Control Website was an important myth-busting innovation that gave journalists credible information regarding the integrity of election systems’ cybersecurity. Rumour Control has noted that it would not be possible to change the election outcomes without detection, a reference many have seen as related to conspiracy theories casting doubt about the functionality of Dominion Voting Systems. These efforts were key in fortifying public trust in the 2020 elections, across the political spectrum even amid sustained political attacks and ultimately Krebs’ dismissal.
The OSCE Observation Mission made note of the sleeper success of these efforts, stating a “road range of election stakeholders expressed overall confidence in the integrity of election infrastructure and efforts to mitigate cyber-security risks.“ But the U.S. elections also underscore that gaps still exist despite efforts to address end-to-end election cybersecurity – particularly in the urgency with which both sides approach the digital transformation of electoral processes and infrastructures. This is particularly true in Europe. Portugal, the Netherlands, Germany and Bulgaria will hold elections in 2021. Others like France and Hungary will follow with elections in 2022. Unlike the United States, many European democracies – including Germany – only use paper ballots. But it is misguided to think that touch screens in the voting booths are the only vector of attack. Reports have shown that Germany’s local and state-level vote tabulation systems are easily hacked and manipulated. In all democracies, voter registration systems are stored in electronic databases, a major source of vulnerability.
There are many national, civil society and international networks that monitor and strengthen election systems’ integrity. Awareness has risen through initiatives like the Bratislava Call on ‘Protecting Electoral Infrastructure’ by the Global Commission on the Stability of Cyber Space (GCSCS) held following the conclusion of the GLOBSEC Bratislava Forum in 2018, or the ‘Oxford Statement on International Law Protections Against Foreign Electoral Interference through Digital Means’ in 2020. One piece of the puzzle lies in the Organization for Security and Cooperation in Europe (OSCE) with 57 participating States from Europe, Central Asia and North America. Around the Euro-Atlantic, the OSCE’s Office for Democratic and Human Rights (ODIHR) devotes considerable resources (although the amount could be increased) to observe the electoral contest long before election day, continuing its effort to the actual vote where it calls out irregularities at polling sites to protect against voting fraud. Its observers have eyes on the ground both in the toughest neighbourhoods and in “established democracies”. They deployed over 1000 observers on the ground in the post-Maidan Ukraine elections, approximately 500in the US in 2016 and the same number in Putin’s reelection in 2018. The OSCE has cultivated a reputation for election observation that is transparent, assiduous, systematic and inclusive of all walks of civil society.
As a new secretary-general takes over the OSCE in the form of a skilled diplomat and deputy head of the EU’s External Action Service, Helga Schmid, it’s time for the OSCE to lift its capacity in the area of election systems observation. ODIHR can provide cyber-observation similar to the on-the-ground assessments examining tampering with registration, voting and tabulation integrity. But they have not fully empowered it. Cyber-OSCE observation missions could watch voter registration, voting machine and tabulation systems to catch and shine a light on systems tampering in advance and in real-time. In the 2018 midterms, ODHIR provided some into U.S. conditions citing that 30% of jurisdictions provide insecure online resources to voters and “1300 of around 10,500 jurisdictions are ISAC members that receive security updates.” But deeper analysis is possible and should be deployed in Europe and Eurasia as well.
Is the OSCE ready to take on this task? Some of the pieces are already in place. In 2013, the OSCE released a handbook for the observation of so-called New Voting Technologies (NVT). The OSCE recognized the challenges that come from these technologies – specifically, that they can render “physical observation” less important and that many, if not most, election observers do not understand these technologies. The handbook is an important contribution to thinking about the integrity of election systems. But ODIHR has not been updated since 2013 and the gravity of the threat has not been given the lift it needs in a post-Ukraine, post-2016 Russian interference world where new technologies like artificial intelligence and new threats like homegrown populists present new vulnerabilities. Both technology and the over the geo-political environment in which elections are held has changed greatly since 2013. ODIHR should update the handbook to account for today’s realities with needs assessment missions focused on cyber aspects more systematically deployed to evaluate the credentialing, stress test software and hardware and look for signs of tampering before and, crucially, after elections. And an assumption that NVT analysts be present in all observation missions. Furthermore, an extension of the OSCE’s national capacity program offers potential in terms of fostering cybersecurity capacity building and training to address electoral interference more comprehensively and credibly.
Finally, NVT observation should continue beyond election day to accompany integrity of election systems until certification. For instance, the United States election is demonstrating now, post-election cybersecurity remains important at recount audits and verification processes remain vulnerable to foreign adversaries and claims of cyber incidents. For this reason, CISA has decided to maintain its 24/7 war room until the entire certification process is concluded and the Electoral College completed its vote in December.
The benefits from beefing up ODIHR’s cyber-watch capacity are clear. First, it would help build norms and muscle memory on how to monitor online election systems and set incentives for a free and secure opinion-forming process during pre-elections in all participating member states. The OSCE itself has recognized the U.S. vulnerability of its dependence on voting machines. In its 2018 midterm election report, it noted that 15 states use voting machines without paper-verifiable ballots. But many other OSCE member-states – including big players like Germany – are lulled into a false sense of security regarding the “hackability” of their elections by pointing to the fact that they use paper ballots on-site. That is just one element in the election process. Many have automated “behind the curtain” processes around registration and tabulation, which are often controlled at the local level. While paper ballots provide a last line of defence in ultimate voter counts, meddling with registration servers or tabulation software could cloud the results – sowing the confusion and doubt many of democracy’s rivals want.
Second, retooling observation capacity would also mean incorporating Euro-Atlantic tech sector specialists, including many from Silicon Valley, into the fight against next-generation election manipulation. Bringing in White Hat cyber observers would create a synapse at one of the weakest points in the current election ecosystem – the space where state-backed adversaries meet undertrained, underprepared local election bureaucracy working with outdated technology.
Third, the OSCE has at least limited buy-in from Russia. It will be harder for Russia to attempt to weasel out of accusations of cyber election tampering from cyber election monitors from the OSCE, an organization where it is a member. Independent OSCE observation that election systems are clean and call out irregularities would go a long way to preserve – and in some cases restore – faith in elections as worthy of voters’ trust. Often even the spectre of digital sabotage is enough to eat away voter confidence and contribute to delegitimizing the process.
Finally, reorienting observation toward cyber integrity could also spill over into other areas as well. For instance, ODIHR’s media monitoring teams currently cannot access data on pre-election political party spending on social media, nor can they assess social media action from abroad attempting to influence voters. Some examples already exist. For instance the joint chatbot project of the OSCE and Ukraine’s Central Election Commission in advance of the local elections on October 25th 2020. Launched as “CEC about elections”, the chabot in form of an AI-application, is set up to inform voters, candidates and election commissioners about various aspects of the local elections. More importantly, the cooperation was very keen in applying a context-sensitive solution by making it first available via Telegram and later on for the Facebook Messenger.
The OSCE is far from perfect. States like Russia wield the body’s consensus-driven process to gum up the full realization of security, democracy and self-determination. Other problems continue as well. The organization is only slowly emerging from a long leadership struggle and crises will continue to occupy the agenda in places like Belarus, Ukraine and Nagorno-Karabakh. And even within ODIHR, challenges remain. For instance, ODIHR was not deployed in the European Parliament elections in 2019 and 2014 after having done so in 2004 and 2009, likely the result of objections from one or more OSCE participating States. Leaving the EU elections unobserved should have raised alarm bells given mammoth scale, unevenness and potential for disruption – to be held in 28 EU member-states, over 3 days, with a patchwork of dozens of different ballot systems – with vulnerabilities everywhere. Despite the drawbacks, an update to the OSCE’s operating system that beefs up observation of election systems integrity is overdue.
