All eyes on election security


In this high-stakes year for democracy, the importance of robust election safeguards and national cybersecurity strategies cannot be overstated


The mention of election security, especially in a year when the majority of the world is destined to vote, brings to mind images of a voting machine or even some form of subversion of online voting or counting processes. So it wasn’t a big surprise when the opening keynote of this year’s Black Hat USA conference was entitled “Democracy’s biggest year: the fight for secure elections around the world”.

The aftermath of the CrowdStrike outage

But prior to the conference itself, the cybersecurity ecosystem was rocked by the recent CrowdStrike incident that caused major global disruption – and a panel of government agency leaders from around the world clearly had to address this first.

One of the panelists, Hans de Vries, COO of the European Union Agency for Cybersecurity, made an interesting observation: “It was an interesting lesson for the bad guys.” This perspective may not be immediately obvious, as the incident in question was not malicious.

However, if a nation state or a cybercriminal wanted a real-world simulation of how a cyberattack could unfold and cause global disruption, the CrowdStrike incident just delivered a full proof-of-concept, complete with insights into recovery times and how society as a whole dealt with the damage that occurred after the incident.

Protecting the ballot box

Also on stage were Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, and Felicity Oswald OBE, CEO of the UK’s National Cyber Security Centre, and all three panellists spoke on the topic of election security.


The consensus seemed to suggest that apart from attempts to disrupt elections, such as denial-of-service attacks, the risk that an election outcome would be manipulated as a result of an attack on infrastructure technology was virtually non-existent. Processes are in place to ensure that every vote, whether paper or electronic, has numerous failsafe mechanisms built in to ensure it is counted as intended. This is reassuring news.

The discussion then shifted to the spread of misinformation surrounding the election process. The panel suggested that opponents seeking to manipulate the outcome would focus more on creating the perception that the electoral process is broken, rather than hacking it directly. In other words, they aim to make voters feel that their vote is not safe, and spend more effort spreading fear about the process than attacking the process itself.

National cybersecurity frameworks under scrutiny

Later in the day, another presentation took up the topic of evaluating national cybersecurity frameworks. The study, presented by Fred Heiding of Harvard, examined how different governments approach protecting their national cybersecurity. The research team evaluated twelve countries using a 67-point rubric, ranking them as innovators, leaders or underperformers based on their cybersecurity position.

The scorecard approach included several interesting categories, including protecting people, institutions and systems, building partnerships and communicating clear policies. Even the length of each country’s strategy document affected the score, and it varied widely, from 133 and 130 pages for Germany and Britain respectively, to just 24 pages for South Korea and 39 pages for the US.


Some countries, such as Australia and Singapore, stood out as leaders in more areas of the scorecard than others, leading or trailing in all categories. Great Britain occupied a mid-table position with six leading scores and four meeting the mark. The United States, meanwhile, had the opposite, with four leading scores and six clearing the mark.

Only two countries achieved lagging scores in some areas: Germany and Japan. It is important to note that the scorecards presented covered only seven of the twelve countries. Furthermore, this is obviously an academic research paper that looks at policy rather than its implementation. Some countries can do an excellent job in formulating strategies while falling short in implementation, or vice versa.

As a parting thought, it is important that we hold our governments accountable for their cybersecurity policies and their willingness to protect our society and citizens.
