Next Investors logo grey

Election security in a digital democracy


Published 22-MAY-2019 12:06 P.M.


5 minute read

Hey! Looks like you have stumbled on the section of our website where we have archived articles from our old business model.

In 2019 the original founding team returned to run Next Investors, we changed our business model to only write about stocks we carefully research and are invested in for the long term.

The below articles were written under our previous business model. We have kept these articles online here for your reference.

Our new mission is to build a high performing ASX micro cap investment portfolio and share our research, analysis and investment strategy with our readers.

Click Here to View Latest Articles

Thanks to the Digital Age, there are emergent and ever growing risks to elections. Whilst we have come through the Australian Federal election unscathed, ensuring trust in the process and results is now a team sport writes Katherine Bodendorfer and Forrest Allen.

For the past several years, cyber threats to open election processes have become evident to us all. Campaign offices, polling stations and other small centres associated with the election process remain vulnerable to primarily state sponsored, hacktivist and individualist cyber-attacks. Threats to democracy are high because it now comes in digital form. Disinformation campaigns through social media, outdated voting machines, and inadequate cybersecurity measures for voting machines and databases are just a few of the vulnerabilities that leave our elections open to sabotage by adversaries.

In February this year, the Australian Federal Parliament’s computers were hacked. Prime Minister Scott Morrison blamed it on state actors, but with an election looming (though it hadn’t been called at the time), it was a serious breach.

In the wake of this attack, the Australian Electoral Commission (AEC) prepared itself to counter cyberattacks during the election.

Fortunately, no attack eventuated in Australia, but as we turn our attention to US elections next year, the question of cybersecurity will become more and more prominent.

Security is vital to electoral stability

Security has always been a key component of free and fair elections around the world. In the U.S., each state and jurisdiction has measures in place to ensure security in all phases in the election process to ensure the results are true.

Data-driven election campaigns and computerized election infrastructure in the U.S. and around the world are raising concerns regarding security and privacy. Not to mention questions regarding the ethics and the impact on voting trends and practices.

Who are the troublemakers in this space?

Foreign adversaries’ intentions are not to change voter outcomes, but rather something more attainable: undermine and disrupt the confidence of the people in their government, their democratic institutions and even trust in the results their elected representatives. This is an assault on all democracies. And all a threat actor has to do is penetrate systems that have weak end-points and internal vulnerabilities likes weak passwords.

Russia’s cyber-attacks on political party servers and state voter registration databases in 2016 certainly raised alarms. In October 2018, the director of national intelligence, FBI, US Department of Justice, and DHS issued joint statements underlining the concerns regarding threats posed by Russia and other threat actors to election processes. The Justice Department even charged a Russian national for her alleged part in a Russian operation targeting the 2018 US midterm elections.

The threat also comes from beyond nation states like Russia and China. There exist organizations, entities, and individual adversaries looking to disrupt the electoral system. With polarizing politics and accessible online tools, one could easily envision a disgruntled member of the opposing party taking matters into their own hands to shut down a voting center on election day.

Why is it an issue?

As campaign offices and polling locations turn to digital analytic tools and tracking mechanisms, computers become the front line of exploitation by threat actors. One of the reasons computer security is so difficult is having a secure system means doing a lot of things just right. When you talk about something connected to the internet, there are lots of different entry points that can make turn your defenses inside out.

Here are some basic examples: old electoral infrastructure, issues with the basics like: weak passwords, and user vulnerabilities. All of potential risk areas must be addressed correctly in order to maintain a secure system. Malfeasance, technical breakdown or administrative incompetence could easily create disorder with the electronic systems.

Where are the systems vulnerable?

The top election related threats, as identified by the U.S. Department of Justice, are direct damage to computer systems, data theft, fraud schemes, extortion and blackmail, attacks on critical infrastructure, and malign foreign influence operations.

Because of the complicated nature of most democratic societies, state, local, and federal election processes often mean that campaign and electoral systems are somewhat disparate. Further, as elections lengthen, all the many months, and even years of work that being done by campaigns builds the attack surface and richness of the data targets. Political Action Committees, financing institutions, and national political parties provide more opportunities for threat actors. That is all just pre-election!

In the US, the Department of Homeland Security (DHS) designated the voting process as a critical infrastructure, because the networks and systems’ security are vital to the American democracy. As such, if attacked, it would have a significant impact on national security.

What can be done?

Around the globe, democracies need to identify and update election IT basic infrastructure, cybersecurity practices across state voter registration systems, campaign data, and election auditing.

The NIST Cybersecurity Framework offers guidance by helping to understand and manage risks by organizing threats into five functions: identify, protect, detect, respond, and recover. While many campaign offices, polling stations and other centers do not have the expertise or resources to employ a robust IT staff, the basic tenets of this framework provide a solid, simple foundation from which to build.

A cyber risk framework of real time continuous monitoring across all election infrastructure, offices and organizations can be put in place, providing insight into key cyber risk indicators and ongoing activities that help to develop approaches, policies and best practices for each election office and organization. Such services are a commercial commodity and affordable and available to all.

For information about our advisory services contact

General Information Only

S3 Consortium Pty Ltd (S3, ‘we’, ‘us’, ‘our’) (CAR No. 433913) is a corporate authorised representative of LeMessurier Securities Pty Ltd (AFSL No. 296877). The information contained in this article is general information and is for informational purposes only. Any advice is general advice only. Any advice contained in this article does not constitute personal advice and S3 has not taken into consideration your personal objectives, financial situation or needs. Please seek your own independent professional advice before making any financial investment decision. Those persons acting upon information contained in this article do so entirely at their own risk.

Conflicts of Interest Notice

S3 and its associated entities may hold investments in companies featured in its articles, including through being paid in the securities of the companies we provide commentary on. We disclose the securities held in relation to a particular company that we provide commentary on. Refer to our Disclosure Policy for information on our self-imposed trading blackouts, hold conditions and de-risking (sell conditions) which seek to mitigate against any potential conflicts of interest.

Publication Notice and Disclaimer

The information contained in this article is current as at the publication date. At the time of publishing, the information contained in this article is based on sources which are available in the public domain that we consider to be reliable, and our own analysis of those sources. The views of the author may not reflect the views of the AFSL holder. Any decision by you to purchase securities in the companies featured in this article should be done so after you have sought your own independent professional advice regarding this information and made your own inquiries as to the validity of any information in this article.

Any forward-looking statements contained in this article are not guarantees or predictions of future performance, and involve known and unknown risks, uncertainties and other factors, many of which are beyond our control, and which may cause actual results or performance of companies featured to differ materially from those expressed in the statements contained in this article. S3 cannot and does not give any assurance that the results or performance expressed or implied by any forward-looking statements contained in this article will actually occur and readers are cautioned not to put undue reliance on forward-looking statements.

This article may include references to our past investing performance. Past performance is not a reliable indicator of our future investing performance.